Does bandit support scanning Jupyter Notebook .ipynb file?

[muaz-jasman]

Does bandit support scanning Jupyter Notebook .ipynb file?

[DeadNews]

Yes.

For example:

bandit /path/to/notebook.ipynb     

or

• pyproject.toml:

[tool.bandit]
include = ["*.ipynb"]    

• cmd:

bandit -r . -c pyproject.toml   

Ref: yaml config

[SamMorrowDrums]

No is the answer.

I have experimented with this, and even though technically it does "scan" the files, and reports lines of code scanned - it does not in fact interpret the (escaped) python code contained and so does not report any issues where it should.

I tried this by pasting some examples of known errors from this repo in both a python file, and an iPython notebook file, the python file gave results as expected, while the notebook did not.

I believe to support this would require bandit knowing about how to extract code cells from a notebook file, un-escaping them and then parsing the contents of that (while preserving the source line numbers) into the AST, so it can actually process the code correctly and report the correct results.

That being said, it might be possible to write an adaptor that handles this, and runs bandit on the resulting code and re-maps the results to the correct place, so in theory it can be done - it would just take a bit of work.

Changing my answer to yes:

run jupyter nbconvert --to script [YOUR_NOTEBOOK].ipynb and then you can run bandit on the resulting python file.