A pre-commit hook to find common security issues in your Python code
Switch branches/tags
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
pre_commit_hooks v1.0.2 Jan 20, 2017
tests v1.0.2 Jan 20, 2017
.gitignore v1.0.0 Nov 9, 2016
.pre-commit-config.yaml v1.0.3 Jan 26, 2017
.pre-commit-hooks.yaml hooks.yaml -> .pre-commit-hooks.yaml - close #3 Jan 26, 2017
.pylintrc pylint check fix Nov 9, 2016
.travis.yml Clarifying the README Jan 21, 2017
README.md v1.0.3 Jan 26, 2017
dev-requirements.txt v1.0.0 Nov 9, 2016
hooks.yaml v1.0.2 Jan 20, 2017
pytest.ini v1.0.1 Nov 9, 2016
setup.py v1.0.3 Jan 26, 2017


A pre-commit hook to find common security issues in your Python code using bandit.

You can check the plugins list & examples for tangible use cases.


-   repo: https://github.com/Lucas-C/pre-commit-hooks-bandit
    sha: v1.0.3
    -   id: python-bandit-vulnerability-check

You can also specify a custom .banditrc file, specific directories to check, test IDs to skip or the alerting level :

    -   id: python-bandit-vulnerability-check
        args: [--verbose, --ini, .banditrc, -ll, --skip, "B321,B402", --recursive, src/lib]

The default arguments are defined here and indicate to check for high-severity issues in all the repo files recursively.

Note that pre-commit will pass to bandit the list of all staged files that match the files regular expression in .pre-commit-config.yaml.

If you want to execute bandit only on modified Python files, you'll need:

  • to target the Python files / directories with the files field in .pre-commit-config.yaml
  • to override the args field so it does not include --recursive
    -   id: python-bandit-vulnerability-check
        args: []
        files: .py$

Alternative local hook

You'll need to pip install bandit beforehand:

-   repo: local
    -   id: python-bandit-vulnerability-check
        entry: bandit
        args: [-lll, --recursive, .]
        language: system
        files: ''