exclude did not work for me, so I looked through official docs and found this:

We can specify dirs (and files as well) that we want to exclude in a list format

pyproject.toml:

[tool.bandit]
exclude_dirs = ["venv",]

From this documentation:

"Also you can configure bandit via pyproject.toml file. In this case you would explicitly specify the path to configuration via -c too."

Therefore, the CLI option would look like this:

bandit -v -r . -c "pyproject.toml"

(will work without quotes as well)

I've never used bandit before, so if I got your question wrong - please feel free to write back, we will figure that out :D

Answer from barni on Stack Overflow
Readthedocs
bandit.readthedocs.io › en › latest › config.html
Configuration — Bandit documentation - Read the Docs
Alternatively, put a YAML or TOML file anywhere, and use the -c option. For example:

# FILE: bandit.yaml
exclude_dirs: ['tests', 'path/to/file']
tests: ['B201', 'B301']
skips: ['B101', 'B601']

# FILE: pyproject.toml
[tool.bandit]
exclude_dirs = ["tests", "path/to/file"]
tests = ["B201", "B301"]
skips = ["B101", "B601"]
Readthedocs
bandit.readthedocs.io › en › 1.7.1 › config.html
Configuration - Bandit documentation - Read the Docs
Also you can configure bandit via pyproject.toml file. In this case you would explicitly specify the path to configuration via -c too.
GitHub
github.com › PyCQA › bandit › issues › 550
Support for pyproject.toml as config file format · Issue #550 · PyCQA/bandit
November 17, 2019 - The toml format is very basic and should allow a simple 1 to 1 mapping of the existing config, since it is more on the minimal side. Given the following .bandit file:

[bandit]
targets: src
skips: B101,B110

Its section in a pyproject.toml ...
Author   a-recknagel
GitHub
github.com › PyCQA › bandit › issues › 1027
Asking bandit to use `pyproject.toml` without a bandit config section causes exception · Issue #1027 · PyCQA/bandit
May 11, 2023 -

bandit...................................................................Failed
- hook id: bandit
- exit code: 1

Traceback (most recent call last):
  File "/local/home/a.pirogov/.cache/pre-commit/repo_hijlu0c/py_env-python3/bin/bandit", line 8, in <module>
    sys.exit(main())
  File "/local/home/a.pirogov/.cache/pre-commit/repo_hijlu0c/py_env-python3/lib/python3.8/site-packages/bandit/cli/main.py", line 455, in main
    b_conf = b_config.BanditConfig(config_file=args.config_file)
  File "/local/home/a.pirogov/.cache/pre-commit/repo_hijlu0c/py_env-python3/lib/python3.8/site-packages/bandit/core/config.py", line 56, in __init__
    self._config = tomllib.load(f)["tool"]["bandit"]
KeyError: 'bandit'

For most tools with some config files, if the config does not "override" behavior, it is using default values. So I expect the same when running bandit with a pyproject.toml.
Published   May 11, 2023
Author   apirogov
GitHub
github.com › PyCQA › bandit › issues › 902
Bandit can't read config file when run in pre-commit · Issue #902 · PyCQA/bandit
May 19, 2022 - However, when I run bandit from the command line it appears to work (e.g. bandit . -r -c pyproject.toml).
Published   May 19, 2022
Author   RNKuhns
DEV Community
dev.to › whchi › enhance-your-python-code-security-using-bandit-14gb
Enhance your python code security using bandit - DEV Community
January 10, 2025 -

repos:
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.7
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml", "-r", "."]
        additional_dependencies: ["bandit[toml]"]
GitHub
github.com › PyCQA › bandit › pull › 401
PEP-518 support: configure bandit via pyproject.toml by orsinium · Pull Request #401 · PyCQA/bandit
October 9, 2018 - Closes #212, because now all projects have moved from setup.cfg to pyproject.toml. Parse files the end with .toml as toml and get the tool.bandit section.
Author   PyCQA
GitHub
github.com › PyCQA › bandit › discussions › 1244
config is not in effect from pyproject.toml? · PyCQA/bandit · Discussion #1244
❯ bandit -c pyproject.toml dandi/move.py | head -n 12
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO using config: pyproject.toml
[main] INFO running on Python 3.13.2
Run started:2025-03-13 21:43:07.442386

