# Bandit

Bandit is a static analysis tool that finds common security issues in Python code. Salus runs the Bandit scanner when your repository contains a `setup.cfg` or a `requirements.txt`.

# Configuration

In addition to the global scanner configurations, the Bandit scanner accepts the scanner-specific options described below; Salus supports most of Bandit's own command-line options through them. For more information about Bandit's options, see the Bandit usage documentation.


# aggregate

Aggregate output by vulnerability (the default) or by filename. Accepts the string values `file` or `vuln`.

```yaml
aggregate: file
```

# baseline

Path of a baseline report to compare against.

```yaml
baseline: "path/to/file"
```

# confidence

Minimum confidence level to report. Accepts the string values `LOW`, `MEDIUM` or `HIGH`; the Salus default is `LOW`.

```yaml
confidence: MEDIUM
```

# configfile

Path to an optional Bandit config file used for selecting plugins and overriding defaults.

```yaml
configfile: file_name
```

# exclude

List of paths to exclude from the scan.

```yaml
exclude:
  - "path/to/file1"
  - "path/to/file2"
```

# ignore-nosec

Set to `true` if you want lines with `#nosec` comments to be skipped, `false` otherwise.

```yaml
ignore-nosec: false
```

# ini

Path to a `.bandit` file that supplies command line arguments.

```yaml
ini: path/to/file.bandit
```

# level

Report only issues of the given severity level or higher. Accepts the string values `LOW`, `MEDIUM` or `HIGH`.

```yaml
level: HIGH
```

# profile

Profile to use (defaults to executing all tests).

```yaml
profile: profile_name
```

# skips

List of test IDs to skip.

```yaml
skips:
  - B101
  - B102
```

# tests

List of test IDs to run.

```yaml
tests:
  - B101
  - B102
```

# Sample Configuration for Scanner

Here is an example of how the options described above could be set in a `salus.yml` file:

```yaml
scanner_configs:
  Bandit:
    aggregate: file
    configfile: config_filename
    profile: profile_name
    tests:
      - B101
      - B102
    skips:
      - B101
      - B102
    level: LOW
    confidence: HIGH
    baseline: baseline_report_filename
    ini: path_to_.bandit_file
    ignore-nosec: false  # true or false
    exclude:
      - path1
      - path2
    exceptions:
      - advisory_id: B101
        changed_by: security-team
        notes: Currently no patch exists and we determined that this vulnerability is not exploitable.
        expiration: "2021-04-27"
```
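The following Python is an added example (not part of Salus or Bandit) that sanity-checks a `Bandit` fragment of `scanner_configs` against the option values documented above and shows the Bandit command line those keys correspond to. The key-to-flag mapping in `to_bandit_args`, including the repeated `-l`/`-i` scheme for `level` and `confidence`, is an assumption about how Salus invokes Bandit rather than something taken from this page, and the `SAMPLE` fragment is constructed to mirror the sample `salus.yml` above.

```python
from datetime import date

LEVELS = ("LOW", "MEDIUM", "HIGH")  # bandit expresses these as -l/-ll/-lll and -i/-ii/-iii
SAMPLE = {  # constructed fragment mirroring the Bandit block of the sample salus.yml above
    "aggregate": "file",
    "level": "LOW",
    "confidence": "HIGH",
    "tests": ["B101", "B102"],
    "skips": ["B101", "B102"],
    "ignore-nosec": True,
    "exclude": ["path1", "path2"],
    "exceptions": [{"advisory_id": "B101", "expiration": "2021-04-27"}],
}

def validate(cfg, today=None):
    """Return a list of problems found in the fragment; an empty list means it is sane."""
    today = date.fromisoformat(today) if today else date.today()
    problems = []
    if cfg.get("aggregate", "vuln") not in ("file", "vuln"):
        problems.append("aggregate must be 'file' or 'vuln'")
    for key in ("level", "confidence"):
        if key in cfg and cfg[key] not in LEVELS:
            problems.append(f"{key} must be one of {', '.join(LEVELS)}")
    if not isinstance(cfg.get("ignore-nosec", False), bool):
        problems.append("ignore-nosec must be a YAML boolean, not text such as 'true or false'")
    both = sorted(set(cfg.get("skips", [])) & set(cfg.get("tests", [])))
    if both:  # a skipped test never runs, so also requesting it under tests is a contradiction
        problems.append(f"test IDs listed under both tests and skips: {both}")
    for exc in cfg.get("exceptions", []):
        if exc.get("expiration") and date.fromisoformat(exc["expiration"]) < today:
            problems.append(f"exception for {exc.get('advisory_id')} expired on {exc['expiration']}")
    return problems

def to_bandit_args(cfg):
    """Assumed mapping of Salus keys onto bandit's flags; check it against your Salus version."""
    args = []
    for key, flag in (("aggregate", "-a"), ("baseline", "-b"), ("configfile", "-c"),
                      ("ini", "--ini"), ("profile", "-p")):
        if key in cfg:
            args += [flag, str(cfg[key])]
    for key, letter in (("level", "l"), ("confidence", "i")):
        if key in cfg:  # LOW -> -l, MEDIUM -> -ll, HIGH -> -lll (same scheme with -i)
            args.append("-" + letter * (LEVELS.index(cfg[key]) + 1))
    for key, flag in (("exclude", "-x"), ("skips", "-s"), ("tests", "-t")):
        if cfg.get(key):
            args += [flag, ",".join(cfg[key])]  # bandit takes comma-separated lists here
    if cfg.get("ignore-nosec"):  # bandit then reports findings even on lines marked # nosec
        args.append("--ignore-nosec")
    return args
```

Run against `SAMPLE`, `validate` flags the expired exception and the test IDs that are both requested and skipped, which is why the sample above is better treated as a list of available keys than as a configuration to copy verbatim.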

# Unsupported Configurations

The following Bandit command-line options are currently NOT supported:

```text
-n CONTEXT_LINES   # maximum number of code lines to output for each issue
--format {csv,custom,html,screen,txt,xml,yaml}   # Salus always writes its output as JSON
--msg-template MSG_TEMPLATE   # unsupported because it only works with --format custom
--verbose  # output extra information such as excluded and included files
--debug  # turn on debug mode (used for debugging Bandit itself)
--quiet  # only show output in the case of an error
```