fix: convert .bandit config from INI to YAML format

Bandit 1.9.4 expects YAML config but .bandit used legacy INI format,
causing a parse error (exit code 2) that failed the CI job. Convert to
valid YAML and add -ll flag for high-confidence filtering.

Author: scottschreckengaust

.bandit

@@ -1,13 +1,7 @@
 # Bandit configuration
 # https://bandit.readthedocs.io/en/latest/config.html
 
-[bandit]
-# Only scan the Python source code
-targets = scripts/aidlc-evaluator
-
 # Exclude test directories (test code often has intentional patterns
 # that trigger false positives like assert, subprocess in fixtures)
-exclude = */tests/*
-
-# Skip low and medium-confidence findings to reduce noise
-confidence-level = high
+exclude_dirs:
+  - "*/tests/*"

.github/workflows/security-scanners.yml

@@ -223,7 +223,7 @@ jobs:
           pip install -r requirements.txt
           rm requirements.txt
           set +e
-          bandit -c .bandit -r scripts/aidlc-evaluator -f sarif -o bandit-report_sarif.json
+          bandit -c .bandit -r scripts/aidlc-evaluator -ll -f sarif -o bandit-report_sarif.json
           BANDIT_EXIT=$?
           set -e
           echo "exit_code=$BANDIT_EXIT" >> "$GITHUB_OUTPUT"