ci: integrate Bandit security scanning & fix initial findings (#18)

* ci(bandit): add bandit for security scanning
and format/de-lint ci.yaml

* fix(security): enable Jinja2 autoescape in PlanReporter (resolves Bandit B701)

Bandit flagged B701 because Jinja2’s Environment defaulted to autoescape=False.
Setting autoescape=True prevents potential XSS issues when rendering templates

* test: de-lint test_cli

Author: bcdady

.github/workflows/ci.yaml

@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 jobs:
   test:
@@ -14,32 +14,33 @@ jobs:
         python-version: ["3.10", "3.11", "3.12", "3.13"]
 
     steps:
-    - uses: actions/checkout@v4
-
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
-      with:
-        python-version: ${{ matrix.python-version }}
-  
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install poetry twine
-        poetry install --with dev
-        
-    - name: Lint with Ruff
-      run: poetry run ruff check .
-        
-    - name: Run tests with coverage
-      run: |
-        poetry run pytest --cov=tfsumpy --cov-report=term
-        poetry run coverage report --fail-under=75
-
-    - name: Coverage reminder
-      if: success()
-      run: echo "::notice ::Current threshold is 75%. PRs that raise coverage are welcome!"
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install poetry twine bandit
+          poetry install --with dev
+
+      - name: Lint with Ruff
+        run: poetry run ruff check .
 
-    - name: Build package
-      run: poetry build
+      - name: Security scan with Bandit
+        run: poetry run bandit -q -r tfsumpy -llst
+
+      - name: Run tests with coverage
+        run: |
+          poetry run pytest --cov=tfsumpy --cov-report=term
+          poetry run coverage report --fail-under=75
+
+      - name: Coverage reminder
+        if: success()
+        run: echo "::notice ::Current threshold is 75%. PRs that raise coverage are welcome!"
 
-    
+      - name: Build package
+        run: poetry build

pyproject.toml

@@ -45,12 +45,14 @@ ruff = ">=0.4.0"
 mypy = ">=1.10.0"
 types-colorama = "*"
 coverage = ">=7.2.0"
+bandit = ">=1.7.8"
 
 [tool.poetry.extras]
 dev = [
     "pytest-cov",
     "pytest-mock",
     "coverage",
+    "bandit",
     "ruff",
     "mypy"
 ]
@@ -60,4 +62,4 @@ tfsumpy = "tfsumpy.__main__:main"
 
 [build-system]
 requires = ["poetry-core"]
-build-backend = "poetry.core.masonry.api" 
+build-backend = "poetry.core.masonry.api" 

tests/test_cli.py

@@ -1,4 +1,5 @@
-import subprocess, sys, json
+import subprocess
+import sys
 
 def test_cli_smoke():
     result = subprocess.run(

tfsumpy/plan/reporter.py

@@ -17,6 +17,7 @@ def __init__(self):
         # Initialize Jinja2 environment
         template_dir = Path(__file__).parent.parent / 'templates'
         self.env = Environment(
+            autoescape=True,
             loader=FileSystemLoader(str(template_dir)),
             trim_blocks=True,
             lstrip_blocks=True