update(security): bump security tooling versions and parameters

Author: Guts

.github/workflows/security.yml

@@ -29,7 +29,7 @@ env:
 jobs:
   check-bandit:
     name: "🦹‍♂️ Bandit"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
 
     steps:
       - name: Get source code
@@ -43,8 +43,7 @@ jobs:
           cache-dependency-path: "requirements/security.txt"
 
       - name: Install project requirements
-        run: |
-          python -m pip install -U pip setuptools wheel
+        run: python -m pip install -U pip setuptools wheel
 
       - name: Install security dependencies
         run: python -m pip install -U -r requirements/security.txt
@@ -54,7 +53,7 @@ jobs:
 
   check-safety:
     name: "🛡 Safety PyUp"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
 
     steps:
       - name: Get source code
@@ -68,11 +67,12 @@ jobs:
           cache-dependency-path: "requirements/security.txt"
 
       - name: Install project requirements
-        run: |
-          python -m pip install -U pip setuptools wheel
+        run: python -m pip install -U pip setuptools wheel
 
       - name: Install security dependencies
         run: python -m pip install -U -r requirements/security.txt
 
-      - name: Run Safety check
-        run: safety check --output text --short-report -r requirements/base.txt
+      - name: Run Safety scan (pyupio)
+        uses: pyupio/safety-action@v1
+        with:
+          api-key: ${{ secrets.SAFETY_API_KEY }}

.safety-project.ini

@@ -0,0 +1,4 @@
+[project]
+id = qgis-deployment-cli
+url = /codebases/qgis-deployment-cli/findings
+name = qgis-deployment-cli

SECURITY.md

@@ -56,16 +56,22 @@ Then open the `bandit_report.csv` file.
 
 ### Run Safety check
 
-In a terminal:
+To run Safety CLI locally, an authenticated account is required:
+
+```sh
+safety auth
+```
+
+Then:
 
 ```sh
-safety check --full-report --output screen -r requirements/base.txt
+safety scan --full-report --output screen -r requirements/base.txt
 ```
 
-It's also possible to get results in a text format:
+It's also possible to get results as HTML:
 
 ```sh
-safety check --full-report --output text -r requirements/base.txt > safety_report.txt
+safety scan --full-report --output html -r requirements/base.txt > safety_report.html
 ```
 
-Then open the `safety_report.txt` file.
+Then open the `safety_report.html` file.

requirements/security.txt

@@ -1,2 +1,2 @@
-bandit>=1.7.5,<1.9
-safety>=2.3.5,<3.4
+bandit>=1.8.3,<2
+safety>=3.3.1,<4