fix: restore -r flag for bandit targets

scottschreckengaust · scottschreckengaust · commit 5e538018163f · 2026-04-08T17:51:59.000Z
The YAML config does not support a "targets" key — that was
INI-format only. Without -r on the CLI, bandit gets no scan
targets and produces an empty SARIF file.
diff --git a/.bandit b/.bandit
@@ -1,10 +1,9 @@
-# Bandit configuration
+# Bandit configuration (YAML format, bandit 1.9+)
 # https://bandit.readthedocs.io/en/latest/config.html
-
-# Python directories to scan (add new entries here instead of
-# editing the workflow file)
-targets:
-  - scripts/aidlc-evaluator
+#
+# NOTE: scan targets must be passed via -r on the CLI; the YAML config
+# does not support a "targets" key.  Edit the workflow's bandit command
+# to add new directories.
 
 # Exclude test directories (test code often has intentional patterns
 # that trigger false positives like assert, subprocess in fixtures)
diff --git a/.github/workflows/security-scanners.yml b/.github/workflows/security-scanners.yml
@@ -231,7 +231,7 @@ jobs:
           pip install -r requirements.txt
           rm requirements.txt
           set +e
-          bandit -c .bandit -f sarif -o bandit-report_sarif.json
+          bandit -c .bandit -r scripts/aidlc-evaluator -f sarif -o bandit-report_sarif.json
           BANDIT_EXIT=$?
           set -e
           # Fail only if HIGH severity findings exist (level=error in SARIF)
