Merge pull request #1480 from lukaszstolarczuk/update-bandit-workflow

[CI] Enable more scans with Bandit

Author: wlemkows

.github/workflows/bandit.yml

@@ -11,18 +11,20 @@ permissions:
   contents: read
 
 jobs:
-  linux:
+  bandit:
     name: Bandit
-    runs-on: ubuntu-latest
-  
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{matrix.os}}
+
     steps:
       - name: Clone the git repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install pip packages
         run: pip install -r third_party/requirements.txt
 
-      # Scan is run only for the 'tools' folder.
+      # Scan all files, except for dev. scripts
       - name: Run Bandit
-        run: |
-          bandit -r tools
+        run: bandit -r . -x ./scripts/

test/conformance/cts_exe.py

@@ -23,10 +23,11 @@
     parser.add_argument("--test_devices_count", type=str, help="Number of devices on which tests will be run")
     parser.add_argument("--test_platforms_count", type=str, help="Number of platforms on which tests will be run")
     args = parser.parse_args()
-    
-    result = subprocess.Popen([args.test_command, '--gtest_brief=1', f'--devices_count={args.test_devices_count}',
+
+    result = subprocess.Popen([args.test_command, '--gtest_brief=1',        # nosec B603
+                               f'--devices_count={args.test_devices_count}',
                                f'--platforms_count={args.test_platforms_count}'],
-                               stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)  # nosec B603
+                               stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
 
     pat = re.compile(r'\[( )*FAILED( )*\]')
     output_list = []