[MERGE]

* feature-unleash-bandit-164:
  Tune .bandit.yml
  Create .bandit.yml
  [TESTING] Update bandit.yml (- WIP #164 -)

Author: reactive-firewall

.bandit.yml

@@ -0,0 +1,61 @@
+# .bandit.yml
+# Strict configuration for Bandit to enforce comprehensive security checks.
+
+# Define the directories to exclude from scanning.
+exclude_dirs:
+  []
+
+# Specify files or directories to skip.
+skipped_files:
+  []
+
+# Indicate the targets to scan.
+targets:
+  - "."
+
+# Configure plugins (tests).
+plugins:
+  # Include all tests for strict scanning.
+  include:
+    - "*"
+  # Exclude no tests.
+  exclude:
+    - ""
+
+# Set the severity levels to report.
+# Including all levels ensures that even minor issues are reported.
+severity:
+  - LOW
+  - MEDIUM
+  - HIGH
+
+# Set the confidence levels to report.
+# Including all levels to catch all potential issues.
+confidence:
+  - MEDIUM
+  - HIGH
+
+# Specify the output format for the reports.
+format: "txt"
+
+# Include code snippets in the output for easier debugging.
+show_code: true
+
+# Define profiles if needed.
+profiles:
+  full_audit:
+    include:
+      - "*"
+    exclude:
+      - ""
+  fast_audit:
+    include:
+      - "multicast/*"
+    exclude:
+      - "tests/*"
+
+# Enable recursive scanning to cover all subdirectories.
+recursive: true
+
+# Disable any inline skips to ensure all code is analyzed.
+inline_skips: false

.github/workflows/bandit.yml

@@ -24,6 +24,7 @@ jobs:
   bandit:
     permissions:
       contents: read # for actions/checkout to fetch code
+      statuses: write
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-latest
     steps:
@@ -32,15 +33,15 @@ jobs:
         uses: reactive-firewall/[email protected]
         with: # optional arguments
           # exit with 0, even with results found
-          exit_zero: true # optional, default is DEFAULT
+          exit_zero: false # optional, default is DEFAULT
           # Github token of the repository (automatically created by Github)
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
           # File or directory to run bandit on
           path: "." # optional, default is .
           # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          level: medium # optional, default is UNDEFINED
+          # level: MEDIUM # optional, default is UNDEFINED
           # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          confidence: high # optional, default is UNDEFINED
+          confidence: LOW # optional, default is UNDEFINED
           # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
           # excluded_paths: # optional, default is DEFAULT
           # comma-separated list of test IDs to skip