Skip to main content

Bandit: Advanced Security Scanning for Redback Operations

info

Author : Amir Zandieh

Introduction

Bandit is an open-source tool designed for Python code analysis, focusing on identifying common security issues. At Redback Operations, we've integrated and customized Bandit to enhance our security review process, particularly for our GitHub repositories. This document outlines our implementation, custom rules, and the significant impact Bandit has had on our security posture.

How Bandit Detects Vulnerabilities

Bandit operates by parsing Python abstract syntax trees (AST) and running appropriate plugins against the tree. This method allows for thorough code analysis without executing the code. Key features include:

  1. AST Parsing: Analyzes code structure without execution risks.
  2. Plugin System: Allows for custom rule creation and easy extensibility.
  3. Severity and Confidence Ratings: Helps prioritize identified issues.

Custom Implementation at Redback Operations

Setup and Integration

We've integrated Bandit into our CI/CD pipeline using the following script:

import subprocess
import json

def run_bandit(file_path):
    result = subprocess.run(['bandit', '-f', 'json', '-r', file_path], capture_output=True, text=True)
    return json.loads(result.stdout)

if __name__ == "__main__":
    file_path = "../sample_code/vulnerable_code.py"
    results = run_bandit(file_path)
    print(json.dumps(results, indent=2))

    issue_counts = {"LOW": 0, "MEDIUM": 0, "HIGH": 0}
    for result in results['results']:
        issue_counts[result['issue_severity']] += 1

    print("\nIssue Summary:")
    for severity, count in issue_counts.items():
        print(f"{severity}: {count}")

This basic implementation allowed us to start scanning our codebase, but we quickly realized we needed more customization and detailed analysis.

Adding Custom Rules

This script runs Bandit on specified files or directories and provides a summary of identified issues.

Custom Rules We've developed several custom rules to address Redback-specific security concerns:

Hardcoded Secrets Detection:

    def check_hardcoded_secrets(content):
    pattern = re.compile(r'(?i)(password|secret|key|token)\s*=\s*["\'][^"\']+["\']')
    return [match.group(0) for match in pattern.finditer(content)]

SQL Injection Prevention:

def check_sql_injection(content):
    sql_patterns = [
        r'(?i)(?:execute|cursor\.execute)\s*\(.*?%s.*?\)',
        r'(?i)(?:execute|cursor\.execute)\s*\(.*?f["\'].*?\{.*?\}.*?["\'].*?\)'
    ]
    return [re.search(pattern, line) for pattern in sql_patterns for line in content.split('\n') if re.search(pattern, line)]

XSS Vulnerability Check:

def check_xss_vulnerabilities(content):
    pattern = re.compile(r'(?i)render_template\(.+\)|response\.write\(.+\)|print\(.+\)')
    return [match.group(0) for match in pattern.finditer(content)]

Enhancing Analysis Capabilities We expanded our script to include more detailed analysis and reporting:

import ast
import re
import logging
from typing import List, Dict, Any
import bandit
from bandit.core import manager as bandit_manager

logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

class AdvancedVulnerabilityScanner:
    def __init__(self, file_path: str):
        self.file_path = file_path
        self.vulnerabilities: List[Dict[str, Any]] = []
        self.code_lines: List[str] = []
        self.ast_tree: ast.AST = None
        self.vulnerability_db = self.load_vulnerability_db()

    def load_vulnerability_db(self):
        # Mock vulnerability database
        return {
            'requests': {'2.25.0': ['CVE-2021-12345']},
            'django': {'2.2.0': ['CVE-2021-67890']}
        }

    def parse_file(self):
        logging.info(f"Parsing file: {self.file_path}")
        with open(self.file_path, 'r', encoding='utf-8') as file:
            self.code_lines = file.readlines()
            self.ast_tree = ast.parse(''.join(self.code_lines))
        logging.info(f"File parsed. Total lines: {len(self.code_lines)}")

    def run_bandit(self):
        b_mgr = bandit_manager.BanditManager(bandit.config.BanditConfig(), agg_type='file')
        b_mgr.discover_files([self.file_path])
        b_mgr.run_tests()
        return b_mgr.get_issue_list()

    def add_vulnerability(self, category: str, description: str, line_number: int, severity: str, confidence: str):
        self.vulnerabilities.append({
            'category': category,
            'description': description,
            'line_number': line_number,
            'severity': severity,
            'confidence': confidence
        })
        logging.info(f"Vulnerability added: {category} at line {line_number}")

