How to use Bandit with Vim’s quickfix list

One way to populate Vim’s quickfix list is by running :make which runs the program specified by the makeprg setting. Due to Vim’s C heritage, the default behaviour is to run the make command-line tool but there are many other useful programs that print locations to STDOUT.

Bandit is a Python static analysis tool that looks for common security issues. You can use it to populate the quickfix list by setting:

set makeprg=bandit\ -r\ -f\ custom

then you can run :make to work through any warnings with :cwindow, :cnext etc.

Note, :make will pass on any command-line options so you can do things like :make -t B112 to work though just one type of warning.

You can do a similar thing for linting errors by setting makeprg=flake8.