ci: add bandit security-scan job (Task A.2 from #158) #167
Merged
JuergenFleiss merged 2 commits into the base branch on May 27, 2026
Conversation
added 2 commits
May 27, 2026 09:29
Adds `bandit[toml]>=1.9.0` to the dev dependency group and a minimal `[tool.bandit]` block (exclude_dirs for build/venv/model dirs). bandit is the named security scanner BSI compliance reports cite; it runs as its own CI job, separate from ruff's overlapping S-category checks.
Adds a `bandit` job to the CI workflow, parallel to the ruff job and installed the same lightweight way (`--only-group dev --no-install-project` — bandit scans source, no app runtime needed).
The four baseline findings are annotated with scoped `# nosec` comments + rationale on the offending lines (not a global skip list, so any new occurrence elsewhere is still flagged):
- `import subprocess` (B404) — static argv, never a shell
- `subprocess.run(["xdg-open", ...])` (B603, B607) — fixed argv, no shell, no user input
- `urllib.request.urlopen("https://huggingface.co", ...)` (B310) — hardcoded https URL, not user input
Owner
Looks good to me. Regarding the `shutil.which` alternative to xdg, we would have to check how this behaves in flatpak sandboxing.
Author
Yes, we can defer the change until you get the chance to test and we set up a proper testing suite.
Follow-up to the ruff CI PR (#160). Adds `bandit` as its own dedicated CI job, separate from the ruff job — one tool per job, per the review on #160, so a failure attributes immediately to the right tool.
Contributes to #158 (Task A — CI lint/format/security).
What this PR does
- `bandit[toml]>=1.9.0` to `[dependency-groups] dev` and a minimal `[tool.bandit]` block (`exclude_dirs` for build/venv/model dirs).
- `bandit` CI job, installed the same lightweight way as ruff (`uv sync --locked --only-group dev --no-install-project` — bandit scans source, the app runtime isn't needed).
- `# nosec` comments + rationale on the offending lines (not a global skip list, so any new occurrence elsewhere is still flagged):
  - `import subprocess` (B404) — static argv, never a shell
  - `subprocess.run(["xdg-open", …])` (B603, B607) — fixed argv, no shell, no user input
  - `urllib.request.urlopen("https://huggingface.co", …)` (B310) — hardcoded https URL, not user input
- `bandit` command in CONTRIBUTING.md.
Why bandit alongside ruff's S rules
ruff's `S` category (flake8-bandit) already covers overlapping checks, but bandit is the named scanner BSI compliance reports cite, produces its own report format, and versions independently — so a dedicated, clearly-labelled `bandit` job is worth the small overlap.
Maps to BSI IT-Grundschutz
Codeanalyse) — bandit covers the named security-testing half.
Note
The grandfathered S607/B607 finding (`xdg-open` partial path) could alternatively be fixed via `shutil.which(...)`; deferred to a follow-up with test coverage rather than changing behaviour here.
cc @gerardo-navarro
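As an added example (not code from this PR or its project), a small check that enforces the convention the PR describes: every `# nosec` marker must name the bandit test IDs it suppresses and carry a rationale, so a bare `# nosec`, which silences every check on that line, is caught before it lands. The `SAMPLE` source and its `digest` function are constructed here for the demonstration.

```python
import io
import re
import tokenize

# Matches "# nosec", optional ":", then zero or more bandit test IDs (B404, B603, ...)
# and whatever text follows them (the rationale, if any).
NOSEC_RE = re.compile(
    r"#\s*nosec\b:?\s*(?P<ids>(?:B\d{3}[,\s]*)*)(?P<rest>.*)", re.IGNORECASE
)


def audit_nosec(source: str) -> list[tuple[int, str]]:
    """Return (line_number, problem) for every nosec marker that is either
    unscoped (no test IDs, so it suppresses everything) or lacks a rationale.
    Tokenizing the source means a 'nosec' inside a string literal is ignored."""
    problems = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        m = NOSEC_RE.search(tok.string)
        if not m:
            continue
        ids = re.findall(r"B\d{3}", m.group("ids"), re.IGNORECASE)
        rationale = m.group("rest").strip(" -:")
        if not ids:
            problems.append((tok.start[0], "bare nosec suppresses every check on this line"))
        elif not rationale:
            problems.append((tok.start[0], f"nosec {' '.join(ids)} has no rationale"))
    return problems


# Constructed sample: the first two markers follow the PR's convention,
# the third names an ID but gives no reason, the fourth is a bare skip.
SAMPLE = '''\
import hashlib
import subprocess  # nosec B404 - static argv below, never a shell
import urllib.request

def open_docs():
    subprocess.run(["xdg-open", "https://example.invalid"])  # nosec B603 B607 - fixed argv, no shell, no user input

def check_hub():
    return urllib.request.urlopen("https://huggingface.co", timeout=5)  # nosec B310

def digest(data):
    return hashlib.md5(data).hexdigest()  # nosec
'''

if __name__ == "__main__":
    for line, problem in audit_nosec(SAMPLE):
        print(f"line {line}: {problem}")
```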