Fix Bandit checker on CI

[tisnik]

Summary by CodeRabbit

• Chores
  • Updated security scanning workflow to use the latest maintained action and refined configuration for clearer target selection.
  • Adjusted permissions to enable proper reporting of security findings within CI.
  • Simplified inputs and removed legacy options to streamline scans and reduce noise.
  • Improved reliability of continuous security checks during pull requests and main branch builds.

[coderabbitai]

Walkthrough

The Bandit GitHub Actions workflow was updated to change the action source, adjust inputs, and set permissions. The action was switched to PyCQA/bandit-action@v1, inputs moved from path to targets with "src", and permissions now include security-events: write and actions: read.

Changes

Cohort / File(s)	Summary of Changes
CI Workflow — Bandit .github/workflows/bandit.yaml	- Switched action: mdegis/bandit-action@v1.0 → PyCQA/bandit-action@v1 - Updated inputs: path → targets: "src"; removed exit_zero - Added permissions: security-events: write, actions: read

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer
  participant GH as GitHub Actions Runner
  participant Bandit as PyCQA/bandit-action@v1

  Dev->>GH: Push/PR triggers bandit workflow
  GH->>Bandit: Run with targets="src"
  Note over Bandit: Analyzes Python code under src
  Bandit-->>GH: Report findings
  Note over GH: Requires permissions: actions: read, security-events: write

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

I thump my paws on CI ground,
New Bandit sails, a safer sound.
Targets set to "src" we seek,
Permissions primed, reports not meek.
With whiskered wit and YAML neat—
I hop through checks, secure and fleet. 🐇🔍

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9bf67fd and fbedcae.

📒 Files selected for processing (1)

• .github/workflows/bandit.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: mypy
• GitHub Check: Pylinter

🔇 Additional comments (1)

.github/workflows/bandit.yaml (1)

11-12: Permissions look correct for Code Scanning uploads.

security-events: write (required) and actions: read (needed for private repos) match the official guidance. Nothing to change here. (bandit.readthedocs.io, docs.github.com)

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbit in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbit in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbit gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbit read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbit help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbit ignore or @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbit summary or @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbit or @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[asamal4]

LGTM.. Thank You..

[VladimirKadlec]

Approving to not block the merge, but please consider the comment bellow.

[VladimirKadlec]

I'd add lsc_eval and lsc_agent_eval.