ci(security): add Bandit pre-commit hook

.gitignore

@@ -223,6 +223,10 @@ cython_debug/
 .github/copilot-instructions.md
 CLAUDE.md
 
+# CodeQL local analysis
+.codeql-db/
+.codeql-results/
+
 # Ruff stuff:
 .ruff_cache/
 

.pre-commit-config.yaml

@@ -16,6 +16,15 @@ repos:
     rev: 6.0.1
     hooks:
       - id: isort
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.8.3
+    hooks:
+      - id: bandit
+        args:
+          - -c=pyproject.toml
+          - --severity-level=medium
+          - --confidence-level=medium
+        additional_dependencies: ['bandit[toml]']
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:

pyproject.toml

@@ -119,6 +119,16 @@ follow_imports = "silent"
 ignore_missing_imports = true
 no_implicit_optional = true
 
+[tool.bandit]
+exclude_dirs = ["tests", ".venv"]
+skips = [
+    "B101",  # assert used legitimately in non-test code
+    "B324",  # MD5/SHA1 used for identifiers and cache keys, not security
+    "B413",  # false positive: pycryptodome uses Crypto namespace, not deprecated pyCrypto
+    "B314",  # XML from DRM protocol headers, not untrusted user input
+    "B608",  # SQL table names from internal service tags, not user input; parameterized values
+]
+
 [tool.uv.sources]
 unshackle = { workspace = true }
 subby = { git = "https://github.com/vevv/subby.git", rev = "1ea6a52028c5bea8177c8abc91716d74e4d097e1" }