Template for writing bandit test plugins without the need to change the installed bandit module, a step by step guide, and unit-test.
Bandit supports writing plugins based on stevedore extension manager. It also has some older non-plugin based code artefacts.
There are plugins for:
- namespace=
bandit.formatters, to create custom reporting formats (not discussed, see bandit-sarif-formatter for an example) - namespace=
bandit.plugins, to create your own vulnerability detection (discussed)
Plugins can either be:
- Created as part of bandit source code (not discussed, slightly different)
- Created as a sepearted module (discussed)
The bandit code also has some other interesting features that will not be discussed here at this moment such as:
- sphinx autodoc to generate the docs from docstring
- tox framework used to automate building and testing the project against different python versions
- AST
- Python 3
- bandit installed
- TODO: get full list of required modules
- Clone this repository and
cdinto it - pip install .
- bandit examples/*
Expected outcome is one detected wolf with test_id B666. You can uninstall the plugin via pip uninstall bandit_big_bad_wolf.
| File | Description |
|---|---|
| examples/big_bad_wolf.py | Code example that we want to detect. In this case a mock up. |
| bandit_big_bad_wolf/big_bad_wolf.py | This is the actual test plugin for detecting the vulnerable code. The folder name bandit_big_bad_wolf represents the cutom plugin module that will be installed or uninstalled via pip as defined in setup.py |
| tests/functional/test_big_bad_wolf.py | This is to verify that the plugin code can detect the sample vulnerablity code. Setting a breakpoint in bandit_big_bad_wolf/big_bad_wolf.py allows to explorer more about how the plugin works. |
Get the test to work without installing it