Add Comprehensive Security Testing to CI Pipeline#762

Merged
bckohan merged 1 commit into jazzband:main from JohananOppongAmoateng:ci-security on Mar 6, 2026

Conversation

@JohananOppongAmoateng JohananOppongAmoateng commented Dec 24, 2025

This PR integrates automated security testing into the django-polymorphic CI pipeline, providing continuous security monitoring without blocking development workflows.
The security workflow generates reports instead of failing the pipeline:

@JohananOppongAmoateng (Contributor Author) commented

@bckohan I am not really sure which one is the best action to take: whether to fail the whole pipeline if there are security issues or to generate a report, so I generated reports. Please advise on the preferred route or the best one.

codecov bot commented Dec 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.24%. Comparing base (13521c6) to head (699c107).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #762   +/-   ##
=======================================
  Coverage   91.24%   91.24%           
=======================================
  Files          28       28           
  Lines        1897     1897           
  Branches      273      273           
=======================================
  Hits         1731     1731           
  Misses        110      110           
  Partials       56       56           

@JohananOppongAmoateng JohananOppongAmoateng marked this pull request as ready for review January 9, 2026 20:52
Copilot AI review requested due to automatic review settings March 6, 2026 19:08
Copilot AI left a comment

Pull request overview

Adds Bandit-based Python static security scanning (SARIF output) to the CI/tooling setup for django-polymorphic, alongside minor adjustments to existing security tooling output naming.

Changes:

  • Add a new GitHub Actions workflow to run Bandit and upload SARIF/artifacts.
  • Add Bandit configuration + dependency-group entry, and update lockfile accordingly.
  • Add just targets to run Bandit locally and include it in the broader check task; ignore generated SARIF output.

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated 8 comments.

Summary per file:

  • uv.lock: Adds Bandit and its transitive dependencies to the resolved environment and groups.
  • pyproject.toml: Introduces Bandit configuration and adds Bandit to the lint dependency group.
  • justfile: Adds a bandit recipe and wires Bandit/Zizmor into check.
  • .gitignore: Ignores bandit.sarif.
  • .github/workflows/zizmor.yml: Renames the output SARIF file from a generic name to zizmor.sarif.
  • .github/workflows/bandit.yml: New workflow to run Bandit and upload SARIF/artifacts.

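A workflow of the kind the review summarises, written here as an added example and not the project's own bandit.yml: it runs Bandit over the package, writes a SARIF report, uploads it to GitHub code scanning and keeps the raw file as an artifact, without letting findings fail the job (the "report, don't block" choice discussed above). The package path `polymorphic`, the Python version and the pinned action versions are assumptions.

```yaml
name: bandit

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required for the SARIF upload step

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed; pick the project's supported version

      - name: Install Bandit with SARIF and TOML support
        run: python -m pip install "bandit[sarif,toml]"

      - name: Run Bandit (report only, never fails the job)
        # -c reads the [tool.bandit] table from pyproject.toml.
        # --exit-zero makes findings non-blocking; they surface through
        # the upload below instead of a red check. Package path is assumed.
        run: >
          bandit -c pyproject.toml -r polymorphic
          -f sarif -o bandit.sarif --exit-zero

      - name: Upload SARIF to GitHub code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: bandit.sarif

      - name: Keep the raw SARIF as a build artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: bandit-sarif
          path: bandit.sarif
```

Findings then appear on the repository's Security tab and as annotations on pull requests, so an unnoticed regression is still visible even though the check stays green.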
@bckohan bckohan force-pushed the ci-security branch 3 times, most recently from d7ca03f to 6e551b5 Compare March 6, 2026 19:22
@github-advanced-security
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Co-authored-by: Johanan Oppong Amoateng <johananoppongamoateng2001@gmail.com>
Co-authored-by: Brian Kohan <bckohan@gmail.com>
@bckohan bckohan left a comment

Thanks for this! I made a few tweaks - most notably, results are output in sarif and uploaded to the security tool.

@bckohan bckohan merged commit 488e1bf into jazzband:main Mar 6, 2026
40 of 41 checks passed
Development

Successfully merging this pull request may close these issues.

Add Comprehensive Security and Vulnerability Checks to CI