Getting Started
===============

Installation
------------

Bandit is distributed on PyPI. The best way to install it is with pip.

Create a virtual environment and activate it using `virtualenv` (optional):

.. code-block:: console

    virtualenv bandit-env
    source bandit-env/bin/activate
Alternatively, use `venv` instead of `virtualenv` (optional):

.. code-block:: console

    python3 -m venv bandit-env
    source bandit-env/bin/activate

Install Bandit:

.. code-block:: console

    pip install bandit

If you want to include TOML support, install it with the `toml` extras:

.. code-block:: console

    pip install bandit[toml]

If you want to use the bandit-baseline CLI, install it with the `baseline`
extras:

.. code-block:: console

    pip install bandit[baseline]

If you want to include SARIF output formatter support, install it with the
`sarif` extras:

.. code-block:: console

    pip install bandit[sarif]

Run Bandit:

.. code-block:: console

    bandit -r path/to/your/code

Bandit can also be installed from source. To do so, either clone the
repository or download the source tarball from PyPI, then install it:

.. code-block:: console

    python setup.py install

Alternatively, let pip do the downloading for you, like this:

.. code-block:: console

    pip install git+https://github.com/PyCQA/bandit#egg=bandit

Usage
-----

Example usage across a code tree:

.. code-block:: console

    bandit -r ~/your_repos/project

Example usage across the ``examples/`` directory, showing three lines of
context and only reporting on the high-severity issues:

.. code-block:: console

    bandit examples/*.py -n 3 -lll

Bandit can be run with profiles. To run Bandit against the examples directory
using only the plugins listed in the ``ShellInjection`` profile:

.. code-block:: console

    bandit examples/*.py -p ShellInjection

Bandit also supports passing lines of code to scan using standard input. To
run Bandit with standard input:

.. code-block:: console

    cat examples/imports.py | bandit -

For more usage information:

.. code-block:: console

    bandit -h

Baseline
--------

Bandit allows specifying the path of a baseline report to compare against using the base line argument (i.e. ``-b BASELINE`` or ``--baseline BASELINE``).

.. code-block:: console

   bandit -b BASELINE

This is useful for ignoring known vulnerabilities that you believe are non-issues (e.g. a cleartext password in a unit test). To generate a baseline report simply run Bandit with the output format set to ``json`` (only JSON-formatted files are accepted as a baseline) and output file path specified:

.. code-block:: console

    bandit -f json -o PATH_TO_OUTPUT_FILE

Version control integration
---------------------------

Use `pre-commit`_. Once you `have it installed`_, add this to the
``.pre-commit-config.yaml`` in your repository
(be sure to update `rev` to point to a `real git tag/revision`_!):

.. code-block:: yaml

    repos:
    - repo: https://github.com/PyCQA/bandit
      rev: '' # Update me!
      hooks:
      - id: bandit

Then run ``pre-commit install`` and you're ready to go.

.. _pre-commit: https://pre-commit.com/
.. _have it installed: https://pre-commit.com/#install
.. _`real git tag/revision`: https://github.com/PyCQA/bandit/releases
