[openstack-dev] [sec] [ossg] Introducing Bandit code security analyzer

McPeak, Travis travis.mcpeak at hp.com
Tue Nov 25 16:15:59 UTC 2014


Hi all - 
 

Bandit is a Python AST-based static analyzer from the OpenStack
Security Group.  Unlike other static code analysis tools in the
OpenStack ecosystem such as hacking and flake8, Bandit was
purpose-built to help find security vulnerabilities.

Bandit has a wiki page at:
https://wiki.openstack.org/wiki/Security/Projects/Bandit

and is available on Stackforge, at:
https://git.openstack.org/stackforge/bandit.git.
 

Instructions for installation and usage are in the README
(http://git.openstack.org/cgit/stackforge/bandit/tree/README.md).
 


How does it work? 

Bandit parses Python source into AST nodes and then executes a node
visitor function for each node.  Bandit tests are declared based on the
type of AST node they inspect.  For each such node that is encountered,
Bandit calls all of the tests that inspect that node type.  For example
any time a function is called, Bandit runs all of the tests that
inspect function calls.
 

What type of issues can it find?

Bandit currently has tests to find hardcoded SQL query strings, files
created with bad permissions, crypto requests without certificate
validation, insecure temp file usage, the use of unsafe functions, and
much more.
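To make the node-visitor design described above concrete, here is a small scanner written for this page (it is not Bandit's own code): tests are declared by the AST node type they inspect, and a visitor runs every registered test on each matching node, with three hypothetical checks covering the categories just listed. The test names, the registry layout and the sample input are all assumptions of this example.

```python
import ast

def call_name(node):
    """Dotted name of a call target such as 'pickle.loads', or '' if not a plain name."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    return ".".join(reversed(parts + [func.id])) if isinstance(func, ast.Name) else ""

def unsafe_function(node):
    name = call_name(node)
    if name in {"eval", "exec", "pickle.loads"}:
        return "use of unsafe function %s()" % name

def bad_file_permissions(node):
    mode = node.args[1] if call_name(node) == "os.chmod" and len(node.args) == 2 else None
    if isinstance(mode, ast.Constant) and isinstance(mode.value, int) and mode.value & 0o002:
        return "os.chmod with world-writable mode %s" % oct(mode.value)

def hardcoded_sql(node):  # simplified heuristic: a string literal starting with a SQL verb
    if isinstance(node.value, str) and node.value.lstrip().upper().startswith(
            ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")):
        return "possible hardcoded SQL query string"

# Tests are registered by the AST node type they inspect (Bandit's design; the
# test names and this registry are hypothetical, not Bandit's own API).
TESTS = {ast.Call: [unsafe_function, bad_file_permissions], ast.Constant: [hardcoded_sql]}

class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line number, test name, message)
    def generic_visit(self, node):
        # Run every test registered for this node type, then descend into children.
        for test in TESTS.get(type(node), ()):
            msg = test(node)
            if msg:
                self.findings.append((node.lineno, test.__name__, msg))
        super().generic_visit(node)

def scan(source):
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return scanner.findings

SAMPLE = '''import os, pickle
query = "SELECT * FROM users WHERE name = '" + name + "'"
os.chmod("/tmp/out.log", 0o777)
data = pickle.loads(blob)
result = eval(user_input)
'''  # constructed sample input: one finding expected on each of lines 2-5
```

Running `scan(SAMPLE)` returns one finding per line 2 to 5; a file with none of these patterns returns an empty list.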
 

What's next?

We're working on getting Bandit integrated into the gate tests of a few
projects.  If you are a contributor on a project and want to get
started using Bandit, please get in touch with us.  We're also expanding
Bandit's functionality with new tests and capabilities.  Stay tuned.

How can I get involved?

We always love to hear feedback: run it against your project and let us
know what you find!  We're also looking for new ideas for features and
tests.  If you'd like to get involved writing tests for Bandit or
improving Bandit itself, please drop us a line in #openstack-security
on Freenode IRC or send something to the mailing list.
 

Thank you,
 - The Bandit Team