agentsecops/sast-bandit
skills/appsec/sast-bandit/SKILL.md
Python security vulnerability detection using Bandit SAST with CWE and OWASP mapping. Use when: (1) Scanning Python code for security vulnerabilities and anti-patterns, (2) Identifying hardcoded secrets, SQL injection, command injection, and insecure APIs, (3) Generating security reports with severity classifications for CI/CD pipelines, (4) Providing remediation guidance with security framework references, (5) Enforcing Python security best practices in development workflows.
$ install --global
skillsauthnpx skillsauth add agentsecops/secopsagentkit sast-banditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 30, 2026, 4:57 PM58.6s5 files scanned
SKILL.md
- name:
- sast-bandit
- description:
- >
- Use when:
- (1) Scanning Python code for security vulnerabilities and anti-patterns,
- version:
- 0.1.0
- maintainer:
- SirAppSec
- category:
- appsec
- tags:
- [sast, bandit, python, vulnerability-scanning, owasp, cwe, security-linting]
- frameworks:
- [OWASP, CWE]
- python:
- >=3.8
- packages:
- [bandit]
- - https:
- //owasp.org/www-project-top-ten/
Bandit Python SAST
Overview
Bandit is a security-focused static analysis tool for Python that identifies common security vulnerabilities and coding anti-patterns. It parses Python code into Abstract Syntax Trees (AST) and executes security plugins to detect issues like hardcoded credentials, SQL injection, command injection, weak cryptography, and insecure API usage. Bandit provides actionable reports with severity classifications aligned to industry security standards.
Quick Start
Scan a Python file or directory for security vulnerabilities:
# Install Bandit
pip install bandit
# Scan single file
bandit suspicious_file.py
# Scan entire directory recursively
bandit -r /path/to/python/project
# Generate JSON report
bandit -r project/ -f json -o bandit_report.json
# Scan with custom config
bandit -r project/ -c .bandit.yaml
Core Workflow
Step 1: Install and Configure Bandit
Install Bandit via pip:
pip install bandit
Create a configuration file .bandit or .bandit.yaml to customize scans:
# .bandit.yaml
exclude_dirs:
- /tests/
- /venv/
- /.venv/
- /node_modules/
skips:
- B101 # Skip assert_used checks in test files
tests:
- B201 # Flask app run with debug=True
- B301 # Pickle usage
- B601 # Shell injection
- B602 # Shell=True in subprocess
Step 2: Execute Security Scan
Run Bandit against Python codebase:
# Basic scan with severity threshold
bandit -r . -ll # Report only medium/high severity
# Comprehensive scan with detailed output
bandit -r . -f json -o report.json -v
# Scan with confidence filtering
bandit -r . -i # Show only high confidence findings
# Exclude specific tests
bandit -r . -s B101,B601
Step 3: Analyze Results
Bandit reports findings with:
- Issue Type: Vulnerability category (e.g., hardcoded_password, sql_injection)
- Severity: LOW, MEDIUM, HIGH
- Confidence: LOW, MEDIUM, HIGH
- CWE: Common Weakness Enumeration reference
- Location: File path and line number
Example output:
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'admin123'
Severity: Medium Confidence: Medium
CWE: CWE-259 (Use of Hard-coded Password)
Location: app/config.py:12
Step 4: Prioritize Findings
Focus remediation efforts using this priority matrix:
- Critical: HIGH severity + HIGH confidence
- High: HIGH severity OR MEDIUM severity + HIGH confidence
- Medium: MEDIUM severity + MEDIUM confidence
- Low: LOW severity OR LOW confidence
Step 5: Remediate Vulnerabilities
For each finding, consult the bundled references/remediation_guide.md for secure coding patterns. Common remediation strategies:
- Hardcoded Secrets (B105, B106): Use environment variables or secret management services
- SQL Injection (B608): Use parameterized queries with SQLAlchemy or psycopg2
- Command Injection (B602, B605): Avoid
shell=True, useshlex.split()for argument parsing - Weak Cryptography (B303, B304): Replace MD5/SHA1 with SHA256/SHA512 or bcrypt for passwords
- Insecure Deserialization (B301): Avoid pickle, use JSON or MessagePack with schema validation
Step 6: Integrate into CI/CD
Add Bandit to CI/CD pipelines to enforce security gates:
# .github/workflows/security-scan.yml
name: Security Scan
on: [push, pull_request]
jobs:
bandit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install Bandit
run: pip install bandit
- name: Run Bandit
run: bandit -r . -f json -o bandit-report.json
- name: Check for high severity issues
run: bandit -r . -ll -f txt || exit 1
Use the bundled script scripts/bandit_analyzer.py for enhanced reporting with OWASP mapping.
