Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
193 lines (147 sloc) 9.02 KB

Bento logo

Free program analysis focused on bugs that matter to you.

Install, configure, and adopt Bento in seconds. Runs 100% locally.

PyPI PyPI - Downloads Issues welcome! Follow @r2cdev

Installation · Motivations · Usage · Integrations · Help & Community

Bento is a free and opinionated toolkit for gradually adopting linters¹ and program analysis² in your codebase. Be the bug-squashing advocate your team needs but (maybe) doesn’t deserve.

  • Find bugs that matter. Bento automatically enables and configures relevant analysis based on your dependencies and frameworks, and it will never report style-related issues. You won’t painstakingly configure your tooling.
  • Get started immediately. Bento doesn’t force you to fix all your preexisting issues today. Instead, you can archive them and address them incrementally when it makes sense for your project.
  • Go fast. Bento installs in 5 seconds and self-configures in less than 30. Its tools check your code in parallel, not sequentially.

Bento includes checks written by r2c and curated from Bandit, ESLint, Flake8, and their plugins. It runs on your local machine and never sends your code anywhere or to anyone.

Demonstrating Bento running in a terminal


$ pip3 install bento-cli

Bento is for JavaScript, TypeScript, and Python 3 projects. It requires Python 3.6+ and works on macOS Mojave (10.14) and Ubuntu 18.04+.


See our Bento introductory blog post to learn the full story.

r2c is on a quest to make world-class security and bugfinding available to all developers, for free. We’ve learned that most developers have never heard of—let alone tried—tools that find deep flaws in code: like Codenomicon, which found Heartbleed, or Zoncolan at Facebook, which finds more top-severity security issues than any human effort. These tools find severe issues and also save tons of time, identifying hundreds of thousands of issues before humans can. Bento is a step towards universal access to tools like these.

We’re also big proponents of opinionated tools like Black and Prettier. This has two implications: Bento ignores style-related issues and the bikeshedding that comes with them, and it ships with a curated set of checks that we believe are high signal and bug-worthy. See Three things your linter shouldn’t tell you for more details on our decision making process.


To get started right away with sensible defaults:

$ bento init && bento check

To set aside preexisting results so you only see issues in new code:

$ bento archive

Bento is at its best when run automatically. See Integrations for details.

Command Line Options

$ bento --help

Usage: bento [OPTIONS] COMMAND [ARGS]...

  -h, --help             Show this message and exit.
  --version              Show current version bento.
  --base-path DIRECTORY  Path to the directory containing the code, as well as
                         the .bento.yml file.
  --agree                Automatically agree to terms of service.
  --email TEXT           Email address to use while running this command
                         without global configs e.g. in CI

  archive       Adds all current findings to the whitelist.
  check         Checks for new findings.
  disable       Turn OFF a tool or check.
  enable        Turn ON a tool or check.
  init          Autodetects and installs tools.
  install-hook  Installs Bento as a git pre-commit hook.

  To get help for a specific command, run `bento COMMAND --help`

Exit Codes

bento check may exit with the following exit codes:

  • 0: Bento ran successfully and found no errors
  • 2: Bento ran successfully and found issues in your code
  • 3: Bento or one of its underlying tools failed to run


Running Bento in CI

If you use CircleCI, add the following job:

version: 2.1

    executor: circleci/python:3.7.4-stretch-node
      - checkout
      - run:
          name: "Install Bento"
          command: pip3 install bento-cli && bento --version
      - run:
          name: "Run Bento check"
          command: bento --agree --email <YOUR_EMAIL> check

Otherwise, you can simply install and run Bento in CI with the following commands:

$ pip3 install bento-cli && bento --version
$ bento --agree --email <YOUR_EMAIL> check

bento check will exit with a non-zero exit code if it finds issues in your code (see Exit Codes). To suppress this behaviour you can pipe its output to true:

$ bento --agree --email <YOUR_EMAIL> check || true

Otherwise, address the issues or archive them with bento archive.

If you need help setting up Bento with another CI provider please open an issue. Documentation PRs welcome if you set up Bento with a CI provider that isn't documented here!

Running Bento as a Git Hook

Bento can automatically analyze your staged files when git commit is run. Configured as a Git pre-commit hook, Bento ensures every commit to your project is vetted and that no new issues have been introduced to the codebase.

To install Bento as a Git hook:

$ bento install-hook

If Git hooks ever incorrectly block your commit, you can skip them by passing the --no-verify flag at commit-time (use this sparingly):

$ git commit --no-verify

Bento’s Git hook can save the round-trip time involved with fixing a failed build if you’re using Bento in CI.

Help and Community

Need help or want to share feedback? We’d love to hear from you!

We’re constantly shipping new features and improvements.

We’re fortunate to benefit from the contributions of the open source community and great projects such as Bandit, ESLint, Flake8, and their plugins. 🙏

License and Legal

Please refer to the terms and privacy document.

r2c logo

Copyright (c) r2c.

You can’t perform that action at this time.