DevSecOps in Practice: Tools That Actually Catch Vulnerabilities - Part 2 - SAST with Bandit

This article discusses DevSecOps in practice, specifically Static Application Security Testing (SAST) with Bandit. Bandit is a standard SAST tool for Python that analyzes source code without running it, looking for security vulnerabilities. In the article's Flask app it caught hardcoded passwords, SQL injection vulnerabilities, and debug mode left on. To use Bandit, install it with pip, run it recursively against the source tree with the -r flag, and filter the findings by severity level. A JSON report can be generated and consumed in a GitHub Actions workflow.
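The step the summary leaves implicit is what a pipeline does with Bandit's JSON report once it exists: a CI gate has to decide, from the report alone, whether the build fails. The script below is an added example, not code from the article or from the Bandit project. It assumes the report was produced with `bandit -r app/ -f json -o bandit.json` and parses the `results` list in Bandit's JSON format (each finding carries `issue_severity` and `issue_confidence`, each one of LOW, MEDIUM or HIGH), then applies a severity and confidence threshold the same way Bandit's own `-l`/`-ll`/`-lll` filtering does. The embedded report is a constructed sample shaped like the three findings the article mentions, not a real scan result.

```python
"""Gate a CI job on a Bandit JSON report (added example, not from the article)."""
import json
import sys
from typing import Dict, List

# Bandit reports severity and confidence as LOW / MEDIUM / HIGH; rank them so
# a threshold can be compared numerically.
LEVEL_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample in the shape of `bandit -r app/ -f json -o bandit.json`
# output. File names, line numbers and texts are made up for illustration.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"test_id": "B105", "test_name": "hardcoded_password_string",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "filename": "app/config.py", "line_number": 7,
         "issue_text": "Possible hardcoded password: 'example-secret'"},
        {"test_id": "B608", "test_name": "hardcoded_sql_expressions",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "filename": "app/db.py", "line_number": 21,
         "issue_text": "Possible SQL injection vector through string-based "
                       "query construction."},
        {"test_id": "B201", "test_name": "flask_debug_true",
         "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
         "filename": "app/main.py", "line_number": 42,
         "issue_text": "A Flask app appears to be run with debug=True."},
    ],
    "metrics": {"_totals": {"loc": 120}},
})


def load_findings(report_json: str) -> List[Dict]:
    """Return the list of findings from a Bandit JSON report string."""
    return json.loads(report_json).get("results", [])


def filter_findings(findings: List[Dict],
                    min_severity: str = "MEDIUM",
                    min_confidence: str = "LOW") -> List[Dict]:
    """Keep findings at or above both thresholds.

    Mirrors Bandit's -l/-ll/-lll (severity) and -i/-ii/-iii (confidence)
    switches: a finding survives only if both its severity and its
    confidence meet the requested minimum.
    """
    sev_floor = LEVEL_RANK[min_severity.upper()]
    conf_floor = LEVEL_RANK[min_confidence.upper()]
    return [
        f for f in findings
        if LEVEL_RANK.get(f.get("issue_severity", "LOW"), 1) >= sev_floor
        and LEVEL_RANK.get(f.get("issue_confidence", "LOW"), 1) >= conf_floor
    ]


def summarize(findings: List[Dict]) -> List[str]:
    """One human-readable line per finding, in the order Bandit emitted them."""
    return [
        f"{f['issue_severity']}/{f['issue_confidence']} {f['test_id']} "
        f"{f['filename']}:{f['line_number']} {f['issue_text']}"
        for f in findings
    ]


def gate(report_json: str, min_severity: str = "MEDIUM",
         min_confidence: str = "LOW") -> int:
    """Return a process exit code: 1 if any finding meets the threshold, else 0."""
    failing = filter_findings(load_findings(report_json),
                              min_severity, min_confidence)
    for line in summarize(failing):
        print(line)
    return 1 if failing else 0


if __name__ == "__main__":
    # Usage: python bandit_gate.py [bandit.json] [MIN_SEVERITY]
    # With no report path the constructed sample above is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    report = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "MEDIUM"
    sys.exit(gate(report, threshold))
```

In a GitHub Actions job this runs as a step after the Bandit step, with the job's pass/fail coming from the script's exit code; the thresholds are deliberately explicit arguments so the policy (for example "fail on HIGH only" for a legacy service, "fail on MEDIUM and above" for new code) lives in the workflow file rather than in the scanner's defaults.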
