
Diagnostics not published despite successful SARIF output (Windows, external venv) #103

@yacoubean

Description

Environment

VS Code: 1.104.3 (user setup)
OS: Windows 11 Pro
Extension: Bandit by PyCQA (pycqa.bandit-pycqa) v2025.14.0
Python: 3.13.5
Bandit: 1.8.6 (installed in external venv)
SARIF formatter: bandit_sarif_formatter installed

Steps to Reproduce

Configure .vscode/settings.json:

{
  "python.defaultInterpreterPath": "C:\\Users\\[redacted]\\VirtualEnvs\\[redacted]\\Scripts\\python.exe",
  "bandit.importStrategy": "fromEnvironment",
  "bandit.interpreter": ["C:\\Users\\[redacted]\\VirtualEnvs\\[redacted]\\Scripts\\python.exe"],
  "bandit.path": ["C:\\Users\\[redacted]\\VirtualEnvs\\[redacted]\\Scripts\\python.exe", "-m", "bandit"],
  "bandit.args": ["-x", "venv,.venv,build,dist"]
}

Ensure Bandit and SARIF formatter are installed:

python -m pip install -U bandit bandit_sarif_formatter
Requirement already satisfied: bandit in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (1.8.6)
Requirement already satisfied: bandit_sarif_formatter in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (1.1.1)
Requirement already satisfied: PyYAML>=5.3.1 in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from bandit) (6.0.3)
Requirement already satisfied: stevedore>=1.20.0 in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from bandit) (5.5.0)
Requirement already satisfied: rich in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from bandit) (14.1.0)
Requirement already satisfied: colorama>=0.3.9 in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from bandit) (0.4.6)
Requirement already satisfied: jschema-to-python>=1.2.3 in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from bandit_sarif_formatter) (1.2.3)
Requirement already satisfied: sarif-om>=1.0.4 in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from bandit_sarif_formatter) (1.0.4)
Requirement already satisfied: attrs in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from jschema-to-python>=1.2.3->bandit_sarif_formatter) (25.4.0)
Requirement already satisfied: jsonpickle in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from jschema-to-python>=1.2.3->bandit_sarif_formatter) (4.1.1)    
Requirement already satisfied: pbr in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from jschema-to-python>=1.2.3->bandit_sarif_formatter) (7.0.1)
Requirement already satisfied: setuptools in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from pbr->jschema-to-python>=1.2.3->bandit_sarif_formatter) (80.9.0)
Requirement already satisfied: markdown-it-py>=2.2.0 in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from rich->bandit) (4.0.0)
Requirement already satisfied: pygments<3.0.0,>=2.13.0 in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from rich->bandit) (2.19.2)
Requirement already satisfied: mdurl~=0.1 in c:\users\[redacted]\virtualenvs\[redacted]\lib\site-packages (from markdown-it-py>=2.2.0->rich->bandit) (0.1.2)

Add known vulnerabilities to a Python file:

import subprocess, os
subprocess.call("dir", shell=True)  # B602 HIGH
assert os.name != "posix"  # B101 LOW

Save the file in VS Code. Check Problems panel and inline code for reported errors. None found.

Bandit log does show SARIF output findings:

"results": [
  {
    "ruleId": "B602",
    "message": { "text": "subprocess call with shell=True identified, security issue." },
    "properties": { "issue_severity": "HIGH" }
  },
  {
    "ruleId": "B101",
    "message": { "text": "Use of assert detected..." },
    "properties": { "issue_severity": "LOW" }
  }
]

Bandit log snippet:

C:\Users\[redacted]\VirtualEnvs\[redacted]\Scripts\python.exe -m bandit --quiet --format=sarif ...
Ignoring notification for unknown method "textDocument/didSave"
file:///h%3A/Python/[redacted]/main.py :
{ ... full SARIF JSON ... }

Additional notes:

  • Initially hit ${interpreter} substitution bug: extension logged ${interpreter} literally in command until hard-coded path was used.
  • Workspace uses external venv (not under project folder).
  • File URI in SARIF: file:///h:/Python/... vs document URI: file:///h%3A/... (possible mapping issue).
  • Problems filter includes Information; B602 HIGH should appear as Error but does not.

Workarounds tried:

  • Verified Bandit CLI works with SARIF.
  • Installed SARIF formatter.
  • Reloaded window, restarted server.
  • Disabled other Bandit extensions.
  • Problems panel filter set to show Info/Warnings/Errors.
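To check the mapping hypothesis from the notes above (SARIF reports file:///h:/... while the document URI is file:///h%3A/..., and a HIGH finding should surface as Error), here is an added Python example that is not part of the issue, Bandit, or the extension: it normalizes both URIs before matching SARIF results to a document and maps issue_severity to a diagnostic level. The SARIF fragment, file paths and the "strict" toggle are constructed for illustration.

```python
import json
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed SARIF fragment modelled on the issue's log; not a real Bandit run.
SAMPLE_SARIF = json.dumps({"runs": [{"results": [
    {"ruleId": "B602",
     "message": {"text": "subprocess call with shell=True identified, security issue."},
     "properties": {"issue_severity": "HIGH"},
     "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "file:///h:/Python/proj/main.py"},
         "region": {"startLine": 2}}}]},
    {"ruleId": "B101",
     "message": {"text": "Use of assert detected..."},
     "properties": {"issue_severity": "LOW"},
     "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "file:///h:/Python/proj/main.py"},
         "region": {"startLine": 3}}}]},
]}]})

# Bandit severity -> diagnostic level a client would publish (assumed mapping).
SEVERITY_TO_DIAGNOSTIC = {"HIGH": "Error", "MEDIUM": "Warning", "LOW": "Information"}


def normalize_file_uri(uri: str) -> str:
    """Canonical form for comparing file URIs: percent-decode the path
    ('h%3A' -> 'h:') and lower-case a Windows drive letter."""
    parts = urlsplit(uri)
    path = unquote(parts.path)
    if len(path) >= 3 and path[0] == "/" and path[2] == ":":
        path = "/" + path[1].lower() + path[2:]
    return f"{parts.scheme}:///{path.lstrip('/')}"


def diagnostics_for(sarif_text: str, document_uri: str, strict: bool = False) -> List[Dict]:
    """Diagnostics for document_uri. strict=True compares URIs byte-for-byte,
    which is the failure mode the issue suggests; strict=False normalizes first."""
    key = (lambda u: u) if strict else normalize_file_uri
    wanted = key(document_uri)
    out = []
    for run in json.loads(sarif_text)["runs"]:
        for res in run["results"]:
            for loc in res.get("locations", []):
                phys = loc["physicalLocation"]
                if key(phys["artifactLocation"]["uri"]) != wanted:
                    continue  # result belongs to another document (or did not match)
                sev = res.get("properties", {}).get("issue_severity", "LOW")
                out.append({"rule": res["ruleId"], "line": phys["region"]["startLine"],
                            "severity": SEVERITY_TO_DIAGNOSTIC.get(sev, "Information"),
                            "message": res["message"]["text"]})
    return out
```

Run diagnostics_for with the percent-encoded document URI: strict matching publishes nothing, normalized matching publishes both findings with B602 at Error level.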
