Security scan Bandit
Azahari Zaman edited this page Jun 27, 2026
Migrated from the paxman repository's docs/sprints/ folder as part of the Sprint 11 repo spring clean.
- Date: 2026-06-26
- Tool: bandit 1.9.4
- Python: 3.12.13
- Scope: `src/paxman/`
- Sprint: 9 — Production Hardening (D9.6)
- Config file: `pyproject.toml` (accepted by bandit, no `[tool.bandit]` section — default profile)
- Profile: default (all tests enabled, no exclusions)
- Lines scanned: 13,543
- Total findings: 0
- Fixed: 0
- Suppressed (false positive with `# nosec`): 0
- Documented (low/informational, no fix): 0
- Final status: CLEAN ✓
| ID | Severity | Confidence | File:Line | Description | Triage |
|---|---|---|---|---|---|

No findings identified.
```
$ uv run bandit -r src/paxman -c pyproject.toml
Test results:
	No issues identified.

Code scanned:
	Total lines of code: 13543
	Total lines skipped (#nosec): 0
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
Files skipped (0):
```
Fixes required: none. The codebase is clean on first scan.

`# nosec` suppressions: none. No `# nosec` annotations exist in `src/paxman/`.
- The codebase follows secure-by-default patterns per `SECURITY.md` and `AGENTS.md`:
  - No `subprocess` calls, no `pickle`, no `yaml.load`, no `tempfile`, no `exec`/`eval`
  - Secrets by reference only (no embedded API keys)
  - No raw PII in logs (`Policy.log_raw_input: bool = False`)
  - No `requests` or `urllib` usage in core (inference is V2; V1 ships a stub provider)
  - No
- Ruff `S` rules (flake8-bandit) are enabled in `pyproject.toml` — these catch many of the same patterns bandit checks, providing continuous security linting on every save
- Existing unit tests pass after this audit (no code changes were needed)
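The patterns listed above map directly onto bandit checks (`eval` is B307, `pickle` deserialisation is B301, hardcoded secrets fall under the B105-B107 family). The following is an added example, not paxman code, showing the hardened counterparts those notes imply: `ast.literal_eval` in place of `eval`, JSON in place of `pickle`, secrets read from the environment by name, and a log-redaction helper gated by a `log_raw_input` flag. The `Policy` dataclass here is a stand-in that mirrors only the one field the report cites; the real class, the `parse_literal`/`round_trip_json`/`secret_from_env`/`loggable_input` function names and the `PAXMAN_EXAMPLE_API_KEY` variable name are assumptions.

```python
"""Hardened counterparts of the patterns the audit reports as absent.

Added illustration, not code from the paxman repository.
"""
import ast
import hashlib
import json
import os
from dataclasses import dataclass


def parse_literal(text: str):
    """Parse a Python literal from untrusted text with ast.literal_eval.

    eval() would execute arbitrary code (bandit B307); literal_eval accepts
    only literal syntax and raises ValueError/SyntaxError on anything else,
    including function calls and attribute access.
    """
    return ast.literal_eval(text)


def round_trip_json(obj):
    """Serialise and restore a value with JSON instead of pickle.

    pickle.loads on attacker-controlled bytes can run arbitrary code
    (bandit B301); JSON decodes only into dicts, lists, strings, numbers,
    booleans and None, so the worst case is a ValueError on bad input.
    """
    return json.loads(json.dumps(obj))


def secret_from_env(name: str) -> str:
    """Fetch a secret by reference from the environment, never from source.

    Failing loudly when the variable is unset is deliberate: an empty
    default would let a misconfigured deployment run unauthenticated.
    """
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} is not set in the environment")
    return value


@dataclass(frozen=True)
class Policy:
    # Stand-in for the project's Policy; only the field the report cites is
    # reproduced here (assumption: the real class has more fields).
    log_raw_input: bool = False


def loggable_input(policy: Policy, raw: str) -> str:
    """Return the string that may be written to logs for an input.

    With the default policy only the length and a truncated SHA-256 are
    emitted, so PII in the raw text never reaches log storage while the
    digest still lets an operator correlate repeated inputs.
    """
    if policy.log_raw_input:
        return raw
    digest = hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]
    return f"<redacted len={len(raw)} sha256={digest}>"


if __name__ == "__main__":
    # Constructed sample input; a mail address stands in for PII.
    print(parse_literal("[1, 2, 'a']"))
    print(round_trip_json({"user": "alice", "roles": ["reader"]}))
    print(loggable_input(Policy(), "alice@example.com"))
    print(loggable_input(Policy(log_raw_input=True), "alice@example.com"))
```

Running the module under `bandit -r` produces no findings, which is the property the audit above records for `src/paxman/`; swapping `ast.literal_eval` for `eval` or `json` for `pickle` in the same file is enough to make both bandit and Ruff's `S` rules report it.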