Test results:
>> Issue: [B101:assert_used] Use of assert detected.
Author   PyCQA
GitHub
github.com › PyCQA › bandit › pulls
Pull requests · PyCQA/bandit
Bandit is a tool designed to find common security issues in Python code. - Pull requests · PyCQA/bandit
Author   PyCQA
GitHub
github.com › soda480 › pybuilder-bandit › blob › main › pyproject.toml
pybuilder-bandit/pyproject.toml at main · soda480/pybuilder-bandit
A pybuilder plugin that analyzes your project for common security issues using bandit. - pybuilder-bandit/pyproject.toml at main · soda480/pybuilder-bandit
Author   soda480
GitHub
github.com › PyCQA › bandit › issues › 733
Error parsing pyproject.tml · Issue #733 · PyCQA/bandit
September 2, 2021 - Where the pyproject.toml is the following:

[tool.black]
line-length = 120
skip-string-normalization = true
skip-magic-trailing-comma = true

[tool.bandit.assert_used]
exclude = ["*_test.py", "test_*.py"]

https://bandit.readthedocs.io/en/latest/config.html

1. bandit --recursive -c pyproject.toml test
Author   edgarriba
GitHub
github.com › PlaytikaOSS › pybandits
GitHub - PlaytikaOSS/pybandits: Python library for Multi-Armed Bandits · GitHub
The command above will automatically install all the dependencies listed in pyproject.toml. Please visit the installation page for more details. A short example, illustrating its use. Use the sMAB model to predict actions and update the model based on rewards from the environment.

import numpy as np
from pybandits.model import Beta
from pybandits.smab import SmabBernoulli

n_samples = 100

# define action model
actions = {
    "a1": Beta(),
    "a2": Beta(),
}

# init stochastic Multi-Armed Bandit model
smab = SmabBernoulli(actions=actions)

# predict actions
pred_actions, _ = smab.predict(n_samples=n_samples)
simulated_rewards = np.random.randint(2, size=n_samples)

# update model
smab.update(actions=pred_actions, rewards=simulated_rewards)
Starred by 52 users
Forked by 3 users
Languages   Python
PyPI
pypi.org › project › bandit
Bandit
GitHub
github.com › oxsecurity › megalinter › issues › 2465
bandit checks fail when configured to use pyproject.toml · Issue #2465 · oxsecurity/megalinter
March 20, 2023 - Describe the bug bandit supports the use of pyproject.toml as a configuration source. As such, I set my .mega-linter.yml file as follows: # Bandit Configurations PYTHON_BANDIT_CONFIG_FILE: pyprojec...
Author   andrewvaughan
PyPI
pypi.org › project › pyproject-pre-commit
pyproject-pre-commit · PyPI
Therefore, use bandit directly and give -c pyproject.toml option in the hooks.
pip install pyproject-pre-commit
Published   Feb 07, 2026
Version   0.6.1
Pantsbuild
chat.pantsbuild.org › t › 9727390 › is-pyproject-toml-based-config-supported-by-bandit-in-pants-
Is `pyproject toml` based config supported by bandit in pant Pants #general
18:46:20.30 [INFO] Scheduler initialized.
18:46:24.33 [ERROR] Completed: Lint with Bandit - bandit failed (exit code 2).
[main] ERROR pyproject.toml : toml parser not available, reinstall with toml extra
18:46:24.33 [ERROR] Completed: Lint with Bandit - bandit failed (exit code 2).
Mintlify
mintlify.com › mintlify atlas › mintlify-atlas/docs-atlas-6db8c2e2 › pyproject
Pyproject - pyrig
March 8, 2026 - Manages pyproject.toml with: project metadata (name, version, description, authors); dependencies (runtime and dev); build system configuration (uv); tool configurations (ruff, ty, pytest, bandit, rumdl); CLI entry points; Python version requirements.