The secure-lambda-scanner.py script is designed to analyze Python Lambda functions in your AWS account for security vulnerabilities using Bandit. It dynamically discovers Python Lambda functions across all regions, downloads their code, extracts it, and runs Bandit against the extracted code. The results are stored in the specified destination directory in the desired format (default is 'txt').
Ensure the following prerequisites are met:
- Python 3
- AWS CLI configured
- Boto3 library installed
- Bandit installed and in your system's PATH
- Pre-commit installed (optional but recommended)
- Clone the repository: git clone https://github.com/your/repo.git
- Install the required dependencies: pip install -r requirements.txt
- Set up pre-commit hooks: pre-commit install
./secure-lambda-scanner.py --destination-directory /path/to/results --format txt
- --destination-directory (-d or --dest): Set the destination path to store the Bandit results.
- --format (-f or --fmt): Specify the output format for Bandit results. Default is 'txt'.
- --bucket-name (-b or --bucket): Specify the destination bucket for uploading Bandit results.
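The discover / download / extract / scan loop described above, written out as an added example that is not the project's own code. It uses boto3's Lambda API and the Bandit CLI; the helper names, the zip-slip check in extract_lambda_code and the constructed sample_package fixture are my own assumptions, and only scan_account needs AWS credentials.

```python
import io
import os
import subprocess
import tempfile
import zipfile


def is_python_lambda(fn: dict) -> bool:
    """Managed Python runtimes only; image-based functions carry no Runtime key."""
    return fn.get("Runtime", "").startswith("python")


def extract_lambda_code(zip_bytes: bytes, dest_dir: str = None) -> list:
    """Unpack a package into dest_dir (fresh temp dir by default), refusing zip-slip entries."""
    root = os.path.realpath(dest_dir or tempfile.mkdtemp(prefix="lambda-"))
    py_files = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            target = os.path.realpath(os.path.join(root, member.filename))
            if os.path.commonpath([root, target]) != root:  # entry would land outside root
                raise ValueError(f"unsafe path in package: {member.filename}")
            zf.extract(member, root)
            if member.filename.endswith(".py"):
                py_files.append(target)
    return py_files


def bandit_command(code_dir: str, report: str, fmt: str = "txt") -> list:
    """Bandit CLI call matching the script's --format / --destination-directory options."""
    return ["bandit", "-r", code_dir, "-f", fmt, "-o", report]


def scan_account(dest_dir: str, fmt: str = "txt"):
    """Walk every Lambda region, download each Python function's package, run Bandit."""
    import boto3, requests  # imported here so the helpers above need no AWS setup
    for region in boto3.session.Session().get_available_regions("lambda"):
        client = boto3.client("lambda", region_name=region)
        for page in client.get_paginator("list_functions").paginate():
            for fn in filter(is_python_lambda, page["Functions"]):
                url = client.get_function(FunctionName=fn["FunctionName"])["Code"]["Location"]
                with tempfile.TemporaryDirectory() as tmp:  # Location is a pre-signed S3 URL
                    extract_lambda_code(requests.get(url, timeout=60).content, tmp)
                    report = os.path.join(dest_dir, f"{region}-{fn['FunctionName']}.{fmt}")
                    subprocess.run(bandit_command(tmp, report, fmt))  # exit 1 just means findings
                    yield report


def sample_package(with_traversal: bool = False) -> bytes:
    """Constructed input: a tiny deployment package, optionally with a zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in [("handler.py", "import subprocess\n"), ("lib/util.py", "X = 1\n"),
                           ("README.md", "docs\n")] + ([("../escape.py", "")] if with_traversal else []):
            zf.writestr(name, body)
    return buf.getvalue()
```

Running `for r in scan_account("/path/to/results"): print(r)` reproduces the script's per-function reports; the fixture lets the extraction step be exercised without touching AWS.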
The .pre-commit-config.yaml file specifies pre-commit hooks, including the Bandit hook, which is responsible for checking Python code for common security issues.
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.6
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml"]
        additional_dependencies: [".[toml]"]
The requirements.txt file lists the necessary Python dependencies for the script.
boto3
click
requests
The pyproject.toml file configures Bandit by excluding the ./venv/* directory from scanning.
[tool.bandit]
exclude_dirs = ["./venv/*"]
Make sure to run the script within a virtual environment with the specified requirements and pre-commit hooks to avoid potential errors, such as "command not found: bandit" or missing Python modules.