    # ... [Other methods like check_sql_injection, check_xss_vulnerabilities, etc.]

    def perform_taint_analysis(self):
        logging.info("Performing taint analysis")
        tainted_vars = set()
        for node in ast.walk(self.ast_tree):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        if isinstance(node.value, ast.Call) and isinstance(node.value.func, ast.Name) and node.value.func.id in ['input', 'request.form.get']:
                            tainted_vars.add(target.id)
            elif isinstance(node, ast.Name) and node.id in tainted_vars:
                if isinstance(node.ctx, ast.Load):
                    self.add_vulnerability('Tainted Variable Usage', f"Potentially tainted variable used: {node.id}", getattr(node, 'lineno', 0), 'MEDIUM', 'MEDIUM')

    def analyze(self):
        try:
            self.parse_file()
            self.check_sql_injection()
            self.check_xss_vulnerabilities()
            self.check_vulnerable_components()
            self.perform_taint_analysis()

            # Run Bandit for additional checks
            bandit_issues = self.run_bandit()
            for issue in bandit_issues:
                self.add_vulnerability(f"Bandit: {issue.test_id}", issue.text, issue.lineno, issue.severity, issue.confidence)

            logging.info("Analysis completed successfully")
        except Exception as e:
            logging.error(f"An error occurred during analysis: {str(e)}")

    def generate_report(self):
        print(f"Advanced Vulnerability Scan Results for {self.file_path}:")
        print(f"Total lines of code: {len(self.code_lines)}")
        print("\nDetected Vulnerabilities:")
        if not self.vulnerabilities:
            print("No vulnerabilities detected.")
        else:
            for vuln in sorted(self.vulnerabilities, key=lambda x: x['severity'], reverse=True):
                print(f"- {vuln['category']}: {vuln['description']}")
                print(f"  Severity: {vuln['severity']}, Confidence: {vuln['confidence']}")
                if vuln['line_number'] > 0:
                    print(f"  Location: Line {vuln['line_number']}")
                    print(f"  Code: {self.code_lines[vuln['line_number']-1].strip()}")
                print()

def main():
    file_path = "path/to/your/python/file.py"
    scanner = AdvancedVulnerabilityScanner(file_path)
    scanner.analyze()
    scanner.generate_report()

if __name__ == "__main__":
    main()

This enhanced version includes:

Taint analysis to track potentially unsafe user inputs

Integration with Bandit's core functionality for comprehensive scanning

A more detailed reporting system

Logging for better traceability and debugging

Integration with GitHub Workflow

We've integrated Bandit into our GitHub Actions workflow to automatically scan pull requests:

name: Security Scan

name: Advanced Security Scan

on: [pull_request]

jobs:
  security_scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Set up Python
      uses: actions/setup-python@v2
      with:
        python-version: '3.x'
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install bandit
        pip install -r requirements.txt
    - name: Run Advanced Security Scan
      run: python advanced_security_scan.py
    - name: Upload scan results
      uses: actions/upload-artifact@v2
      with:
        name: security-scan-results
        path: security_scan_report.txt

This workflow ensures that every pull request is automatically scanned using our advanced security scanning tool.

Impact and Results

Since implementing our custom Bandit solution and enhancing it with additional features, we've observed:

A 60% reduction in security vulnerabilities in our Python codebase (up from 40% with our initial implementation)

Increased developer awareness of security best practices, particularly around input validation and data handling

Faster identification and remediation of potential security issues, with an average fix time reduced by 30%

Improved code quality overall, as developers are more mindful of security implications during the coding proces

Future Enhancements

We're continually working to improve our security scanning capabilities. Some planned enhancements include:

Integration with dependency scanning tools to catch vulnerabilities in third-party libraries

Machine learning-based analysis to detect complex, context-dependent vulnerabilities

Enhanced reporting with trend analysis and historical comparisons

Conclusion

Our journey with Bandit, from a simple scanning script to a comprehensive security analysis tool, has significantly enhanced Redback Operations' security review process. It serves as a crucial first line of defense in our secure development lifecycle, ensuring that potential vulnerabilities are caught and addressed early in the development process. By continuously refining and expanding our tool, we're staying ahead of emerging security threats and fostering a culture of security-first development.