Comparison with Bandit¶
The pycharm-security plugin has some significant differences to Bandit:
- It is fully integrated into PyCharm (and other Jetbrains IDE products)
- It uses the Intellij PSI Tree instead of the Python AST. Your code is checked as you type. There is no need to re-run the scanner after modifying files.
- Many of the checks offer quick fixes
- It scans your installed packages in the projects against SafetyDB, bandit only looks at your code
- Many of the checks use the context of the code to reduce false-positives, where bandit would otherwise raise an alert
Equivalent Checks¶
This plugin is still lacking some of the checks that are offered in Bandit.
List of bandit plugins that have equivalent checks in pycharm-security:
| Plugin | Status | Check |
|---|---|---|
| app_debug.py (Flask Debug) | Yes | FLK100 |
| asserts.py | Yes | AST100 |
| crypto_request_no_cert_validation.py (requests no verify) | Yes | RQ100 |
| django_sql_injection.py | Yes | DJG101 |
| django_xss.py | Yes | DJG102 |
| exec.py | Yes | EX100 |
| general_bad_file_permissions.py | Yes | OS100 |
| general_bind_all_interfaces.py | Yes | NET100 |
| general_hardcoded_password.py | Yes | PW101 |
| general_hardcoded_tmp.py | Yes | TMP101 |
| hashlib_new_insecure_functions.py | Yes | HL100 |
| injection_paramiko.py | Yes | PAR101 |
| injection_shell.py | Yes | PR100 |
| injection_sql.py | Yes | SQL100 |
| injection_wildcard.py | Yes | PR100 |
| insecure_ssl_tls.py | Yes | SSL100 |
| jinja2_templates.py | Yes | JJ100 |
| mako_templates.py | Yes | MK100 |
| ssh_no_host_key_verification.py | Yes | PAR100 |
| try_except_continue.py | Yes | TRY101 |
| try_except_pass.py | Yes | TRY100 |
| weak_cryptographic_key.py | No | |
| yaml_load.py | Yes | YML100 |
