feat: add bandit security scanning to pre-commit hooks

heysamtexas · heysamtexas · commit fade87c43609 · 2025-08-15T23:52:21.000+02:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -14,9 +14,15 @@ repos:
   # Ruff version.
   rev: v0.12.4
   hooks:
-    # Run the linter.
-    - id: ruff
-      exclude: ruff.xml
-    # Run the formatter.
+    # Run the formatter first.
     - id: ruff-format
       exclude: ruff.xml
+    # Then run the linter.
+    - id: ruff
+      exclude: ruff.xml
+
+- repo: https://github.com/PyCQA/bandit
+  rev: 1.8.0
+  hooks:
+    - id: bandit
+      args: ['-c', 'pyproject.toml']
diff --git a/pyproject.toml b/pyproject.toml
@@ -38,6 +38,7 @@ dev = [
     "ruff==0.12.3",
     "pre-commit==4.2.0",
     "commitizen>=3.0.0",
+    "bandit==1.8.0",
 ]
 
 [tool.hatch.build.targets.wheel]
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ dev = [`
`38`	`38`	`"ruff==0.12.3",`
`39`	`39`	`"pre-commit==4.2.0",`
`40`	`40`	`"commitizen>=3.0.0",`
	`41`	`+ "bandit==1.8.0",`
`41`	`42`	`]`
`42`	`43`
`43`	`44`	`[tool.hatch.build.targets.wheel]`