Bandit

Bandit is a static analysis tool that scans Python code for common security issues and produces reports that include severity and confidence levels. It analyzes each file by building an abstract syntax tree (AST) and running a set of security-focused plugins against it.

Installation and Setup

Install it from PyPI:

Windows PowerShell
PS> py -m pip install bandit
Shell
$ python3 -m pip install bandit

Optionally configure Bandit in a bandit.yaml file to define profiles, include and exclude patterns, and plugin settings.

Key Features

  • Runs AST-based static analysis with a plugin system that targets common Python security pitfalls.
  • Provides tunable severities and confidences through command-line flags or configuration.
  • Generates multiple output formats including text, JSON, and HTML.
  • Provides baseline support that filters out known findings to focus reviews on newly introduced issues.
  • Runs recursive project scans with directory excludes, targeted file selection, and parallel processing.

Usage

Scan a project directory recursively and show results:

Shell
$ bandit -r src/

Exclude paths like tests/ or generated artifacts:

Shell
$ bandit -r . -x tests,build,dist

Skip specific checks by test ID so that only the issues you care about are reported:

Shell
$ bandit -r src/ -s B101,B404

Generate JSON and HTML reports:

Shell
$ bandit -r src/ -f json -o bandit.json
$ bandit -r src/ -f html -o bandit.html
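The JSON report above is what you would feed into a CI gate. The following script is an added example, not part of Bandit or of this page: it assumes the layout Bandit's JSON formatter emits (a top-level "results" list whose entries carry issue_severity, issue_confidence, test_id, filename, line_number, and issue_text, with severity and confidence expressed as LOW, MEDIUM, or HIGH) and uses a constructed sample report rather than real scan output.

```python
import json

# Bandit reports severity and confidence as LOW / MEDIUM / HIGH; rank them for comparison.
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

def triage(report, min_severity="MEDIUM", min_confidence="MEDIUM"):
    """Return findings at or above both thresholds, worst first."""
    want_sev, want_conf = LEVELS[min_severity], LEVELS[min_confidence]
    keep = [
        issue for issue in report.get("results", [])
        if LEVELS.get(issue["issue_severity"], 0) >= want_sev
        and LEVELS.get(issue["issue_confidence"], 0) >= want_conf
    ]
    # Sort by severity, then confidence (highest first), then location.
    return sorted(keep, key=lambda i: (-LEVELS[i["issue_severity"]],
                                       -LEVELS[i["issue_confidence"]],
                                       i["filename"], i["line_number"]))

def count_by_severity(report):
    """Histogram of all findings by severity, e.g. for a CI summary line."""
    counts = {"LOW": 0, "MEDIUM": 0, "HIGH": 0}
    for issue in report.get("results", []):
        counts[issue["issue_severity"]] += 1
    return counts

def should_fail(report, min_severity="HIGH", min_confidence="MEDIUM"):
    """CI gate: True when any finding meets both thresholds."""
    return bool(triage(report, min_severity, min_confidence))

def format_finding(issue):
    return (f"{issue['issue_severity']}/{issue['issue_confidence']} {issue['test_id']} "
            f"{issue['filename']}:{issue['line_number']} {issue['issue_text']}")

# Constructed sample mirroring the shape of `bandit -f json` output (not real scan output).
SAMPLE_REPORT = {"errors": [], "results": [
    {"filename": "src/app.py", "line_number": 12, "test_id": "B101",
     "issue_severity": "LOW", "issue_confidence": "HIGH", "issue_text": "Use of assert detected."},
    {"filename": "src/runner.py", "line_number": 40, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue."},
    {"filename": "src/cache.py", "line_number": 7, "test_id": "B108",
     "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
     "issue_text": "Probable insecure usage of temp file/directory."},
]}

if __name__ == "__main__":
    report = SAMPLE_REPORT  # or: json.load(open("bandit.json", encoding="utf-8"))
    for issue in triage(report):
        print(format_finding(issue))
    raise SystemExit(1 if should_fail(report) else 0)
```

Run it after `bandit -r src/ -f json -o bandit.json` and the non-zero exit code fails the pipeline only on HIGH-severity findings of at least MEDIUM confidence, while lower-ranked findings still appear in the triage listing.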

By Leodanis Pozo Ramos • Updated Dec. 15, 2025