Calmcode - bandit: pre-commit

Automate Python Bandit scans with pre-commit

1 2 3 4 5

Bandit can also be configured as a pre-commit hook. If you're unfamiliar with pre-commit hooks, check out our video series. To configure the hook you need to add the following lines to your pre-commit configuration file.

-   repo:
    rev: v1.0.5
    -   id: python-bandit-vulnerability-check
        args: [--skip, "B101", --recursive, clumper]

In this file we've configured the pre-commit file to run recursively on the clumper folder and to ignore any errors with code "B101". You can read more about this check in the bandit documentation.

The main thing to remember with bandit is that it's not perfect. It won't catch every security concern out there but it does have some reasonable checks in there. You're free to configure the tool to your liking but it might also be a good idea to read more about the different issues. There's a lot of little things that can go wrong.