菜单
This skill should be used when the user asks to "scan Python code for security issues", "set up Bandit", "configure bandit security linting", "fix bandit warnings", or needs guidance on Python static security analysis with Bandit.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
This skill should be used when the user asks to "optimize a website for SEO", "improve search engine rankings", "apply SEO best practices", "do on-page SEO", or needs guidance on technical SEO, keyword research, content optimization, or link building strategies.
This skill should be used when the user asks to "integrate GitHub Copilot into an app", "use the Copilot SDK", "build a Copilot-powered agent", "embed Copilot in a service", or needs guidance on the GitHub Copilot SDK for Python, TypeScript, Go, or .NET.
This skill should be used when the user asks to "evaluate an implementation", "run the zen evaluation workflow", "check if the plan was properly implemented", "review implementation against a plan", or needs to assess implementation quality and surface improvement suggestions after a zen build cycle.
This skill should be used when the user asks to "ideate a feature together", "zen ideation", "let's think through this together", "help me shape this idea", "collaborative ideation session", or needs a structured framework for LLM-user co-creation where both parties actively contribute, challenge, and build toward the best possible idea.
This skill should be used when the user asks to "plan a feature", "run the zen planning workflow", "consult all senior agents on a plan", "create a structured plan with agent consultation", or needs a thorough multi-agent planning phase before building anything.
This skill should be used when the user asks to "implement a zen plan", "execute the zen workflow", "run parallel agent implementation", "build from an opencode plan", or needs to execute a written plan from .opencode/plans/ using parallel engineering agents with quality gates.
| name | python-bandit |
| description | This skill should be used when the user asks to "scan Python code for security issues", "set up Bandit", "configure bandit security linting", "fix bandit warnings", or needs guidance on Python static security analysis with Bandit. |
Bandit is a static analysis tool that finds common security issues in Python code. It processes each file, builds an AST, and runs security-focused plugins against AST nodes. Results are categorized by severity (LOW, MEDIUM, HIGH) and confidence (LOW, MEDIUM, HIGH).
Install the base package or add extras for specific features:
# Base installation
pip install bandit
# With TOML config support (pyproject.toml)
pip install "bandit[toml]"
# With SARIF output (for GitHub Advanced Security)
pip install "bandit[sarif]"
# With baseline support
pip install "bandit[baseline]"
Use the same Python version as the project under scan. Bandit relies on Python's ast module, which can only parse code valid for that interpreter version.
Scan a full project tree:
bandit -r path/to/project/
Scan with severity filter (report only HIGH):
bandit -r . --severity-level high
# or shorthand: -lll (high), -ll (medium+), -l (low+)
bandit -r . -lll
Scan with confidence filter:
bandit -r . --confidence-level high
# shorthand: -iii (high), -ii (medium+), -i (low+)
Target specific test IDs only:
bandit -r . -t B105,B106,B107 # hardcoded password checks only
Skip specific test IDs:
bandit -r . -s B101 # skip assert_used (common in tests)
Use a named profile:
bandit examples/*.py -p ShellInjection
Scan from stdin:
cat myfile.py | bandit -
Show N lines of context per finding:
bandit -r . -n 3
Centralize Bandit settings alongside other tooling:
[tool.bandit]
exclude_dirs = ["tests", "migrations", "venv"]
skips = ["B101"] # assert_used — acceptable in test suites
tests = [] # empty = run all (minus skips)
Run with explicit config pointer:
bandit -c pyproject.toml -r .
