Scan Python code with https://github.com/PyCQA/bandit
Assuming scan configuration files are located in config/, source to be scanned is in src/,
and results/ exists:
$ docker run -v $PWD/config:/src -v $PWD/src:/target -v $PWD/results:/results ci-bandit
- Code in the
/targetdirectory is scanned recursively - Report is written in text format to
/results/bandit.txt - Configuration is read from
/src/bandit.yaml, if present. - Baseline is read from
/src/bandit-baseline.json, if present. - Only high and medium severity issues will be reported. Non-zero exit status if any are found.
You can specify one of the following commands to alter bandits behavior
scan-text(default) - generates report in text formatscan-json- generates report in json format. Useful for establishing a baseline. Output file will be named/results/bandit.jsonautotest- same asscan-text
- Offer more control over severity levels (?)