Use azpysdk Bandit Check in CI (#44214)

* cut

* sanity

* nvm

* pin bandit version

* minor

Author: JennyPng

eng/pipelines/templates/steps/run_bandit.yml

@@ -11,14 +11,17 @@ steps:
   - task: PythonScript@0
     displayName: 'Run Bandit'
     inputs:
-      scriptPath: 'scripts/devops_tasks/dispatch_tox.py'
+      scriptPath: 'eng/scripts/dispatch_checks.py'
       arguments: >-
         "$(TargetingString)"
         --mark_arg="${{ parameters.TestMarkArgument }}"
         --service="${{ parameters.ServiceDirectory }}"
-        --toxenv="bandit"
+        --checks="bandit"
         --disable-compatibility-filter
         --disablecov
         ${{ parameters.AdditionalTestArgs }}
-    env: ${{ parameters.EnvVars }}
+    env:
+      TOX_PIP_IMPL: "uv"
+      VIRTUAL_ENV: ""
+      PYTHONHOME: ""
     condition: and(succeededOrFailed(), ne(variables['Skip.Bandit'],'true'))

eng/tools/azure-sdk-tools/azpysdk/bandit.py

@@ -11,6 +11,8 @@
 from ci_tools.logging import logger
 from ci_tools.functions import install_into_venv, get_pip_command
 
+BANDIT_VERSION = "1.6.2"
+
 
 class bandit(Check):
     def __init__(self) -> None:
@@ -44,9 +46,10 @@ def run(self, args: argparse.Namespace) -> int:
             self.install_dev_reqs(executable, args, package_dir)
 
             try:
-                install_into_venv(executable, ["bandit"], package_dir)
+                # pbr is required by the pinned version of bandit
+                install_into_venv(executable, [f"bandit=={BANDIT_VERSION}", "pbr"], package_dir)
             except CalledProcessError as e:
-                logger.error(f"Failed to install bandit: {e}")
+                logger.error(f"Failed to install bandit and dependencies: {e}")
                 return e.returncode
 
             self.pip_freeze(executable)