Security Considerations
-
Sensitive Data Handling: Bandit reports may contain code snippets with hardcoded credentials. Ensure reports are stored securely and access is restricted. Use
--no-codeflag to exclude code snippets from reports. -
Access Control: Run Bandit in sandboxed CI/CD environments with read-only access to source code. Restrict write permissions to prevent tampering with security configurations.
-
Audit Logging: Log all Bandit executions with timestamps, scan scope, findings count, and operator identity for security auditing and compliance purposes.
-
Compliance: Bandit supports SOC2, PCI-DSS, and GDPR compliance by identifying security weaknesses. Document scan frequency, remediation timelines, and exception approvals for audit trails.
-
False Positives: Review LOW confidence findings manually. Use inline
# noseccomments sparingly and document justifications in code review processes.
Bundled Resources
Scripts (scripts/)
bandit_analyzer.py- Enhanced Bandit wrapper that parses JSON output, maps findings to OWASP Top 10, generates HTML reports, and integrates with ticketing systems. Use for comprehensive security reporting.
References (references/)
-
remediation_guide.md- Detailed secure coding patterns for common Bandit findings, including code examples for SQLAlchemy parameterization, secure subprocess usage, and cryptographic best practices. Consult when remediating specific vulnerability types. -
cwe_owasp_mapping.md- Complete mapping between Bandit issue codes, CWE identifiers, and OWASP Top 10 categories. Use for security framework alignment and compliance reporting.
Assets (assets/)
-
bandit_config.yaml- Production-ready Bandit configuration with optimized test selection, exclusion patterns for common false positives, and severity thresholds. Use as baseline configuration for projects. -
pre-commit-config.yaml- Pre-commit hook configuration for Bandit integration. Prevents commits with HIGH severity findings.
Common Patterns
Pattern 1: Baseline Security Scan
Establish security baseline for legacy codebases:
# Generate baseline report
bandit -r . -f json -o baseline.json
# Compare future scans against baseline
bandit -r . -f json -o current.json
diff <(jq -S . baseline.json) <(jq -S . current.json)
Pattern 2: Security Gating in Pull Requests
Block merges with HIGH severity findings:
# Exit with error if HIGH severity issues found
bandit -r . -lll -f txt
if [ $? -ne 0 ]; then
echo "HIGH severity security issues detected - blocking merge"
exit 1
fi
Pattern 3: Progressive Security Hardening
Incrementally increase security standards:
# Phase 1: Block only CRITICAL (HIGH severity + HIGH confidence)
bandit -r . -ll -i
# Phase 2: Block HIGH severity
bandit -r . -ll
# Phase 3: Block MEDIUM and above
bandit -r . -l
Pattern 4: Suppressing False Positives
Document exceptions inline with justification:
# Example: Suppressing pickle warning for internal serialization
import pickle # nosec B301 - Internal cache, not user input
def load_cache(file_path):
with open(file_path, 'rb') as f:
return pickle.load(f) # nosec B301
Integration Points
-
CI/CD: Integrate as GitHub Actions, GitLab CI, Jenkins pipeline stage, or pre-commit hook. Use
scripts/bandit_analyzer.pyfor enhanced reporting. -
Security Tools: Combine with Semgrep for additional SAST coverage, Safety for dependency scanning, and SonarQube for code quality metrics.
-
SDLC: Execute during development (pre-commit), code review (PR checks), and release gates (pipeline stage). Establish baseline scans for legacy code and enforce strict checks for new code.
-
Ticketing Integration: Use
scripts/bandit_analyzer.pyto automatically create Jira/GitHub issues for HIGH severity findings with remediation guidance.
