Setting up Bandit with Jenkins & Git for Python SAST

Rohit Ranjan
3 min read, Oct 15, 2019


Bandit is a static analysis (SAST) tool that reviews Python source code for common security issues.

This article is about automating the security code review of Python code. We will use Jenkins to drive the automation, and the code to be tested lives on GitHub. So we are going to automate, in one click, the whole process of pulling the Python code from GitHub, running a Bandit scan on it on the local machine, and saving the output to a text file.

Step 1:

Make sure the system satisfies the requirements mentioned below:

Python 2.7 installed

pip configured

Jenkins server installed & configured

Step 2:

Create a Jenkins build for code review:

On the home page, click New Item.

Enter the item name as Bandit, or whatever you wish.

Follow the screenshot:

In the Project url field, insert the URL of the GitHub project:

https://github.com/Test/WebGoat/

Insert the project URL under GitHub project

The Repository URL would end with .git: https://github.com/Test/WebGoat/WebGoat.git

Insert the URL & credentials

Steps to add Git credentials are provided below:

Note: To add credentials, follow the screenshot below:

Click Add & select Jenkins

Select Username with password in Global credentials

Select the highlighted portion

Add the credentials with an ID & Description

Click Add after inserting the values

The highlighted portion shows the credentials were added successfully

(Screenshot: bandit-cred added)

Step 3:

To execute Bandit, select Windows PowerShell on Windows.

Note: For Linux systems, select Execute shell.

Select the highlighted portion

Insert the command below, in either shell.

(Screenshot: Bandit command)

Now scroll down to the bottom & click Save & Apply.

Step 4:

Initiate the one-click Jenkins build:

(Screenshot: Build Now)

After the build is successful, check the Console Output.

Click the arrow & Console Output

Browse through the console logs.

(Screenshot: Console Logs)

Step 5:

Below is the output of the scan, and my code is fine with no vulnerability.

(Screenshot: output)
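The same procedure expressed as a Jenkins Pipeline (Jenkinsfile), as an added example that is not part of the original article. It reuses the repository URL and the bandit-cred credential ID from above; the report file name bandit-report.txt, the pip install stage, and the -ll severity threshold are assumptions, and the scan is run so that medium or high findings fail the build while the report is archived either way.

```groovy
pipeline {
    agent any

    environment {
        // Assumed report name; the article only says the output is saved to a text file.
        REPORT = 'bandit-report.txt'
    }

    stages {
        stage('Checkout') {
            steps {
                // Repository URL and credential ID as configured in the freestyle job above.
                git url: 'https://github.com/Test/WebGoat/WebGoat.git',
                    credentialsId: 'bandit-cred'
            }
        }

        stage('Install Bandit') {
            steps {
                script {
                    // Assumes pip is on PATH (Step 1). Same command on both shells.
                    if (isUnix()) { sh 'pip install bandit' } else { bat 'pip install bandit' }
                }
            }
        }

        stage('Bandit scan') {
            steps {
                script {
                    // -r: scan the checked-out tree recursively
                    // -ll: report only MEDIUM and HIGH severity findings
                    // -f txt -o: write a plain-text report instead of printing to console only
                    // Bandit exits non-zero when findings at or above the threshold exist,
                    // so the build fails; append --exit-zero to report without gating.
                    def cmd = "bandit -r . -ll -f txt -o ${env.REPORT}"
                    if (isUnix()) { sh cmd } else { bat cmd }
                }
            }
        }
    }

    post {
        always {
            // Keep the report even when the scan stage fails, so findings can be reviewed.
            archiveArtifacts artifacts: "${env.REPORT}", allowEmptyArchive: true
        }
    }
}
```

The report is then available from the build page under Artifacts, alongside the Console Output described in Step 4.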

References:

https://github.com/PyCQA/bandit

https://jenkins.io/download/


Written by Rohit Ranjan

Security Engineer, Open Source Enthusiast
