DEV.co
Open-Source Security · PyCQA

bandit

Bandit is a static analysis tool that scans Python code for common security issues by parsing the Abstract Syntax Tree (AST) and running security plugins. It is actively maintained, widely adopted (8K+ stars), and distributed under the permissive Apache 2.0 license.

Source: GitHub — github.com/PyCQA/bandit
8.2k
GitHub stars
792
Forks
Python
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryPyCQA/bandit
OwnerPyCQA
Primary languagePython
LicenseApache-2.0 — OSI-approved
Stars8.2k
Forks792
Open issues257
Latest release1.9.4 (2026-02-25)
Last updated2026-07-07
Sourcehttps://github.com/PyCQA/bandit

What bandit is

Bandit processes Python source files, constructs an AST, applies configurable security rule plugins, and generates structured reports. It supports multiple output formats and can be integrated into CI/CD pipelines via CLI or Docker container.

Quickstart

Get the bandit source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/PyCQA/bandit.gitcd bandit# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

CI/CD security gating

Integrate Bandit into build pipelines to automatically flag security issues before code merges, with fail-on-severity thresholds.

Legacy Python codebase audits

Scan existing projects to identify patterns like hardcoded secrets, insecure deserialization, and weak cryptography calls at scale.

Security-aware code reviews

Use Bandit output as a checklist for human reviewers, catching common pitfalls (SQL injection patterns, use of exec/eval, etc.).

Implementation considerations

  • Bandit requires Python 3.6+ (verify compatibility with your target runtime environment).
  • Configure severity/confidence thresholds and exclusion lists early; default settings may not match organizational risk tolerance.
  • False positives are common for patterns like pickle usage or assertion statements; allocate effort for rule tuning.
  • Integrate into pre-commit hooks and CI/CD workflows; standalone execution requires discipline.
  • Combine with complementary tools (linters, SAST, SCA) for comprehensive security posture.

When to avoid it — and what to weigh

  • Need real-time vulnerability intelligence — Bandit detects patterns, not zero-day exploits or known CVEs in dependencies; pair with software composition analysis (SCA) tools.
  • Require dynamic or runtime security analysis — Bandit is static only; it cannot detect exploits or runtime behavior anomalies.
  • Working exclusively with non-Python codebases — Bandit is Python-specific; equivalent tools exist for JavaScript, Go, Java, etc.
  • Need minimal false positives out of the box — Bandit may flag patterns that are conditionally safe; tuning and allowlisting are required for production use.

License & commercial use

Bandit is licensed under Apache License 2.0, a permissive OSI-approved license allowing commercial use, modification, and distribution with minimal restrictions.

Apache 2.0 permits commercial use without requiring source disclosure. Users must include a copy of the license and any notices of modifications. No commercial support, SLA, or warranty is implied by the license; consult the project's governance for support options.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Bandit is a linting tool, not a runtime guardian. It detects static patterns and should not be relied upon as the sole security control. False negatives are possible for complex or obfuscated code paths. Regular updates are recommended as new threat patterns emerge. The tool itself is open-source; audit the plugins and rules if used in high-assurance contexts.

Alternatives to consider

Semgrep

Multi-language SAST with more granular rules and lower false positive rates; heavier resource footprint and commercial licensing available.

Pylint with security plugins

General-purpose Python linter; security coverage is narrower than Bandit but integrates with broader code quality checks.

SonarQube (Python plugin)

Enterprise-grade SAST with rule customization and cross-language support; requires server setup and commercial licensing for advanced features.

Software development agency

Build on bandit with DEV.co software developers

Evaluate Bandit in your pipeline with a proof-of-concept scan. Combine with complementary tools for comprehensive security coverage.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

bandit FAQ

Does Bandit check for known vulnerabilities in dependencies?
No. Bandit scans code patterns only. Use tools like `pip-audit` or Snyk alongside Bandit to check dependencies.
Can Bandit be used in automated enforcement (fail builds)?
Yes. Use the `--exit-code` flag and severity/confidence thresholds; configure in CI/CD to block merges on violations.
How do I reduce false positives?
Bandit supports inline comments (`# nosec`) and configuration files to exclude rules or severity levels per file or globally.
What Python versions does Bandit support?
Bandit requires Python 3.6+. Consult the release notes for the specific version range of each Bandit release.

Software development & web development with DEV.co

Adopting bandit is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Start securing your Python code today

Evaluate Bandit in your pipeline with a proof-of-concept scan. Combine with complementary tools for comprehensive security coverage.