In today’s fast-paced software world, security isn’t something you can afford to overlook. The earlier you integrate security into your development process, the better. One of the easiest and most effective ways to start is by applying SAST (Static Application Security Testing). In this article, I’ll walk you through using Bandit, a lightweight but powerful open-source tool designed specifically to catch common security issues in Python applications.


🔍 What is Bandit?

Bandit is a static code analyzer for Python projects. It was created to find common security flaws in your code before it even runs.

Bandit scans your Python files and warns you about:

  • Use of insecure functions (e.g., eval, exec, subprocess)
  • Hardcoded passwords or credentials
  • Insecure usage of third-party libraries
  • Potential injection vulnerabilities

It’s easy to integrate into your workflow and doesn’t require much setup.


⚙️ Getting Started with Bandit

Step 1: Install Bandit
Just run:
pip install bandit

That’s it — Bandit is now ready to scan your code.

Step 2: Create a Vulnerable Python Script (For Testing)
Here’s a simple example of a Python script that includes a few insecure patterns:

# vulnerable_app.py

import subprocess

def run_command():
    command = input("Enter a shell command: ")
    # shell=True hands the raw string to /bin/sh, so ';', '|', '&&' and $(...)
    # in the user's input are all interpreted by the shell
    subprocess.call(command, shell=True)

run_command()

This script allows arbitrary command execution using user input — a classic command injection vulnerability.

✅ Step 3: Run Bandit on Your Code
Use the terminal to analyze the file:
bandit -r vulnerable_app.py

This will generate a report highlighting the insecure use of subprocess.call() with shell=True.


🧪 Sample Output

Bandit will output something like:

[bandit]    INFO    running on Python 3.11.0
>> Issue: [B602:subprocess_popen_with_shell_equals_true] Subprocess call with shell=True identified
   Severity: High   Confidence: High
   File: vulnerable_app.py   Line: 5

Now you’ve got real insight into potential issues — before they hit production.


🛠️ Fixing the Issue

To make this safer, we can refactor the function like so:

import subprocess
import shlex

def run_command():
    command = input("Enter a shell command: ")
    # shlex.split() turns the string into an argument list; with no shell
    # involved, metacharacters reach the program as literal text
    subprocess.call(shlex.split(command))

run_command()

Bandit will now report a much cleaner bill of health.
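As an added example (not code from the original article), here is a stricter version of that refactor: dropping shell=True stops the shell from interpreting `;`, `|` or `$(...)`, which is what the B602 finding is about, but shlex.split() still lets the user name any program on the machine. The allowlist below (ALLOWED_COMMANDS and parse_request are constructed for this example) refuses anything not explicitly permitted and also handles the ValueError that shlex.split() raises on an unbalanced quote. Bandit will still report the lower-severity B603 (subprocess call without shell) for the remaining subprocess.run(), which is a prompt to review the call, not a defect.

```python
import shlex
import subprocess

# Constructed allowlist for this example: program name -> flags it may be given.
# Anything not listed here is refused before a process is ever started.
ALLOWED_COMMANDS = {
    "echo": set(),          # no flags at all, plain arguments only
    "ls": {"-l", "-a"},
}


def parse_request(user_input: str) -> list:
    """Turn raw user text into a vetted argv list, or raise."""
    try:
        # No shell is involved: ';', '|', '&&' and $(...) stay literal text.
        argv = shlex.split(user_input)
    except ValueError as exc:            # e.g. an unbalanced quote
        raise ValueError(f"could not parse command: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    program, *args = argv
    if program not in ALLOWED_COMMANDS:
        raise PermissionError(f"{program!r} is not an allowed program")
    rejected = [a for a in args
                if a.startswith("-") and a not in ALLOWED_COMMANDS[program]]
    if rejected:
        raise PermissionError(f"flag(s) not allowed for {program}: {rejected}")
    return argv


def run_command(user_input: str) -> str:
    """Run an allowlisted command as an argv list (shell=False) and return stdout."""
    argv = parse_request(user_input)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    try:
        print(run_command(input("Enter a command: ")), end="")
    except (ValueError, PermissionError) as err:
        print(f"refused: {err}")
```

Feeding it `echo hello; rm /` prints the literal text `hello; rm /`, while `rm -rf /` is refused before any process starts.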


🤖 Bonus: GitHub Actions Integration

Want to automate Bandit checks with each push? Add this to your .github/workflows/security.yml:

name: Python Security Scan

on: [push, pull_request]

jobs:
  bandit-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Install Bandit
        run: pip install bandit
      - name: Run Bandit
        run: bandit -r . -f txt

This will automatically scan your repo and catch issues before merging code.


📦 Demo Repository

👉 Check out the full working example here:
🔗 GitHub Repository


🎥 Video Walkthrough

Watch this short 5-minute video explaining the code and Bandit in action:
🎬 Watch on TikTok


🧠 Conclusion

Security tools like Bandit make it easy and quick to add a layer of protection to your code. Whether you’re working on a solo script or a team project, catching vulnerabilities early helps you avoid trouble later.

Give Bandit a try — it only takes minutes and could save you hours of debugging or patching later!


💬 Have you tried Bandit? Got questions or tips? Drop them in the comments!