| name | bandit-security-scan |
| description | Run Bandit security analysis to find common security issues and vulnerabilities in Python code. Use when the user mentions Bandit, security analysis, vulnerability scanning, security audit, software composition analysis (SCA), or wants to check for security issues in Python code. |
| allowed-tools | Bash, Read, Grep, Write |
# Bandit Security Scanner
This skill runs Bandit security analysis on your Python codebase to identify common security vulnerabilities, insecure coding patterns, and potential risks.
## When to Use This Skill
Use this skill when you need to:
- Run a Bandit security scan
- Find security vulnerabilities in Python code
- Perform software composition analysis (SCA)
- Conduct security audits
- Check for insecure coding practices
- Identify potential security risks
- Scan for common security issues (SQL injection, XSS, hardcoded passwords, etc.)
## Prerequisites
Before running a scan, ensure:
- Python and pip are installed
- Project contains Python (.py) files
- Optional: Create a `.bandit` configuration file for custom settings
## How to Run a Scan
### Windows (PowerShell)
Run the PowerShell script:
```powershell
powershell.exe -ExecutionPolicy Bypass -File .claude/skills/bandit/scripts/run_bandit_scan.ps1
```
### Linux/Mac (Bash)
Run the bash script:
```bash
bash .claude/skills/bandit/scripts/run_bandit_scan.sh
```
## What the Scan Does
- Installs Bandit - Automatically installs Bandit with all optional features (TOML, SARIF, baseline support)
- Analyzes Python files - Recursively scans all Python files in the project
- Detects vulnerabilities - Identifies security issues including:
  - SQL injection vulnerabilities
  - Hardcoded passwords and secrets
  - Use of insecure functions
  - Shell injection risks
  - Weak cryptography
  - Insecure deserialization
  - Path traversal vulnerabilities
  - And many more security issues
- Generates reports - Creates multiple output formats:
  - Human-readable console output
  - JSON report for machine processing
  - HTML report for easy viewing
  - SARIF format for IDE/tool integration
## Understanding Results
Bandit categorizes findings by:
### Severity Levels
- HIGH: Critical security issues requiring immediate attention
- MEDIUM: Moderate security concerns
- LOW: Minor issues or informational findings
### Confidence Levels
- HIGH: Very likely to be a real security issue
- MEDIUM: Probable security issue
- LOW: Possible issue requiring manual review
## Report Locations
After the scan completes, find reports at:
- `bandit-report.json` - JSON format for automation
- `bandit-report.html` - HTML format for viewing in a browser
- Console output - Immediate feedback with issue details
## Quick Actions
After scanning:
- Review HIGH severity issues first
- Check issues with HIGH confidence
- Fix critical vulnerabilities immediately
- Use `# nosec` comments to suppress false positives (with caution)
- Re-run the scan to verify fixes
For detailed configuration options and advanced usage, see REFERENCE.md.
## Troubleshooting
### Issue: Bandit installation fails
- Check your Python and pip installation
- Ensure internet connectivity
- Try manually:
  ```bash
  pip install bandit[toml,sarif,baseline]
  ```
### Issue: Too many false positives
- Create a `.bandit` configuration file (see templates/)
- Use the `skips` option to exclude specific test IDs
- Add `# nosec` comments to suppress individual lines
### Issue: Scan too slow
- Exclude test directories and virtual environments
- Use the `.bandit` config to specify only source directories
- Consider scanning only changed files
## Next Steps After Scanning
- Review the HTML report in your browser
- Prioritize fixes by severity and confidence
- Address hardcoded secrets immediately
- Update insecure dependencies
- Integrate Bandit into your CI/CD pipeline
- Set up pre-commit hooks for automatic scanning
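As an added example (not one of this skill's own scripts), a small Python triage tool that reads the `bandit-report.json` the scan writes and applies the ordering recommended above: HIGH severity first, then HIGH confidence, plus a pass/fail gate usable as a CI step. It relies on the field names of Bandit's JSON formatter (`issue_severity`, `issue_confidence`, `test_id`, `filename`, `line_number`, `issue_text`); the embedded sample report is constructed for illustration, not taken from a real scan.

```python
import json
import sys

# Bandit's three severity/confidence levels; lower rank means more urgent.
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample in the shape of Bandit's JSON formatter output (not a real scan).
SAMPLE_REPORT = {
    "results": [
        {"filename": "app/db.py", "line_number": 42, "test_id": "B608", "issue_severity": "MEDIUM",
         "issue_confidence": "LOW", "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"filename": "app/run.py", "line_number": 17, "test_id": "B602", "issue_severity": "HIGH",
         "issue_confidence": "HIGH", "issue_text": "subprocess call with shell=True identified, security issue."},
        {"filename": "app/settings.py", "line_number": 3, "test_id": "B105", "issue_severity": "LOW",
         "issue_confidence": "MEDIUM", "issue_text": "Possible hardcoded password: 'changeme'"},
    ],
}


def triage(report: dict) -> list[dict]:
    """Order findings HIGH severity first, then HIGH confidence, then by file and line."""
    return sorted(
        report["results"],
        key=lambda r: (RANK[r["issue_severity"]], RANK[r["issue_confidence"]],
                       r["filename"], r["line_number"]),
    )


def gate(findings: list[dict], min_severity: str = "HIGH",
         min_confidence: str = "MEDIUM") -> bool:
    """CI gate: True (pass) only if no finding is at least this severe AND this confident."""
    return not any(RANK[f["issue_severity"]] <= RANK[min_severity]
                   and RANK[f["issue_confidence"]] <= RANK[min_confidence]
                   for f in findings)


if __name__ == "__main__":
    # Usage: python triage_bandit.py bandit-report.json (no argument: use the sample).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    ordered = triage(report)
    for f in ordered:
        print(f"{f['issue_severity']:<6} {f['issue_confidence']:<6} {f['test_id']} "
              f"{f['filename']}:{f['line_number']}  {f['issue_text']}")
    sys.exit(0 if gate(ordered) else 1)  # non-zero exit fails the CI job
```

Tighten or loosen the gate thresholds per repository; a HIGH/MEDIUM default blocks the findings the skill tells you to fix first while leaving LOW-confidence noise for manual review.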