run bandit, broaden test workflow filter, update readme

.github/workflows/bandit.yml

@@ -0,0 +1,58 @@
+name: Bandit
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    paths:
+      - "src/**"
+      - "pyproject.toml"
+      - "justfile"
+      - ".github/workflows/bandit.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  bandit-analysis:
+    name: Run Bandit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        id: sp
+        with:
+          python-version: '3.x'
+          allow-prereleases: true
+      - name: Install uv
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098
+        with:
+          enable-cache: false
+      - name: Install Just
+        uses: extractions/setup-just@f8a3cce218d9f83db3a2ecd90e41ac3de6cdfd9b
+
+      - name: Run Bandit
+        run: |
+          just bandit
+
+      - name: Upload analysis results
+        if: ${{ always() }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        with:
+          name: bandit-results
+          path: bandit.sarif
+          retention-days: 7
+
+      - name: Upload to code-scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98
+        with:
+          sarif_file: bandit.sarif

.github/workflows/test.yml

@@ -11,8 +11,8 @@ on:
   pull_request:
     branches: ['main']
     paths:
-      - "src/**/*.py"
-      - "tests/**/*.py"
+      - "src/**"
+      - "tests/**"
       - ".github/workflows/test.yml"
       - "pyproject.toml"
       - "justfile"

.gitignore

@@ -141,3 +141,5 @@ CLAUDE.md
 requirements-test*.txt
 constraints.txt
 zizmor.sarif
+bandit.sarif
+.ruff_cache

README.md

@@ -216,11 +216,11 @@ class Color(TextChoices):
 
 ## Database Support
 
-[![Postgres](https://img.shields.io/badge/Postgres-9.6%2B-blue)](https://www.postgresql.org/)
-[![MySQL](https://img.shields.io/badge/MySQL-5.7%2B-blue)](https://www.mysql.com/)
-[![MariaDB](https://img.shields.io/badge/MariaDB-10.2%2B-blue)](https://mariadb.org/)
+[![Postgres](https://img.shields.io/badge/Postgres-12%2B-blue)](https://www.postgresql.org/)
+[![MySQL](https://img.shields.io/badge/MySQL-8.0%2B-blue)](https://www.mysql.com/)
+[![MariaDB](https://img.shields.io/badge/MariaDB-10.4%2B-blue)](https://mariadb.org/)
 [![SQLite](https://img.shields.io/badge/SQLite-3.8%2B-blue)](https://www.sqlite.org/)
-[![Oracle](https://img.shields.io/badge/Oracle-18%2B-blue)](https://www.oracle.com/database/)
+[![Oracle](https://img.shields.io/badge/Oracle-21c%2B-blue)](https://www.oracle.com/database/)
 
 Like with [Django](https://www.djangoproject.com), [PostgreSQL](https://www.postgresql.org) is the preferred database for support. The full test suite is run against all combinations of currently supported versions of [Django](https://www.djangoproject.com), [Python](https://www.python.org), and [PostgreSQL](https://www.postgresql.org) as well as [psycopg3](https://pypi.org/project/psycopg) and [psycopg2](https://pypi.org/project/psycopg2). The other RDBMS supported by [Django](https://www.djangoproject.com) are also tested including [SQLite](https://www.sqlite.org), [MySQL](https://www.mysql.com), [MariaDB](https://mariadb.org) and [Oracle](https://www.oracle.com/database). For these RDBMS (with the exception of [Oracle](https://www.oracle.com/database), tests are run against the minimum and maximum supported version combinations to maximize coverage breadth.
 

SECURITY.md

@@ -2,6 +2,7 @@
 
 [![CodeQL](https://github.com/django-commons/django-enum/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/django-commons/django-enum/actions/workflows/github-code-scanning/codeql?query=branch:main)
 [![Zizmor](https://github.com/django-commons/django-enum/actions/workflows/zizmor.yml/badge.svg?branch=main)](https://docs.zizmor.sh/)
+[![Bandit](https://github.com/django-commons/django-enum/actions/workflows/bandit.yml/badge.svg?branch=main)](https://bandit.readthedocs.io)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/django-commons/django-enum/badge)](https://securityscorecards.dev/viewer/?uri=github.com/django-commons/django-enum)
 
 ## Supported Versions

justfile

@@ -210,6 +210,10 @@ fix *ENV:
     @just lint {{ ENV }}
     @just format {{ ENV }}
 
+# run bandit static security analysis
+bandit:
+    @just run --no-default-groups --group lint bandit -c pyproject.toml -r ./src -f sarif -o bandit.sarif
+
 # run all static checks
 check *ENV:
     @just check-lint {{ ENV }}

pyproject.toml

@@ -95,6 +95,29 @@ rest = ["djangorestframework>=3.14,<4.0"]
 "Code_of_Conduct" = "https://github.com/django-commons/django-enum/blob/main/CODE_OF_CONDUCT.md"
 
 
+[tool.bandit]
+targets = ["src"]
+exclude_dirs = [
+    "./tests",
+    "./example",
+    "./.venv",
+    "./doc",
+]
+
+skips = [
+    "B101",  # assert_used - assertions are fine in tests and Django code
+    "B110",  # Try, Except, Pass detected - these are intentional
+]
+
+# Severity level threshold
+# Options: LOW, MEDIUM, HIGH
+severity = "MEDIUM"
+
+# Confidence level threshold
+# Options: LOW, MEDIUM, HIGH
+confidence = "MEDIUM"
+
+
 [dependency-groups]
 docs = [
     "docutils>=0.21.2",
@@ -118,7 +141,8 @@ typing = [
 lint = [
     "ruff>=0.15.0", 
     "readme-renderer[md]>=43.0",
-    "doc8>=1.1.2"
+    "doc8>=1.1.2",
+    "bandit[toml,sarif]>=1.7.10"
 ]
 precommit = [
     "pre-commit>=3.5.0",