ci(security): add Bandit pre-commit hook

2026-05-17 06:09:29 +00:00 · 2026-04-02 13:23:26 -06:00
parent e10dbeed94
commit c051d9df23
3 changed files with 23 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -223,6 +223,10 @@ cython_debug/
 .github/copilot-instructions.md
 CLAUDE.md

+# CodeQL local analysis
+.codeql-db/
+.codeql-results/
+
 # Ruff stuff:
 .ruff_cache/

--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,6 +16,15 @@ repos:
    rev: 6.0.1
    hooks:
      - id: isort
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.8.3
+    hooks:
+      - id: bandit
+        args:
+          - -c=pyproject.toml
+          - --severity-level=medium
+          - --confidence-level=medium
+        additional_dependencies: ['bandit[toml]']
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -119,6 +119,16 @@ follow_imports = "silent"
 ignore_missing_imports = true
 no_implicit_optional = true

+[tool.bandit]
+exclude_dirs = ["tests", ".venv"]
+skips = [
+    "B101",  # assert used legitimately in non-test code
+    "B324",  # MD5/SHA1 used for identifiers and cache keys, not security
+    "B413",  # false positive: pycryptodome uses Crypto namespace, not deprecated pyCrypto
+    "B314",  # XML from DRM protocol headers, not untrusted user input
+    "B608",  # SQL table names from internal service tags, not user input; parameterized values
+]
+
 [tool.uv.sources]
 unshackle = { workspace = true }
 subby = { git = "https://github.com/vevv/subby.git", rev = "1ea6a52028c5bea8177c8abc91716d74e4d097e1" }