Troubleshooting
Issue: Too Many False Positives
Solution:
- Use confidence filtering:
bandit -r . -i(HIGH confidence only) - Exclude test files:
bandit -r . --exclude /tests/ - Customize
.bandit.yamlto skip specific tests for known safe patterns - Review and suppress with inline
# noseccomments with justification
Issue: Scan Performance on Large Codebases
Solution:
- Exclude dependencies: Add
/venv/,/.venv/,/site-packages/to.bandit.yamlexclude_dirs - Use multiprocessing: Bandit automatically parallelizes for directories
- Scan only changed files in CI/CD:
git diff --name-only origin/main | grep '.py$' | xargs bandit
Issue: Missing Specific Vulnerability Types
Solution:
- Check enabled tests:
bandit -l(list all tests) - Ensure tests are not skipped in
.bandit.yaml - Combine with Semgrep for additional coverage (e.g., business logic vulnerabilities)
- Update Bandit regularly:
pip install --upgrade bandit
Issue: Integration with Pre-commit Hooks
Solution:
Use the bundled assets/pre-commit-config.yaml:
- repo: https://github.com/PyCQA/bandit
rev: '1.7.5'
hooks:
- id: bandit
args: ['-ll', '--recursive', '--configfile', '.bandit.yaml']
Install hooks: pre-commit install
References
- Bandit Documentation
- Bandit GitHub Repository
- OWASP Top 10
- CWE Database
- Python Security Best Practices
Related Skills
agentsecops/privesc-linpeas
testing
VerifiedTrustedCommunity
Linux privilege escalation enumeration and attack surface analysis using LinPEAS (Linux Privilege Escalation Awesome Script). Automates post-exploitation discovery of escalation vectors, misconfigurations, and credential exposure on Linux targets. Use when: (1) Enumerating privilege escalation vectors after initial access on a Linux system, (2) Identifying SUID/SGID binaries, sudo misconfigurations, and capability abuses, (3) Hunting for credentials in config files, history, and logs, (4) Detecting container breakout opportunities and writable service files, (5) Mapping kernel exploits and CVE exposure for a target system, (6) Conducting authorized CTF, red team, or penetration test post-exploitation phases.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/ot-security-assessment
development
VerifiedTrustedCommunity
Operational Technology (OT) security assessment using a two-stage methodology: (1) Identification/Discovery of OT devices and protocols, and (2) Vulnerability Assessment using online sources and Metasploit. Use when: (1) Conducting authorized OT/ICS security assessments, (2) Identifying and enumerating OT protocols (Modbus, S7, IEC 104, DNP3, BACnet, EtherNet/IP), (3) Discovering industrial control devices and PLCs, (4) Assessing OT protocol vulnerabilities and security weaknesses, (5) Performing compliance scanning aligned with IEC 62443 standards, (6) Validating network segmentation and access controls in OT environments.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/vuln-defectdojo
tools
VerifiedTrustedCommunity
Vulnerability management and findings aggregation using DefectDojo. Centralizes security findings from all SecOpsAgentKit scanners (Semgrep, Bandit, ZAP, Trivy, Grype, Gitleaks, Nuclei, Checkov, Horusec) into a unified platform with automatic deduplication, SLA tracking, risk-based prioritization, and compliance reporting. Use when: (1) Aggregating findings from multiple scanners across products and pipelines, (2) Tracking remediation status and SLA compliance against policy thresholds, (3) Deduplicating overlapping findings across security tools, (4) Generating vulnerability reports for compliance audits (SOC2, PCI-DSS, GDPR), (5) Managing security debt and vulnerability backlog across teams and applications.
110SKILL.mdUpdated Apr 16, 2026
agentsecops/pytm
tools
VerifiedTrustedCommunity
Python-based threat modeling using pytm library for programmatic STRIDE analysis, data flow diagram generation, and automated security threat identification. Use when: (1) Creating threat models programmatically using Python code, (2) Generating data flow diagrams (DFDs) with automatic STRIDE threat identification, (3) Integrating threat modeling into CI/CD pipelines and shift-left security practices, (4) Analyzing system architecture for security threats across trust boundaries, (5) Producing threat reports with STRIDE categories and mitigation recommendations, (6) Maintaining threat models as code for version control and automation.
82SKILL.mdUpdated Mar 27, 2026