# Scan Python Code with Bandit SAST

Python teams need fast security checks before code reaches production. This skill guides Claude, Codex, and Claude Code through Bandit scans, prioritization, and remediation planning.

## Install

```bash
npx skillstore add agentsecops/sast-bandit
```

## Metadata

- Slug: agentsecops-sast-bandit
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/appsec/sast-bandit
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: scripts, external_commands, filesystem, network, env_access
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-sast-bandit
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-sast-bandit/manifest

## Capabilities

- Guides Bandit installation and command-line scanning for Python files or directories.
- Explains how to configure Bandit with exclusions, skipped checks, and severity thresholds.
- Maps Bandit findings to CWE identifiers and OWASP Top 10 categories.
- Provides remediation guidance for hardcoded secrets, SQL injection, command injection, weak cryptography, and deserialization.
- Shows CI and pre-commit integration patterns for security gates.
- Helps prioritize findings by severity, confidence, and remediation urgency.

## Use Cases

- Review Python Pull Requests: Run Bandit on changed Python files and summarize security findings before merge.
- Add Security Gates to CI: Configure Bandit thresholds so pipelines block medium or high severity issues.
- Remediate Legacy Findings: Map Bandit results to CWE and OWASP categories, then plan fixes by priority.

## Prompt Templates

### Run a Basic Scan

```
Use the Bandit SAST skill to scan this Python project. Explain the command, expected output, and how I should read severity and confidence.
```

### Configure Bandit

```
Help me create a Bandit configuration for this Python repository. Exclude generated files and tests, but keep important security checks enabled.
```

### Prioritize Findings

```
Review these Bandit findings and group them by risk. Map each group to CWE and OWASP, then recommend a fix order.
```

### Design CI Enforcement

```
Design a Bandit CI gate for this Python service. Include severity thresholds, report handling, false-positive workflow, and rollout phases.
```

## Limitations

- It depends on Bandit being installed or available in the target environment.
- It focuses on Python code and does not replace broader SAST or dependency scanning.
- It can produce reports that contain sensitive source snippets unless no-code output is used.
- It references an enhanced analyzer script that is not included in this package.

## Best Practices

- Run scans in a sandboxed or CI environment with least-privilege access to source code.
- Use no-code report output when findings may expose credentials or sensitive snippets.
- Document every `# nosec` suppression with a clear justification and review owner.

## Anti Patterns

- Do not scan broad filesystem paths without confirming the intended project scope.
- Do not treat low-confidence Bandit findings as proven vulnerabilities without review.
- Do not publish raw Bandit reports if they contain secrets, paths, or proprietary code snippets.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T06:05:22.759+00:00
- Summary: Static analysis reported many high and critical patterns, but manual review shows they are mostly Bandit rule names, scanner configuration, or vulnerable examples inside documentation. The skill is publishable with a medium warning because it asks users to install and run local security tooling, may scan broad source trees, and may produce reports containing sensitive code snippets.

## Stats

- Views: 417
- Downloads: 6
- Favorites: 1
- Popularity score: 0
