🔐 Day 3: Scanning Python Code with Bandit



As I dive deeper into the world of secure coding and application security, today’s highlight is exploring Bandit — a static analysis tool designed to find common security issues in Python code. This is part of my ongoing hands-on security learning series, and today I documented how I installed Bandit, tested it on a sample Python script, and interpreted the results.

Let’s break it down.


🧰 What is Bandit?

Bandit is a security linter for Python that scans your code for common vulnerabilities such as use of eval, insecure random number generation, weak hashing, and more.

It’s maintained by the OpenStack Security Project and is easy to integrate into your workflow — locally or in CI pipelines.


🔧 Step 1: Installing Bandit

Getting Bandit on your machine is super simple. Just run:

pip install bandit

Or, if you're using Python 3:

pip3 install bandit

After installation, confirm it's working with:

bandit --version

🧪 Step 2: Test Bandit on a Sample Python Script

I wrote a simple script with some intentionally weak code for testing:

📄 vulnerable_script.py

import subprocess
import random
import hashlib

password = "supersecret"

# Subprocess call with shell=True
subprocess.call("ls -la", shell=True)

# Weak hash function
hashlib.md5(password.encode()).hexdigest()

# Insecure random usage
print(random.random())

Now let’s run Bandit on it:

bandit vulnerable_script.py

📊 Step 3: Results & Analysis

Bandit flagged several key issues:

  1. Shell injection risk with subprocess.call(..., shell=True)

  2. Use of weak hash function hashlib.md5

  3. Insecure randomness using random.random() for security-critical ops

Each issue is ranked by severity and confidence. Bandit also provides helpful CWE references so you can dig deeper into each type of vulnerability.
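To show what a clean scan looks like, here is a hardened counterpart to vulnerable_script.py that addresses all three findings above. This is an added example, not code from the original post; the salt length and PBKDF2 iteration count are choices made for this example.

```python
import hashlib
import hmac
import secrets
import subprocess
from typing import Optional, Tuple

# Example parameters (assumptions for this demo, not values from the post).
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000


def list_directory(path: str) -> str:
    """Replaces subprocess.call("ls -la", shell=True).

    An argument list with shell=False (the default) means `path` is passed
    to ls as a single argv entry, never parsed by a shell, so shell
    metacharacters in it cannot alter the command.
    """
    result = subprocess.run(
        ["ls", "-la", path], capture_output=True, text=True, check=True
    )
    return result.stdout


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Replaces hashlib.md5(password.encode()).

    Passwords need a salted, slow KDF rather than a fast digest; PBKDF2-HMAC
    with SHA-256 is available in the standard library. Returns (salt, digest).
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not reveal matching prefixes."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def new_session_token(nbytes: int = 32) -> str:
    """Replaces random.random(): `secrets` uses the OS CSPRNG, while `random`
    is a seedable Mersenne Twister whose output is predictable."""
    return secrets.token_hex(nbytes)
```

Running bandit on this file reports none of the three findings, which is a quick way to confirm each fix actually satisfied the corresponding check.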


✅ What I Learned

  • Bandit is powerful yet lightweight — perfect for small and large projects.

  • Even "harmless-looking" Python code can have serious security flaws.

  • Tools like Bandit should be in every Python developer's toolkit — especially for security-aware devs.


🧭 Next Steps

I’m planning to:

  • Add Bandit to my Git pre-commit hook.

  • Explore how Bandit integrates with CI/CD pipelines.

  • Write custom Bandit plugins for organization-specific rules.


🗓️ Summary: "Day 3 - Scanning Python Code with Bandit"

Tools Used: Bandit
Goal: Scan Python code for vulnerabilities
What I Did: Installed Bandit, scanned a test file, reviewed and understood flagged issues
Next Up: Exploring Semgrep for writing custom security rules on Day 4 🔍


💬 Got questions about Bandit or want help scanning your own Python code? Drop a comment or reach out. Let’s code securely, together!

Written by

Excel