ci(security): add Bandit pre-commit hook

2026-05-16 21:59:26 +00:00 · 2026-04-02 13:23:26 -06:00
parent e10dbeed94
commit c051d9df23
3 changed files with 23 additions and 0 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -119,6 +119,16 @@ follow_imports = "silent"
 ignore_missing_imports = true
 no_implicit_optional = true

+[tool.bandit]
+exclude_dirs = ["tests", ".venv"]
+skips = [
+    "B101",  # assert used legitimately in non-test code
+    "B324",  # MD5/SHA1 used for identifiers and cache keys, not security
+    "B413",  # false positive: pycryptodome uses Crypto namespace, not deprecated pyCrypto
+    "B314",  # XML from DRM protocol headers, not untrusted user input
+    "B608",  # SQL table names from internal service tags, not user input; parameterized values
+]
+
 [tool.uv.sources]
 unshackle = { workspace = true }
 subby = { git = "https://github.com/vevv/subby.git", rev = "1ea6a52028c5bea8177c8abc91716d74e4d097e1" }