Using automatic security scans to improve your python code quality


I am a big fan of code scanning tools that help you improve the quality of your codebase. I have already written about import-linter, which helps you adhere to your architecture by validating imports. Another great tool is bandit. It scans your Python code for common security problems. When I ran it on MembershipNerd, I got the following warning:

Test results:
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'secret'
   Severity: Low   Confidence: Medium
   Location: ./src/testhelpers/users.py:10
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
9	
10	SUPERUSER = UserCredentials(email="admin@example.com", password="secret")

The scanner flagged this because a hard-coded default value for a parameter called “password” could be a potential security issue. In this case it is not, because the file is only part of the test suite.
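As an added example (not code from the original post or from MembershipNerd), here is the flagged test helper rewritten so that no password literal is passed as a function argument: the value comes from an environment variable or a fresh random token, so B106 stays quiet without a `# nosec` marker and the test account never carries a well-known password. The `UserCredentials` dataclass, the `TEST_SUPERUSER_PASSWORD` variable name and the helper names are assumptions.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class UserCredentials:
    """Assumed shape of the credentials object used by the test suite."""
    email: str
    password: str


# Before (constructed to mirror the bandit finding): the literal keyword
# argument password="secret" is what B106 reports.
#     SUPERUSER = UserCredentials(email="admin@example.com", password="secret")


def test_password(env_var: str = "TEST_SUPERUSER_PASSWORD",
                  environ: Optional[Mapping[str, str]] = None) -> str:
    """Return the test password from the environment, or a per-run random one.

    No string literal reaches the `password` argument, so bandit has nothing
    to flag, and a fixture that accidentally ships outside the test suite
    cannot be logged into with a guessable password.
    """
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if value:
        return value
    # 24 random bytes, URL-safe base64 encoded (32 characters).
    return secrets.token_urlsafe(24)


def superuser(environ: Optional[Mapping[str, str]] = None) -> UserCredentials:
    """Build the superuser fixture without any hard-coded secret."""
    return UserCredentials(email="admin@example.com",
                           password=test_password(environ=environ))


# After: same fixture, no literal password in the call.
SUPERUSER = superuser()
```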

The great thing about bandit is that it has built-in support for common Python web frameworks, like Django and Flask, and templating engines, like Jinja2 and Mako. A complete list of the issues it can detect can be found in the bandit documentation.

I can highly recommend running bandit as part of your git pre-commit hook and your CI pipeline.

