I would like to see my Bandit issues in SonarQube, but I don't know if I made a mistake with my configuration or if there is a way to sort issues by Bandit.
This is the correct place to ask questions about SonarQube to maximize your chance to get an answer from the SonarQube community or directly from SonarSourcers.
FYI there is no reason to continue to use Bandit because SonarQube and SonarCloud provide out-of-the-box security rules (Vulnerabilities and Security Hotspots). The possibility to import Bandit rules is left here to ease the transition from Bandit to SonarSource native security rules.
That said, if you really want to import your Bandit issues into SonarQube, you should check first if Bandit generated issues and you have a report full of issues.
Secondly, make sure there is no typo in the parameter added to your Scanner command line:
-Dsonar.python.bandit.reportPaths=
Last, it would be great to post here the logs of your scan, the command line you run and the content of your Bandit report.
I found the problem: when I used sonar-scanner, there was a venv folder. So I found a lot of analysis with the venv, so I just put venv in .gitignore. Moreover, my bandit command line was bad. I need to exclude the venv folder like this:
bandit --verbose --ignore-nosec --recursive --exclude ./venv -o bandit_report.json -f json .
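An added example, not code from anyone in this thread: a small Python check for the first step suggested above (confirm the Bandit JSON report really contains issues) that also flags findings located in a virtualenv. The field names are those of Bandit's JSON output; the sample report, the directory list and the function names are constructed for illustration.

```python
import json
from collections import Counter
from pathlib import PurePosixPath

# Directory names treated as third-party code (assumption; adjust to your project).
VENDORED_DIRS = {"venv", ".venv", "site-packages"}

# Constructed sample shaped like Bandit's JSON output (-f json); not real scan output.
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "results": [
        {"filename": "./app/db.py", "line_number": 12, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_text": "Possible SQL injection vector."},
        {"filename": "./venv/lib/python3.11/site-packages/pkg/a.py", "line_number": 40,
         "test_id": "B101", "issue_severity": "LOW", "issue_text": "Use of assert detected."},
        {"filename": "./venv/lib/python3.11/site-packages/pkg/b.py", "line_number": 7,
         "test_id": "B105", "issue_severity": "LOW", "issue_text": "Possible hardcoded password."},
    ],
})


def summarize_report(report_text):
    """Count Bandit findings, split into project code and virtualenv/third-party code."""
    report = json.loads(report_text)
    results = report.get("results", [])
    own, vendored = [], []
    for issue in results:
        parts = set(PurePosixPath(issue["filename"].replace("\\", "/")).parts)
        (vendored if parts & VENDORED_DIRS else own).append(issue)
    return {
        "total": len(results),
        "own_code": len(own),
        "vendored": len(vendored),
        "own_by_severity": dict(Counter(i["issue_severity"] for i in own)),
        "scan_errors": len(report.get("errors", [])),
    }


def verdict(summary):
    """Say whether the report is worth passing to sonar.python.bandit.reportPaths."""
    if summary["total"] == 0:
        return "empty: Bandit reported no issues, so nothing will show up in SonarQube"
    if summary["vendored"]:
        return "noisy: re-run Bandit with --exclude ./venv before importing"
    return "ok: report contains only project findings"


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print(summary)
    print(verdict(summary))
```

To check a real report, pass the contents of bandit_report.json to summarize_report instead of the sample.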