A GitHub Action that runs Bandit — a security linter for Python — and reports issues directly on pull requests using reviewdog.
- Automated Python Security Scanning — Uses Bandit to statically analyze Python code and detect common security issues before they reach production.
- Actionable Feedback in Pull Requests — Surfaces issues early in the review process, allowing developers to address them before merging. Frees human reviewers to focus on architecture and complex logic—not repetitive static checks.
- Flexible Reporting with reviewdog — Choose how results are reported to fit your workflow:
  - Inline PR Comments — Adds comments directly to affected lines for contextual feedback.
  - GitHub Checks — Pair with required GitHub Checks to enforce security gates on pull requests.
  - Commit Status + Checks — Reports as both commit statuses and GitHub Checks for complete CI feedback.
- Targeted Analysis with Filtering — Analyze only changed files in PRs using `filter_mode`, reducing noise and improving relevance.
- Configurable — Supports `pyproject.toml` or Bandit configuration files for analysis settings, and reviewdog's options for tuning output and behavior.
- Debugging and Troubleshooting — Enable `verbose: true` for detailed logs and use reviewdog's debugging flags for in-depth diagnostics.
This action installs and runs reviewdog locally in the GitHub Actions runner, using `GITHUB_TOKEN` for authentication. All analysis and reporting happens within the runner. For stronger isolation and control, use self-hosted runners.
| Input | Description | Default |
|---|---|---|
| `github_token` | GitHub token for API access | `${{ github.token }}` |
| `workdir` | Directory, relative to the repository root, in which to run Bandit | `.` |
| `bandit_config` | Path to the Bandit configuration file | `pyproject.toml` |
| `bandit_flags` | Extra Bandit CLI flags | `""` |
| `verbose` | Enable verbose logging | `false` |
| `tool_name` | Tool name used in reviewdog output | `bandit` |
| `level` | Report level (`info`, `warning`, `error`) | `error` |
| `reporter` | Reporter type (`github-check`, `github-pr-review`, `github-pr-check`) | `github-check` |
| `filter_mode` | Filtering mode (`added`, `diff_context`, `file`, `nofilter`) | `added` |
| `fail_on_error` | Whether to fail the build when errors are found | `false` |
| `reviewdog_flags` | Additional flags for reviewdog | `""` |
```yaml
name: Run Bandit
on: [pull_request]
jobs:
  bandit:
    name: Bandit Security Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: brunohaf/action-bandit@v1
        with:
          github_token: ${{ secrets.github_token }}
          reporter: github-pr-review
          level: warning
```
Refer to this workflow for more usage examples.
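The following workflow is an added example, not part of this action's own README, showing how the inputs from the table above combine into an enforced security gate rather than advisory comments: the `github-check` reporter, `fail_on_error`, a `diff_context` filter and a Bandit severity threshold. It assumes a `src/` package directory, a `[tool.bandit]` section in `pyproject.toml`, and a Bandit version that supports `--severity-level`; the `permissions` block reflects what reviewdog's GitHub reporters need.

```yaml
# Added example (not the action's own code). Assumed: ./src layout,
# [tool.bandit] in pyproject.toml, Bandit with --severity-level support.
name: Bandit security gate
on: [pull_request]

# Least-privilege token: the github-check reporter only needs checks:write.
# pull-requests:write is required only if you switch to github-pr-review.
permissions:
  contents: read
  checks: write
  pull-requests: write

jobs:
  bandit:
    name: Bandit Security Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: brunohaf/action-bandit@v1
        with:
          github_token: ${{ secrets.github_token }}
          workdir: ./src                 # scan the package, not tests or tooling
          bandit_config: pyproject.toml  # picks up the [tool.bandit] section
          bandit_flags: "--severity-level medium"  # ignore low-severity noise
          reporter: github-check         # single Check Run; mark it "required" in branch protection
          filter_mode: diff_context      # findings on changed lines and their diff context only
          level: error                   # every reported finding is an error
          fail_on_error: true            # a finding fails the check and blocks the merge
          verbose: true                  # keep full logs for triage of surprises

# Matching pyproject.toml fragment (assumed, shown here for completeness):
#
# [tool.bandit]
# exclude_dirs = ["tests", ".venv"]
# skips = ["B101"]   # assert_used: acceptable in this project's code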
Screenshots: PR Review (github-pr-review) and Check Run (github-check).
- reviewdog — Integrates linter results with GitHub code reviews.
- Bandit — Python static security analyzer by PyCQA.
- Public reviewdog GitHub Actions — List of related GitHub Actions.
- Bandit GitHub Action by PyCQA — The official GitHub Action for running Bandit, maintained by PyCQA.
- Bootstrapped with reviewdog/action-composite-template.
- Based on reviewdog/action-eslint, with additional inspiration from jordemort/action-pyright.