fix: add nosec annotations for bandit HIGH findings#913

Open
louiseschmidtgen wants to merge 1 commit intomainfrom
KU-5612/fix-bandit-findings

Conversation

@louiseschmidtgen

Summary

Add inline # nosec annotations for intentional security patterns flagged by the new bandit SAST workflow (-lll, HIGH severity only).

These are all documented exceptions — not actual security vulnerabilities:

| Finding | Annotation | Rationale |
|---|---|---|
| B501 | `# nosec B501` | verify=False used for internal cluster communication |
| B602 | `# nosec B602` | subprocess(shell=True) with trusted/controlled input |
| B324 | `# nosec B324` | MD5 used for content hashing, not security |
| B701 | `# nosec B701` | Jinja2 autoescape disabled for non-HTML template generation |
| B202 | `# nosec B202` | tarfile.extractall from trusted upstream release artifacts |

Context

Companion to the SAST workflows PR. Once both are merged, the bandit workflow will pass cleanly.

Add inline nosec annotations for intentional security patterns
flagged by bandit -lll (HIGH severity only). These are documented
exceptions, not security vulnerabilities:

- B501: verify=False used for internal cluster communication
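As an added illustration (not code from this PR or its repository), the block below shows how a `# nosec <test-id>` suppression sits on a line and, for the B324 and B202 cases, the standard-library controls that either make a suppression unnecessary or justify the one that remains. Function names and the sample archive are constructed for this example, and the claim that bandit's B324 check accepts `usedforsecurity=False` is an assumption to verify against the bandit version in use.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def content_fingerprint(data: bytes) -> str:
    # Non-cryptographic MD5 (the B324 case). On Python 3.9+ usedforsecurity=False
    # states that intent in the call itself; assumption: bandit B324 then stays quiet.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def content_fingerprint_suppressed(data: bytes) -> str:
    # Same call with the inline suppression style used in this PR. "# nosec B324"
    # silences only that test id on this one line; other findings still report.
    return hashlib.md5(data).hexdigest()  # nosec B324

def safe_members(tar: tarfile.TarFile, dest: Path):
    # Keep only regular files/dirs that resolve inside dest (the B202 case):
    # drops absolute paths, ".." traversal, symlinks, hardlinks and device nodes.
    root = dest.resolve()
    for member in tar.getmembers():
        target = (root / member.name).resolve()
        inside = target == root or root in target.parents
        if inside and (member.isfile() or member.isdir()):
            yield member

def extract_trusted(archive: bytes, dest: Path) -> list[str]:
    # The member filter is the real control; the annotation only records that
    # the bare-extractall finding was reviewed, it does not make the call safe.
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = list(safe_members(tar, dest))
        tar.extractall(path=dest, members=members)  # nosec B202
    return [m.name for m in members]

def build_sample_archive() -> bytes:
    # Constructed fixture: one legitimate entry and one path-traversal entry.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in (("release/app.bin", b"ok"), ("../escape", b"x")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def demo() -> list[str]:
    # Extract the fixture into a scratch directory; returns the names written.
    with tempfile.TemporaryDirectory() as tmp:
        names = extract_trusted(build_sample_archive(), Path(tmp) / "out")
        assert not (Path(tmp) / "escape").exists()
        return names
```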