ci: Add bandit into our workflows.

funilrys · funilrys · commit 50bdf7dda1a3 · 2025-12-17T21:21:06.000+01:00
diff --git a/.github/workflows/branches.yml b/.github/workflows/branches.yml
@@ -46,8 +46,38 @@ jobs:
       - name: Lint with Pylint
         run: pylint PyFunceble
 
+  sec_check:
+    name: Check the safety of the codebase with Bandit
+
+    runs-on: "${{ matrix.os }}"
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python_version:
+          - "3.12"
+        os:
+          - ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+        name: Clone repository
+
+      - name: Set up Python ${{ matrix.python_version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python_version }}
+
+      - name: Install dependencies
+        run: |
+          pip install --upgrade pip
+          pip install .[test,dev]
+
+      - name: Check the safety of the codebase with Bandit
+        run: bandit --ini=setup.cfg -r PyFunceble
+
   test:
-    needs: [lint]
+    needs: [lint, sec_check]
     name: "[${{ matrix.os }}-py${{ matrix.python_version }}] Test Extension"
 
     runs-on: "${{ matrix.os }}"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -44,8 +44,38 @@ jobs:
       - name: Lint with Pylint
         run: pylint PyFunceble
 
+  sec_check:
+    name: Check the safety of the codebase with Bandit
+
+    runs-on: "${{ matrix.os }}"
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python_version:
+          - "3.12"
+        os:
+          - ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+        name: Clone repository
+
+      - name: Set up Python ${{ matrix.python_version }}
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python_version }}
+
+      - name: Install dependencies
+        run: |
+          pip install --upgrade pip
+          pip install .[test,dev]
+
+      - name: Check the safety of the codebase with Bandit
+        run: bandit --ini=setup.cfg -r PyFunceble
+
   test:
-    needs: [lint]
+    needs: [lint, sec_check]
     name: "[${{ matrix.os }}-py${{ matrix.python_version }}] Test Extension"
 
     runs-on: "${{ matrix.os }}"
diff --git a/requirements.dev.txt b/requirements.dev.txt
@@ -1,4 +1,5 @@
 black
 flake8
 isort
-pylint
+pylint
+bandit
diff --git a/setup.cfg b/setup.cfg
@@ -27,3 +27,6 @@ minversion = 6.0
 addopts = --cov=PyFunceble --cov-report=html --cov-report=term
 testpaths =
     tests
+
+[bandit]
+exclude = tests

-Original file line number
+Diff line change
@@ @@ -1,4 +1,5 @@ @@
 black
 flake8
 isort
 -pylint
 +pylint
 +bandit