Bandit Scanner Reference

You can set up a Security step with Bandit to find common security issues in your Python code.

Scan policy types

STO supports the following policy_type settings for Bandit:

  • orchestratedScan — A Security step in the pipeline runs the scan and ingests the results. This is the easiest to set up and supports scans with default or predefined settings.
  • ingestionOnly — Run the scan in a Run step, or outside the pipeline, and then ingest the results. This is useful for advanced workflows that address specific security needs. See Ingest scan results into an STO pipeline.

Required Settings

  • product_name = bandit
  • scan_type = repository
  • product_config_name = default — Run a Bandit scan with the default settings.
  • repository_project — The repository name. If you want to scan https://github.com/my-github-account/codebaseAlpha, for example, you would set this to codebaseAlpha.
  • repository_branch — This tells Bandit the Git branch to scan. You can specify a hardcoded string or use the runtime variable <+codebase.branch>. This sets the branch based on the user input or trigger payload at runtime.
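The settings above, assembled into a pipeline stage as an added example (this is not a snippet from the Harness documentation or the Bandit project). The setting keys and values come from the list above; the surrounding step scaffold (type: Security, the identifier names, spec.settings, the /shared/scan_results path, and the ingestion_file key used in the ingestionOnly variant) is assumed and should be checked against your STO version. The first step shows the orchestratedScan policy; the second pair shows the ingestionOnly policy, where a Run step invokes Bandit itself and writes JSON for the Security step to pick up.

```yaml
# Added example, not from the original page. Step scaffolding is assumed;
# the settings keys/values come from the Required Settings list.
steps:
  # --- Variant 1: orchestratedScan -------------------------------------
  # STO runs Bandit for you and ingests the results in the same step.
  - step:
      type: Security
      name: bandit_orchestrated
      identifier: bandit_orchestrated
      spec:
        privileged: true               # assumed; required by STO scan containers
        settings:
          policy_type: orchestratedScan
          scan_type: repository
          product_name: bandit
          product_config_name: default
          repository_project: codebaseAlpha        # repo name only, not the URL
          repository_branch: <+codebase.branch>    # resolved from trigger/user input

  # --- Variant 2: ingestionOnly ----------------------------------------
  # You run Bandit yourself (custom flags, excludes, baseline, etc.) and
  # hand the JSON report to STO. Bandit exits non-zero when it finds issues,
  # so --exit-zero keeps the Run step green and lets STO's own policies
  # decide whether the pipeline should fail.
  - step:
      type: Run
      name: run_bandit
      identifier: run_bandit
      spec:
        shell: Sh
        command: |
          pip install bandit
          mkdir -p /shared/scan_results
          bandit -r . -f json -o /shared/scan_results/bandit.json --exit-zero
  - step:
      type: Security
      name: bandit_ingest
      identifier: bandit_ingest
      spec:
        privileged: true
        settings:
          policy_type: ingestionOnly
          scan_type: repository
          product_name: bandit
          product_config_name: default
          repository_project: codebaseAlpha
          repository_branch: <+codebase.branch>
          ingestion_file: /shared/scan_results/bandit.json   # assumed key name
```

The ingestionOnly variant is the one to reach for when you need Bandit options the default configuration does not expose (a custom -x exclude list, a baseline file, or a pinned Bandit version); the orchestrated step is enough when default settings are acceptable. Either way, keep the Security step's repository_project and repository_branch consistent with what was actually scanned, or the findings will be filed against the wrong target in STO.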