Add bandit security scanning to CI

Co-authored-by: Johanan Oppong Amoateng <johananoppongamoateng2001@gmail.com>
Co-authored-by: Brian Kohan <bckohan@gmail.com>

Author: JohananOppongAmoateng

.github/workflows/bandit.yml

@@ -0,0 +1,55 @@
+name: Bandit
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    paths:
+      - "src/**"
+      - "pyproject.toml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  bandit-analysis:
+    name: Run Bandit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        id: sp
+        with:
+          python-version: '3.x'
+          allow-prereleases: true
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
+        with:
+          enable-cache: false
+      - name: Install Just
+        uses: extractions/setup-just@f8a3cce218d9f83db3a2ecd90e41ac3de6cdfd9b
+
+      - name: Run Bandit
+        run: |
+          just bandit
+
+      - name: Upload analysis results
+        if: ${{ always() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        with:
+          name: bandit-results
+          path: bandit.sarif
+          retention-days: 7
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98
+        with:
+          sarif_file: bandit.sarif

.github/workflows/zizmor.yml

@@ -40,25 +40,25 @@ jobs:
 
       - name: Run Zizmor analysis
         run: |
-          zizmor --format sarif .github/workflows/ > results.sarif
+          zizmor --format sarif .github/workflows/ > zizmor.sarif
 
       - name: Upload analysis results
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: zizmor-results
-          path: results.sarif
+          path: zizmor.sarif
           retention-days: 7
 
       - name: Upload to code-scanning
         uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98
         with:
-          sarif_file: results.sarif
+          sarif_file: zizmor.sarif
 
       - name: Fail on Findings
         run: |
           count="$(
             jq '([.runs[]? | (.results // [])[] | select(.level != "note")] | length) // 0' \
-              results.sarif
+              zizmor.sarif
           )"
           echo "Zizmor findings: $count"
           test "$count" -eq 0

.gitignore

@@ -227,3 +227,4 @@ test2.db
 example/example.db
 CLAUDE.md
 zizmor.sarif
+bandit.sarif

justfile

@@ -195,6 +195,10 @@ lint: sort-imports
 # fix formatting, linting issues and import sorting
 fix: lint format
 
+# run bandit static security analysis
+bandit:
+    @just run --no-default-groups --group lint bandit -c pyproject.toml -r ./src -f sarif -o bandit.sarif
+
 # run all static checks
 check *ENV:
     @just check-lint {{ ENV }}
@@ -203,6 +207,7 @@ check *ENV:
     @just check-docs {{ ENV }}
     @just check-readme {{ ENV }}
     @just check-package
+    @just bandit
 
 # run all checks including documentation link checking (slow)
 check-all *ENV:

pyproject.toml

@@ -207,6 +207,30 @@ reportGeneralTypeIssues = false
 reportOptionalSubscript = false
 reportPrivateImportUsage = false
 
+
+[tool.bandit]
+targets = ["src"]
+exclude_dirs = [
+    "./src/polymorphic/tests",
+    "./src/polymorphic/migrations",
+    "./example",
+    "./.venv",
+    "./docs",
+]
+
+skips = [
+    "B101",  # assert_used - assertions are fine in tests and Django code
+]
+
+# Severity level threshold
+# Options: LOW, MEDIUM, HIGH
+severity = "MEDIUM"
+
+# Confidence level threshold
+# Options: LOW, MEDIUM, HIGH
+confidence = "MEDIUM"
+
+
 [dependency-groups]
 typing = [
     "django-stubs>=5.1.1",
@@ -216,9 +240,10 @@ typing = [
     "mypy>=1.19.1",
 ]
 lint = [
-    "ruff>=0.15.0", 
+    "ruff>=0.15.0",
     "readme-renderer[md]>=43.0",
-    "doc8>=1.1.2"
+    "doc8>=1.1.2",
+    "bandit[toml,sarif]>=1.7.10"
 ]
 coverage = ["coverage>=7.6.1"]
 test = [