From 2af9baeec9b4f0c49dd9b79504a72231e68be577 Mon Sep 17 00:00:00 2001
From: Khushal Malhotra
Date: Fri, 27 Feb 2026 16:08:26 +0530
Subject: [PATCH 1/2] feat: Add bandit security pre-commit hook and documentation
- Add bandit pre-commit hook to scan Python scripts for security issues
- Configure bandit to scan scripts/ directory with medium severity and high confidence
- Fix XML parsing vulnerability in convert.py by using defusedxml
- Update bandit to version 1.9.4 for Python 3.14 compatibility
- Add documentation for security scanning under Contributing to Development section
Security improvements:
- Replaces unsafe xml.etree.ElementTree.parse with defusedxml.ElementTree.parse
- Prevents XML external entity (XXE) attacks
- Bandit hook will catch future security regressions
Signed-off-by: Khushal Malhotra
---
 .pre-commit-config.yaml | 42 ++++++++++++++++++++++++-----------------
 README.md | 10 ++++++++++
 scripts/convert.py | 3 ++-
 3 files changed, 37 insertions(+), 18 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0ef0fe842..3246cca84 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,18 +1,26 @@
 repos:
-- repo: https://github.com/gitleaks/gitleaks
- rev: v8.16.3
- hooks:
- - id: gitleaks
-- repo: https://github.com/jumanjihouse/pre-commit-hooks
- rev: 3.0.0
- hooks:
- - id: shellcheck
-- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
- hooks:
- - id: end-of-file-fixer
- - id: trailing-whitespace
-- repo: https://github.com/pylint-dev/pylint
- rev: v2.17.2
- hooks:
- - id: pylint
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+ - repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+ - repo: https://github.com/pylint-dev/pylint
+ rev: v2.17.2
+ hooks:
+ - id: pylint
+ - repo: https://github.com/PyCQA/bandit
+ rev: 1.9.4
+ hooks:
+ - id: bandit
+ name: "Bandit security scan (Python scripts)"
+ args: ["-r", "--severity-level", "medium", "--confidence-level", "high"]
+ files: ^scripts/.*\.py$
+ exclude: ^tests/
diff --git a/README.md b/README.md
index e12a42453..b18233258 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,16 @@ Please read [README.md](./scripts/README.md)
 Please read [README.md](./scripts/README.md)
+### Security Scanning
+
+A Bandit pre-commit hook scans Python scripts for security issues on commit.
+It runs automatically via pre-commit (medium severity, high confidence).
+
+To run manually:
+```bash
+pre-commit run bandit --all-files
+```
+
 ### Building and Deploying the Cornucopia website
 https://cornucopia.owasp.org contains the card browser for each of the cards in the cornucopia suits together with the taxonomy and in depth explaination for each of the cards in the suits.
diff --git a/scripts/convert.py b/scripts/convert.py
index 2ea5e50f3..3759455f6 100644
--- a/scripts/convert.py
+++ b/scripts/convert.py
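Review bot: The `exclude: ^tests/` line on the new bandit hook is dead configuration, because `files: ^scripts/.*\.py$` already limits the hook to paths under scripts/ and pre-commit anchors `^tests/` at the repository root, so no path can match both; drop it, or if the intent was to skip scripts/tests/, write `exclude: ^scripts/tests/`. Separately, `--confidence-level high` suppresses every finding bandit reports at medium confidence — string-built SQL (B608) and Flask `debug=True` (B201) are examples of medium-confidence checks — so a hook meant to catch regressions is better at `"--confidence-level", "medium"` with individual false positives silenced by a justified `# nosec B###` comment. The hook only sees staged files, so the repository should be baselined once with `pre-commit run bandit --all-files` before the hook is relied on. Re-indenting the four existing repos turns the hunk into a rewrite of the whole file; keeping the old indentation would leave only the eight bandit lines in the diff and keep the history readable.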
@@ -10,6 +10,7 @@ import yaml
 import zipfile
 import xml.etree.ElementTree as ElTree
+from defusedxml import ElementTree as DefusedElTree
 from typing import Any, Dict, List, Tuple, cast
 from operator import itemgetter
 from itertools import groupby
@@ -1126,7 +1127,7 @@ def _find_xml_elements(tree: Any) -> List[ElTree.Element]:
 def replace_text_in_xml_file(filename: str, replacement_values: List[Tuple[str, str]]) -> None:
 logging.debug(f" --- starting xml_replace for (unknown)")
 try:
- tree = ElTree.parse(filename)
+ tree = DefusedElTree.parse(filename)
 except Exception as e:
 logging.error(f"Failed to parse XML file (unknown): {e}")
 return
From cba5898520060aa4139974e1694b133ece46e4e2 Mon Sep 17 00:00:00 2001
From: Khushal Malhotra
Date: Fri, 27 Feb 2026 17:43:54 +0530
Subject: [PATCH 2/2] Add pre-commit installation steps to README for bandit setup
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/README.md b/README.md
index b18233258..d0ac57cca 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,12 @@ Please read [README.md](./scripts/README.md)
 ### Security Scanning
+First time setup:
+```bash
+pip install pre-commit
+pre-commit install
+```
+
 A Bandit pre-commit hook scans Python scripts for security issues on commit.
 It runs automatically via pre-commit (medium severity, high confidence).
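Review bot: The added `from defusedxml import ElementTree as DefusedElTree` introduces a third-party runtime dependency, but the diffstat lists only .pre-commit-config.yaml, README.md and scripts/convert.py, so nothing in this patch declares or pins defusedxml; unless it is already in a requirements file not shown here, convert.py will fail with ImportError on a fresh checkout and the package should be added to the scripts' requirements alongside this import. Keeping `import xml.etree.ElementTree as ElTree` is fine for the `ElTree.Element` annotation, but the commit message says the unsafe parser has been replaced while only one call site is in the patch, so any remaining `ElTree.parse`/`ElTree.fromstring` calls in the file should be checked; bandit's B314 runs at medium severity and high confidence, so the new hook should surface any left under scripts/.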
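Review bot: After switching to `DefusedElTree.parse`, a document that trips the defusedxml protections (entity expansion, external entities, DTD-based tricks) raises a `DefusedXmlException` subclass, and the unchanged `except Exception as e:` two lines below folds that into the generic "Failed to parse XML file" log line and a silent `return`, so a hostile or tampered template is indistinguishable from a malformed one in the logs. Catch it first and name the refusal: add `from defusedxml import DefusedXmlException` to the imports and an `except DefusedXmlException as e:` branch ahead of the broad handler that logs something like "Refused to parse XML file (blocked entity/external reference)" before returning, so an XXE attempt is visible rather than buried as a parse error. The body of replace_text_in_xml_file continues past the hunk, so whether the silent return is acceptable for callers cannot be judged from here.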