[bandit]
exclude = tests,migrations
skips = B101,B601
tests = B201,B301
Bandit auto-discovers .bandit when invoked with -r. No -c flag needed.
exclude_dirs: ['tests', 'path/to/file']
tests: ['B201', 'B301']
skips: ['B101', 'B601']
# Override plugin-specific defaults
try_except_pass:
check_typed_exception: true
Run: bandit -c bandit.yaml -r .
bandit-config-generator > bandit.yaml
# Then edit — remove sections you don't need, adjust defaults
Mark individual lines with # nosec to suppress all findings:
self.process = subprocess.Popen('/bin/echo', shell=True) # nosec
Suppress specific test IDs only (preferred — avoids hiding future issues):
self.process = subprocess.Popen('/bin/ls *', shell=True) # nosec B602, B607
Use the full test name as an alternative to the ID:
assert yaml.load("{}") == [] # nosec assert_used
Always add a comment explaining why the suppression is justified.
bandit -r . -f json -o report.json # JSON (required for baseline)
bandit -r . -f sarif -o report.sarif # SARIF (GitHub Advanced Security)
bandit -r . -f csv -o report.csv # CSV
bandit -r . -f xml -o report.xml # XML
bandit -r . -f html -o report.html # HTML
bandit -r . -f screen # Terminal (default)
bandit -r . -f yaml -o report.yaml # YAML
Use baselines to track only new issues, ignoring pre-existing findings:
# 1. Generate a baseline from the current state of the codebase
bandit -r . -f json -o .bandit-baseline.json
# 2. Commit the baseline to version control
git add .bandit-baseline.json
# 3. Future scans compare against the baseline
bandit -r . -b .bandit-baseline.json
Useful when adopting Bandit on an existing codebase — block only newly introduced issues.
Bandit test IDs follow a group scheme:
| Range | Category |
|---|---|
| B1xx | Miscellaneous |
| B2xx | App/framework misconfiguration |
| B3xx | Blacklisted calls |
| B4xx | Blacklisted imports |
| B5xx | Cryptography |
| B6xx | Injection |
| B7xx | XSS |
Hardcoded secrets (B105, B106, B107) — passwords assigned to variables, passed as function arguments, or set as default parameters.
Injection (B602, B608) — shell injection via subprocess with shell=True, SQL injection via hardcoded SQL string construction.
Weak cryptography (B324, B501–B505) — MD5/SHA1 use, disabled TLS certificate validation, weak SSL versions, short cryptographic keys.
Unsafe deserialization (B301, B302, B303, B304) — pickle, marshal, yaml.load() without Loader.
Template injection (B701, B703, B704) — Jinja2 autoescape disabled, Django mark_safe, MarkupSafe XSS.
B101 — assert_used
Asserts are stripped in optimized mode (python -O). Never use assert for security-critical checks.
# Bad
assert user.is_admin, "Not authorized"
# Good
if not user.is_admin:
raise PermissionError("Not authorized")
B105/B106/B107 — Hardcoded password
# Bad
password = "hunter2"
connect(password="secret")
# Good — read from environment or secrets manager
import os
password = os.environ["DB_PASSWORD"]
B324 — Weak hash (MD5/SHA1)
# Bad
import hashlib
hashlib.md5(data)
# Good — use SHA-256 or higher for security contexts
hashlib.sha256(data)
# If MD5 is for non-security use (checksums), suppress with comment:
hashlib.md5(data).hexdigest() # nosec B324 — used for cache key, not security
B506 — yaml.load()
# Bad — arbitrary code execution risk
import yaml
yaml.load(data)
# Good
yaml.safe_load(data)
# or
yaml.load(data, Loader=yaml.SafeLoader)
B602 — subprocess with shell=True
# Bad — shell injection vector
subprocess.Popen(user_input, shell=True)
# Good — pass args as a list, avoid shell
subprocess.Popen(["ls", "-l", path])
B608 — Hardcoded SQL
# Bad
query = "SELECT * FROM users WHERE name = '" + name + "'"
# Good — use parameterized queries
cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
B501 — No certificate validation
# Bad
requests.get(url, verify=False)
# Good
requests.get(url) # verify=True by default
requests.get(url, verify="/path/to/ca-bundle.crt")
# nosec if safe.skips.references/plugin-reference.md — Complete B-code listing with severity, description, and fix pattern per pluginreferences/ci-cd-integration.md — Pre-commit hooks, GitHub Actions, and baseline automation workflows