add bandit check; refactor tox config

.pre-commit-config.yaml

@@ -11,3 +11,9 @@ repos:
     rev: 23.7.0
     hooks:
       - id: black
+  - repo: https://github.com/PyCQA/bandit
+    rev: '1.7.5'
+    hooks:
+      - id: bandit
+        args: ["-c", "pyproject.toml"]
+        additional_dependencies: ["bandit[toml]"]

pyproject.toml

@@ -33,6 +33,7 @@ lint = [
     "pylint>=2.13.9",
     "types-PyYAML>=6.0.12.11",
     "mypy>=1.5.1",
+    "bandit[toml]>=1.7.5",
 ]
 
 [tool.pylint.main]
@@ -42,9 +43,11 @@ ignore-patterns = ["^\\.#"]
 no-docstring-rgx = "^(test)?_"
 
 [tool.pylint."messages control"]
-disable = ["raw-checker-failed", "bad-inline-option", "locally-disabled", "file-ignored", "suppressed-message", "useless-suppression", "deprecated-pragma", "use-symbolic-message-instead", "missing-module-docstring"]
-
+disable = ["raw-checker-failed", "bad-inline-option", "locally-disabled", "file-ignored", "suppressed-message", "useless-suppression", "deprecated-pragma", "use-symbolic-message-instead", "missing-module-docstring", "missing-function-docstring"]
 enable = ["c-extension-no-member"]
 
 [tool.pylint.variables]
 ignored-argument-names = "_.*|^ignored_|^unused_"
+
+[tool.bandit]
+exclude_dirs = ["tests", ".tox", ".venv"]

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-envlist = py{39,310,311,py39}
+envlist = pylint, mypy, bandit, py{39,310,311,py39}
 isolated_build = True  ; This is required for a pyproject.toml based project.
 
 [gh-actions]
@@ -13,5 +13,15 @@ groups =  ; Dependency groups in pyproject.toml
     dev
 commands =
     pytest --cov-report term-missing --cov-fail-under=100 --cov=operator_repo -v tests/
-    pylint --disable=missing-module-docstring,missing-function-docstring src
+
+[testenv:pylint]
+commands =
+    pylint src
+
+[testenv:mypy]
+commands =
     mypy --strict src tests
+
+[testenv:bandit]
+commands =
+    bandit -c pyproject.toml -r .