
feat: Add Bandit pre-commit hook + fix XML parsing vulnerability (#2417) #2421

Merged
sydseter merged 2 commits into OWASP:master from khushal-winner:feat/add-bandit-pre-commit-hook
Feb 27, 2026


Conversation

@khushal-winner
Contributor

Closes #2417

Changes

  • Added Bandit security scanner as pre-commit hook
    • Targets scripts/ only (recursive with -r)
    • Medium severity, high confidence config (low noise)
    • Updated to Bandit 1.9.4 (Python 3.14 compatible)
    • Excludes tests/ to avoid false positives
  • Fixed detected vulnerability: Replaced unsafe xml.etree.ElementTree.parse with secure defusedxml.ElementTree.parse in convert.py
    • Prevents potential XML External Entity (XXE) attacks (CWE-611)
  • Added README note under "Development Setup" for visibility

Testing

  • pre-commit run --all-files passes locally after fix
  • Trial Bandit scan (before fix): 1 Medium issue (B314) detected
  • After fix: 0 Medium/High issues → hook passes
  • Manual verify: bandit -r scripts/convert.py --severity-level medium --confidence-level high → clean

Why?

Ready for review! Happy to tweak config (e.g. add --exit-zero, skips, bandit.yml) or adjust README.
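The example below is added for this page and is not code from the OWASP project or from this PR; it shows what Bandit's B314 finding is about and what swapping `xml.etree.ElementTree.parse` for `defusedxml.ElementTree.parse` changes in practice. Both XML documents are constructed payloads. `defusedxml` is treated as optional: when it is installed the safe path is exactly the call the PR adopts, otherwise the block falls back to a guard of my own built on the stdlib expat parser, using the same handlers defusedxml installs (reject entity declarations and external references, allow a bare DTD), so the behaviour is the same either way.

```python
"""Added example (not code from the OWASP PR): why Bandit's B314 flags
xml.etree.ElementTree.parse and what defusedxml.ElementTree.parse changes.
The XML documents below are constructed payloads, not data from the project."""
import io
import xml.etree.ElementTree as ET
import xml.parsers.expat

try:  # the fix the PR adopts; optional here so the example runs without it
    import defusedxml.ElementTree as DET
except ImportError:
    DET = None

# Constructed payload 1: nested internal entities (the "billion laughs"
# pattern, CWE-776). Three levels of x10 are enough to show expansion
# without tripping libexpat's built-in amplification limit.
ENTITY_EXPANSION = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed payload 2: the classic external entity reference (XXE, CWE-611).
EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<r>&xxe;</r>"""


class ForbiddenXmlConstruct(ValueError):
    """Raised by the stdlib fallback guard in parse_safe (my own class)."""


def parse_unsafe(doc: bytes) -> ET.Element:
    """The call Bandit reports as B314: the DTD is honoured and internal
    entities are expanded before your code ever sees the tree."""
    return ET.parse(io.BytesIO(doc)).getroot()


def parse_safe(doc: bytes) -> ET.Element:
    """defusedxml.ElementTree.parse when available; otherwise a guard built on
    the same expat handlers defusedxml installs, with its default policy
    (entity declarations and external references forbidden, DTDs allowed)."""
    if DET is not None:
        return DET.parse(io.BytesIO(doc)).getroot()

    def forbid(*_args):
        raise ForbiddenXmlConstruct("entity declaration or external reference")

    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.EntityDeclHandler = forbid          # fires on any <!ENTITY ...>
    parser.ExternalEntityRefHandler = forbid   # fires on &ext; / SYSTEM refs
    parser.Parse(doc, True)
    return builder.close()


def describe(parse, doc: bytes) -> tuple[str, str]:
    """('parsed', root text) or ('rejected', exception class name)."""
    try:
        root = parse(doc)
    except Exception as exc:  # broad on purpose: we report the class name
        return ("rejected", type(exc).__name__)
    return ("parsed", root.text or "")


if __name__ == "__main__":
    for name, doc in (("entity expansion", ENTITY_EXPANSION),
                      ("external entity", EXTERNAL_ENTITY)):
        for label, fn in (("stdlib", parse_unsafe), ("defused", parse_safe)):
            status, detail = describe(fn, doc)
            if status == "parsed":
                detail = f"{len(detail)} chars of text"
            print(f"{name:17} {label:8} {status:9} {detail}")
```

Two things worth noticing when you run it. The stdlib parser quietly expands the nested entities into 300 characters of text, which is the amplification Bandit is warning about; with more levels the amplification becomes memory exhaustion unless the underlying libexpat is new enough to enforce its own limit. For the external entity, CPython never installs a handler that fetches the referenced file, so `xml.etree` fails with an "undefined entity" ParseError rather than reading `/etc/hostname`; defusedxml (and the fallback guard) instead refuse the document at the entity declaration, before any reference is processed, which is the behaviour you want from a parser that may see untrusted input.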

@khushal-winner khushal-winner force-pushed the feat/add-bandit-pre-commit-hook branch 3 times, most recently from 314aa7c to d9855c0 on February 27, 2026 10:18
@khushal-winner khushal-winner marked this pull request as ready for review February 27, 2026 10:36
@khushal-winner khushal-winner marked this pull request as draft February 27, 2026 10:37
@khushal-winner khushal-winner force-pushed the feat/add-bandit-pre-commit-hook branch 2 times, most recently from 96bca83 to 9cf9b0f on February 27, 2026 10:39
@khushal-winner khushal-winner marked this pull request as ready for review February 27, 2026 10:41
- Add bandit pre-commit hook to scan Python scripts for security issues
- Configure bandit to scan scripts/ directory with medium severity and high confidence
- Fix XML parsing vulnerability in convert.py by using defusedxml
- Update bandit to version 1.9.4 for Python 3.14 compatibility
- Add documentation for security scanning under the Contributing to Development section

Security improvements:
- Replaces unsafe xml.etree.ElementTree.parse with defusedxml.ElementTree.parse
- Prevents XML external entity (XXE) attacks
- Bandit hook will catch future security regressions

Signed-off-by: Khushal Malhotra <redmi5a3217@gmail.com>
@khushal-winner khushal-winner force-pushed the feat/add-bandit-pre-commit-hook branch from 9cf9b0f to 2af9bae on February 27, 2026 10:42
@khushal-winner
Contributor Author

@sydseter, this PR is ready for review. Happy to do any further changes :))

@sydseter sydseter merged commit 078846e into OWASP:master Feb 27, 2026
15 of 17 checks passed

Development

Successfully merging this pull request may close these issues.

feat: Integrate Bandit security scanner as pre-commit hook for automated Python code analysis

2 participants