By Eric Brown

I lead the security team in VMware’s Open Source Technology Center (OSTC), where security tooling is a major area of focus. One of the tooling projects I help maintain is Bandit, a security linter, or scanning tool, that Python developers can run against their source code to expose potential security vulnerabilities.

In the last few months, we’ve been migrating Bandit out of OpenStack onto the regular GitHub platform. With that completed, we are now pushing out our first release of Bandit in its new namespace. First, let’s dive into a little more about what Bandit does, then discuss why we made the switch to GitHub and what we’re looking at doing now that Bandit is settled in its new home.

If you don’t know Bandit, it was birthed in 2015 when the OpenStack security team realized there were no good Python linters available to scan their code for security vulnerabilities. Over the course of a week-long meetup, they put one together for their own use and called it Bandit.

Bandit runs a variety of code tests, looking for things like application misconfigurations, calls to modules and imports that are known to be bad, weak key size creation, algorithms with known weaknesses, and potential code injection.
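To make those categories concrete, here is a small syntax-tree scanner over a constructed sample file. It is an added example, not Bandit's code or rule set: the names `scan`, `dotted`, the rule lists and the finding labels are all hypothetical, chosen only to show the kind of static check a security linter performs.

```python
import ast

# Constructed sample input (parsed only, never executed or imported).
SAMPLE = '''\
import pickle
import hashlib, subprocess
from cryptography.hazmat.primitives.asymmetric import rsa

def run(cmd, data):
    subprocess.call(cmd, shell=True)
    hashlib.md5(data).hexdigest()
    rsa.generate_private_key(public_exponent=65537, key_size=1024)
'''

# Hypothetical rule data for this sketch; not Bandit's actual lists.
BAD_IMPORTS = {"pickle", "telnetlib"}
WEAK_HASHES = {"md5", "sha1"}
MIN_RSA_BITS = 2048

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return ""

def scan(source):
    """Return sorted (line, category) findings for the given source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings += [(node.lineno, "bad-import")
                         for alias in node.names if alias.name in BAD_IMPORTS]
        elif isinstance(node, ast.ImportFrom) and node.module in BAD_IMPORTS:
            findings.append((node.lineno, "bad-import"))
        elif isinstance(node, ast.Call):
            name = dotted(node.func)
            kw = {k.arg: k.value for k in node.keywords if k.arg}
            # Only a literal shell=True is flagged; variables are not resolved.
            if name.startswith("subprocess.") and getattr(kw.get("shell"), "value", None) is True:
                findings.append((node.lineno, "shell-injection"))
            if name.startswith("hashlib.") and name.split(".")[-1] in WEAK_HASHES:
                findings.append((node.lineno, "weak-hash"))
            bits = getattr(kw.get("key_size"), "value", None)
            if name.endswith("generate_private_key") and isinstance(bits, int) and bits < MIN_RSA_BITS:
                findings.append((node.lineno, "weak-key"))
    return sorted(findings)
```

Calling `scan(SAMPLE)` reports one finding per flagged line, while the same calls written with an argument list, SHA-256 and no weak key produce none.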



While Bandit was created to secure OpenStack code, the wider community of Python developers quickly saw its value and began using it to scan their own code. The last time I checked Bandit’s dependency information on GitHub, it had 897 repositories using it. This widespread applicability and popularity in itself suggested that it would make sense to move Bandit out of the OpenStack namespace to somewhere more general.

But the maintainer team also noticed that, despite its popularity, Bandit had a fairly small contributor community. We figured one reason for that might be that OpenStack runs reviews using Gerrit, which isn’t that easy to use if you come to it from a GitHub-only background. So, while Bandit’s original review setup made sense for OpenStack, it was likely acting as a barrier for potential new contributors.

That hunch seems to be proven now that we’ve made the move. As of the end of the summer, we have Bandit fully ported to GitHub (it’s officially with the Python Code Quality Authority) and we’re already seeing more contributors joining. The move was cemented just last month when we did our first GitHub release of version 1.5.0. This release contains new support for Python 3.6 and 3.7, improved shell injection detection, more_info links for all of the formatters, and numerous documentation fixes.

Everything seems to be stable and working well, so now we’re thinking about next steps. For example, we’re looking to integrate with more tooling and expand Bandit’s ease of use. We might create more tools along the lines of the SublimeLinter-bandit plugin, which automatically scans code in your Sublime Text IDE as you write it, helping catch problems even sooner. Now that we’re fully done with the move, do check out Bandit to see how it might help you. And if there’s anything you’d like to help us develop further, let us know!

Stay tuned to the Open Source Blog for future updates on Bandit and follow us on Twitter at @vmwopensource.