use bandit via pantsbuild

Author: cognifloyd

pants.toml

@@ -12,6 +12,7 @@ backend_packages = [
   "pants.backend.python",
   "pants.backend.experimental.python", # activates twine `publish` support
   "pants.backend.python.mixed_interpreter_constraints",
+  "pants.backend.python.lint.bandit",
   "pants.backend.python.lint.black",
   "pants.backend.python.lint.flake8",
 
@@ -83,6 +84,15 @@ root_patterns = [
   "/st2common/benchmarks/micro",
 ]
 
+[bandit]
+version = "bandit==1.7.0"
+args = [
+  "-lll",  # only HIGH severity level
+  "--exclude",
+  "build,dist",
+  "--quiet",  # only show output in the case of an error
+]
+
 [black]
 lockfile = "lockfiles/black.lock"
 version = "black==22.3.0"