
BANDIT(1) Bandit BANDIT(1)

NAME

bandit - Python source code security analyzer

SYNOPSIS

bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE] [-p PROFILE] [-t TESTS] [-s SKIPS] [-l] [-i] [-f {csv,custom,html,json,screen,txt,xml,yaml}] [--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q] [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE] [--ini INI_PATH] [--exit-zero] [--version] [targets [targets ...]]

DESCRIPTION

bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs the appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.

OPTIONS

-h, --help
    show this help message and exit
-r, --recursive
    find and process files in subdirectories
-a {file,vuln}, --aggregate {file,vuln}
    aggregate output by vulnerability (default) or by filename
-n CONTEXT_LINES, --number CONTEXT_LINES
    maximum number of code lines to output for each issue
-c CONFIG_FILE, --configfile CONFIG_FILE
    optional config file to use for selecting plugins and overriding defaults
-p PROFILE, --profile PROFILE
    profile to use (defaults to executing all tests)
-t TESTS, --tests TESTS
    comma-separated list of test IDs to run
-s SKIPS, --skip SKIPS
    comma-separated list of test IDs to skip
-l, --level
    report only issues of a given severity level or higher (-l for LOW, -ll for MEDIUM, -lll for HIGH)
--severity-level {all,low,medium,high}
    report only issues of a given severity level or higher. "all" and "low" are likely to produce the same results, but it is possible for rules to be undefined which will not be listed in "low".
-i, --confidence
    report only issues of a given confidence level or higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
--confidence-level {all,low,medium,high}
    report only issues of a given confidence level or higher. "all" and "low" are likely to produce the same results, but it is possible for rules to be undefined which will not be listed in "low".
-f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
    specify output format
--msg-template MSG_TEMPLATE
    specify output message template (only usable with --format custom), see the CUSTOM FORMATTING section for the list of available values
-o [OUTPUT_FILE], --output [OUTPUT_FILE]
    write report to filename
-v, --verbose
    output extra information like excluded and included files
-d, --debug
    turn on debug mode
-q, --quiet, --silent
    only show output in the case of an error
--ignore-nosec
    do not skip lines with # nosec comments
-x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
    comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-b BASELINE, --baseline BASELINE
    path of a baseline report to compare against (only JSON-formatted files are accepted)
--ini INI_PATH
    path to a .bandit file that supplies command line arguments
--exit-zero
    exit with 0, even with results found
--version
    show program's version number and exit



CUSTOM FORMATTING

Available tags:

{abspath}, {relpath}, {line}, {test_id}, {severity}, {msg}, {confidence}, {range}


Example usage:

Default template:

    bandit -r examples/ --format custom --msg-template "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

Provides the same output as:

    bandit -r examples/ --format custom

Tags can also be formatted in Python str.format() style:

    bandit -r examples/ --format custom --msg-template "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

See the Python documentation for more information about the formatting style: https://docs.python.org/3/library/string.html
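To make the effect of the template tags and of the severity floor concrete, here is an added illustration that is not part of Bandit or of this man page. It renders hand-constructed findings with the two templates quoted above and applies a filter equivalent to --severity-level. The finding records are shaped like the "results" entries of a Bandit JSON report, which is an assumption about that schema; the sample paths, test IDs and messages are constructed, not real scan output, and the "range" rendering is an assumed convention.

```python
"""Render Bandit-style findings with the CUSTOM FORMATTING tags and apply a
--severity-level style floor.  Added example, not Bandit's own code."""

from typing import Dict, List

# Constructed sample findings (not real scan output).  The keys mirror the
# fields a Bandit JSON report is assumed to emit for each result.
SAMPLE_RESULTS: List[Dict] = [
    {"filename": "/home/dev/project/examples/imports.py", "line_number": 3,
     "line_range": [3], "test_id": "B403", "issue_severity": "LOW",
     "issue_confidence": "HIGH",
     "issue_text": "Consider possible security implications associated with pickle module."},
    {"filename": "/home/dev/project/examples/subprocess_shell.py", "line_number": 12,
     "line_range": [12, 13], "test_id": "B602", "issue_severity": "HIGH",
     "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue."},
    {"filename": "/home/dev/project/examples/hashlib_md5.py", "line_number": 7,
     "line_range": [7], "test_id": "B324", "issue_severity": "MEDIUM",
     "issue_confidence": "HIGH",
     "issue_text": "Use of weak MD5 hash for security. Consider usedforsecurity=False."},
]

# The two templates quoted in the man page's CUSTOM FORMATTING section.
DEFAULT_TEMPLATE = "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"
PADDED_TEMPLATE = "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

# Ordering used to implement "this level or higher".
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def tags_for(result: Dict, base_dir: str) -> Dict:
    """Map one finding to the tag names the man page lists for --msg-template."""
    abspath = result["filename"]
    prefix = base_dir.rstrip("/") + "/"
    relpath = abspath[len(prefix):] if abspath.startswith(prefix) else abspath
    lr = result["line_range"]
    # Assumed rendering for {range}: "first-last" for multi-line issues.
    rng = f"{lr[0]}-{lr[-1]}" if len(lr) > 1 else str(lr[0])
    return {
        "abspath": abspath, "relpath": relpath, "line": result["line_number"],
        "test_id": result["test_id"], "severity": result["issue_severity"],
        "msg": result["issue_text"], "confidence": result["issue_confidence"],
        "range": rng,
    }


def render(results: List[Dict], template: str, base_dir: str,
           min_severity: str = "LOW") -> List[str]:
    """Keep findings at min_severity or above, then format each with str.format().

    The format specs in the template do the work: '20.20s' truncates and pads
    the path to 20 columns, '03' zero-pads the line number, '^8' centres the
    test ID and '>20' right-aligns short messages without truncating long ones.
    """
    floor = RANK[min_severity.upper()]
    return [template.format(**tags_for(r, base_dir))
            for r in results if RANK[r["issue_severity"]] >= floor]


if __name__ == "__main__":
    for line in render(SAMPLE_RESULTS, PADDED_TEMPLATE, "/home/dev/project", "medium"):
        print(line)
```

Running the block prints only the HIGH and MEDIUM findings, with the path cut to "examples/subprocess_" and "examples/hashlib_md5", the line numbers as 012 and 007, and the test IDs centred in an eight-column field; the LOW pickle finding is dropped by the floor just as --severity-level medium would drop it.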



FILES

.bandit
    file that supplies command line arguments
/etc/bandit/bandit.yaml
    legacy bandit configuration file

EXAMPLES

Example usage across a code tree:

bandit -r ~/your-repos/project


Example usage across the examples/ directory, showing three lines of context and only reporting on the high-severity issues:

bandit examples/*.py -n 3 --severity-level=high


Bandit can be run with profiles. To run Bandit against the examples/ directory using only the plugins listed in the ShellInjection profile:

bandit examples/*.py -p ShellInjection


Bandit also supports passing lines of code to scan using standard input. To run Bandit with standard input:

cat examples/imports.py | bandit -


SEE ALSO

pylint(1)

AUTHOR

PyCQA

COPYRIGHT

2025, Bandit Developers

July 6, 2025