Bandit B404 security issue with subprocess import?

According to Bandit's documentation, importing the subprocess module is considered a low security issue (B404). Unfortunately, it does not provide alternatives or an explanation why. Thus, I have 2 questions:

  1. How could just importing this module be an issue in itself?
  2. What alternatives should I use instead? Should I import only a specific function from this library or should I just avoid it?
Practiced answered 26/10, 2021 at 21:17

Our team decided to turn off the B404 warning because, as you pointed out, it is not useful.

We have B602: subprocess_popen_with_shell_equals_true and B603: subprocess_without_shell_equals_true both turned on, which are where actual security issues could happen.

Gloaming answered 26/4, 2023 at 16:7

As noted in the Bandit blacklist imports documentation, this is a low severity issue. It is just a heads-up for anyone who is not aware of the potential security issues related to the library.

You can suppress the warning by excluding it with # nosec B404 on the corresponding line, or by changing scan behavior in your Bandit configuration.

Nic answered 28/6, 2023 at 10:13
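The two answers above make different points: the first that B602 (shell=True) and B603 (argument list, no shell) are where the real review effort belongs, the second that B404 can be silenced per line with # nosec B404. The following is an added example, not code from either answer or from Bandit, showing all three findings in one script. It uses the running Python interpreter as a stand-in child command (it just echoes its first argument) so the example runs anywhere; the argument value SAMPLE_ARG is constructed to contain characters a shell would otherwise interpret.

```python
"""Added example (not from the question or answers): what Bandit's B404, B602 and
B603 distinction looks like in code.

- B404 fires on the import alone.
- B603 fires on subprocess calls that pass an argument list with no shell.
- B602 fires on calls with shell=True, which is the one that deserves review.

The child command is a constructed stand-in: the current Python interpreter
printing its first argument back, so the example is self-contained.
"""
import shlex
import subprocess  # nosec B404 -- reviewed: every call below passes an argv list or a shlex-quoted string
import sys

# Constructed sample argument containing characters a shell would treat specially.
SAMPLE_ARG = "draft & final $(date).txt"

# One-liner the child interpreter runs: print argv[1] verbatim, no trailing newline.
CHILD_CODE = "import sys; print(sys.argv[1], end='')"


def build_argv(arg: str) -> list:
    """Argument-list form: `arg` becomes one argv element, so no shell ever parses it."""
    return [sys.executable, "-c", CHILD_CODE, arg]


def build_shell_string(arg: str) -> str:
    """Shell-string form with every part passed through shlex.quote.

    Only needed when shell features (pipes, globbing) are genuinely required.
    Building this string with plain f-string interpolation instead of shlex.quote
    is the pattern B602 exists to catch; this function never does that.
    """
    return " ".join(shlex.quote(part) for part in build_argv(arg))


def shell_string_roundtrips(arg: str) -> bool:
    """True if the quoted shell string parses back to exactly the argv list,
    i.e. quoting preserved the argument boundaries."""
    return shlex.split(build_shell_string(arg)) == build_argv(arg)


def run_argv(arg: str) -> str:
    """Run without a shell. Bandit reports B603 (low) on this line; it is
    informational, because `arg` is never interpreted by a shell."""
    result = subprocess.run(  # nosec B603 -- fixed argv, no shell
        build_argv(arg), capture_output=True, text=True, check=True
    )
    return result.stdout


def run_shell(arg: str) -> str:
    """Run the quoted string with shell=True. Bandit reports B602 here, and this
    finding is left unsuppressed on purpose: the call is only safe because
    build_shell_string quoted every part, and a reviewer should confirm that."""
    result = subprocess.run(
        build_shell_string(arg), shell=True, capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    # Both forms hand the child the same literal argument, metacharacters included.
    print(repr(run_argv(SAMPLE_ARG)))
    print(repr(run_shell(SAMPLE_ARG)))
    print(shell_string_roundtrips(SAMPLE_ARG))
```

Running bandit over this file reproduces the page's three findings: B404 on the import (suppressed), B603 on run_argv (suppressed, with the reason recorded next to the nosec comment), and B602 on run_shell, which is the one that should stay visible in the report so that the quoting in build_shell_string gets looked at whenever the code changes.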
