# Install bandit with Homebrew, apt, MacPorts, Nix, pacman

Security-oriented static analyser for Python code. Version 1.9.4 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:bandit
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install bandit
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install bandit
```

  Evidence: MacPorts ports tree: python/bandit/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- Debian apt (92%):

```sh
sudo apt install bandit
```

  Evidence: Debian stable package indexes: bandit from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- Nix (92%):

```sh
nix profile install nixpkgs#bandit
```

  Evidence: nixpkgs package indexes: bandit from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

- pacman (92%):

```sh
sudo pacman -S bandit
```

  Evidence: Arch Linux sync databases: bandit from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

## Package facts

- **Package key:** brew:bandit
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/bandit>
- **Version:** 1.9.4
- **Source summary:** Security-oriented static analyser for Python code
- **Homepage:** <https://github.com/PyCQA/bandit>
- **Repository:** <https://github.com/PyCQA/bandit>
- **Upstream docs:** <https://bandit.readthedocs.io/en/latest>
- **License:** Apache-2.0
- **Source archive:** <https://files.pythonhosted.org/packages/aa/c3/0cb80dfe0f3076e5da7e4c5ad8e57bac6ac357ff4a6406205501cade4965/bandit-1.9.4.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- bandit (cli)
- bandit-baseline (cli)
- bandit-config-generator (cli)
- bandit (alias)
- bandit-baseline (alias)
- bandit-config-generator (alias)

## Dependencies

- libyaml
- python@3.14

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.9.4
- Local data: ok
- Upstream repository: https://github.com/PyCQA/bandit
- info: No package-manager update timestamp was available.
- info: No cached GitHub release or tag data was available.
## Project history and usage

Bandit is PyCQA's Python security linter: a command-line static analyzer that parses Python files into ASTs and runs security-focused plugins against the tree. It is one of the standard package-manager tools for lightweight Python application security checks.

### Project history

The official README says Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA. Its public Git history begins in July 2014, with 0.9.0 tagged in February 2015 and a steady 1.x release line since then.

Bandit's architecture reflects the Python tooling style of its era: it uses Python's AST module, reports issue IDs such as B101 and B602, and exposes command-line, baseline, and config-generation executables for local use and CI automation.

### Adoption history

Bandit's adoption broadened from OpenStack security work into the general Python quality-tooling ecosystem after it moved under PyCQA. The supplied package facts list Homebrew, Debian/Ubuntu, MacPorts, Nix, Arch, and related packaging, and the official README advertises PyPI, container images, and GitHub Actions-built images.

The project also became part of common Python CI and pre-commit workflows: the official docs include integration and CI/CD sections, and the configuration docs show usage through pre-commit with the official PyCQA repository.

### How it is used

Bandit scans Python source recursively, builds ASTs, runs security plugins, and emits reports. Common usage is local scanning with bandit -r ., CI enforcement, baseline comparison, and per-line suppression with nosec comments when a finding has been reviewed.

Configuration can live in a .bandit INI file for recursive project scans, or in YAML/TOML files such as bandit.yaml and pyproject.toml when passed with -c. The docs also describe generated configs and plugin-specific overrides.

### Why package nerds care

Bandit matters in package catalogs because it is security tooling with a tiny operational footprint: easy to add to CI, easy to vendor into developer images, and easy for distributions to expose as a CLI.

It also illustrates the consolidation of Python QA tools under PyCQA, alongside linters and format-adjacent tooling that package managers routinely provide for reproducible developer environments.

### Timeline

- 2014: Public Git history begins in the official repository.
- 2015: 0.9.0 is tagged, followed by frequent early releases.
- 2010s: Bandit moves from the OpenStack Security Project to PyCQA, according to the official README.
- 2020s: Bandit is distributed through PyPI, OS package managers, pre-commit workflows, and signed container images.
- 2026: 1.9.x releases continue maintenance of the analyzer and rule set.

### Related projects

- Bandit is related to PyCQA tooling, Python's AST module, pre-commit, and broader Python security/static-analysis tools. It complements general-purpose linters by focusing specifically on common security issues.

### Sources

- <https://bandit.readthedocs.io/en/latest/config.html>
- <https://github.com/PyCQA/bandit>
- <https://github.com/PyCQA/bandit/blob/main/README.rst>
- <https://github.com/PyCQA/bandit/commit/c796659aea9bfb00088281bb2b6c1ef051839c18>
- input.source_facts.package-manager


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: .bandit, bandit.yaml, pyproject.toml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** bandit
- **Version Scheme:** 0
- **Revision:** 1
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - bandit - 1.7.10-2: normalized package name match | Debian stable package indexes: bandit from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Security oriented static analyzer for Python code - Metapackage | https://github.com/PyCQA/bandit
- Debian apt - python3-bandit - 1.7.10-2: normalized package name match | Debian stable package indexes: python3-bandit from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Security oriented static analyzer for Python code - Python 3.x | https://github.com/PyCQA/bandit
- Nix - bandit: normalized package name match | nixpkgs package indexes: bandit from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix
- Ubuntu apt - bandit - 1.6.2-3: normalized package name match | Ubuntu 24.04 LTS package indexes: bandit from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Security oriented static analyzer for Python code - Metapackage | https://github.com/PyCQA/bandit
- Ubuntu apt - python3-bandit - 1.6.2-3: normalized package name match | Ubuntu 24.04 LTS package indexes: python3-bandit from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Security oriented static analyzer for Python code - Python 3.x | https://github.com/PyCQA/bandit
- pacman - bandit - 1.9.4-1: normalized package name match | Arch Linux sync databases: bandit from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Python security linter from OpenStack Security | https://github.com/PyCQA/bandit
- MacPorts - bandit: normalized package name match | MacPorts ports tree: python/bandit/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [caracal](https://www.automicvault.com/pkg/brew/caracal/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [cargo-geiger](https://www.automicvault.com/pkg/brew/cargo-geiger/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [flawfinder](https://www.automicvault.com/pkg/brew/flawfinder/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [ghalint](https://www.automicvault.com/pkg/brew/ghalint/) - Shares av.db curated category or tags: cli, linter, security, static-analysis.
- [gosec](https://www.automicvault.com/pkg/brew/gosec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [joern](https://www.automicvault.com/pkg/brew/joern/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [tfsec](https://www.automicvault.com/pkg/brew/tfsec/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [noir](https://www.automicvault.com/pkg/brew/noir/) - Shares av.db curated category or tags: cli, security, static-analysis.

## Combined YAML source

View the package source record on GitHub. [combined/bandit.yml](https://github.com/automic-vault/db/blob/main/combined/bandit.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
