ci: add self-audtiting job in ci workflow

[lhoupert]

No description provided.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[github-actions]

Security Audit Report

View workflow run

Bandit — Static Security Analysis

Severity	Confidence	File	Line	Issue

| 🟢 LOW | HIGH | src/python_security_auditing/pr_comment.py | 6 | [B404] Consider possible security implications associated with the subprocess module. |
| 🟢 LOW | HIGH | src/python_security_auditing/pr_comment.py | 22 | [B607] Starting a process with a partial executable path |
| 🟢 LOW | HIGH | src/python_security_auditing/pr_comment.py | 22 | [B603] subprocess call - check for execution of untrusted input. |
| 🟢 LOW | HIGH | src/python_security_auditing/pr_comment.py | 62 | [B607] Starting a process with a partial executable path |
| 🟢 LOW | HIGH | src/python_security_auditing/pr_comment.py | 62 | [B603] subprocess call - check for execution of untrusted input. |
| 🟢 LOW | HIGH | src/python_security_auditing/pr_comment.py | 74 | [B607] Starting a process with a partial executable path |
| 🟢 LOW | HIGH | src/python_security_auditing/pr_comment.py | 74 | [B603] subprocess call - check for execution of untrusted input. |
| 🟢 LOW | HIGH | src/python_security_auditing/pr_comment.py | 87 | [B607] Starting a process with a partial executable path |
| 🟢 LOW | HIGH | src/python_security_auditing/pr_comment.py | 87 | [B603] subprocess call - check for execution of untrusted input. |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 6 | [B404] Consider possible security implications associated with the subprocess module. |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 32 | [B607] Starting a process with a partial executable path |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 32 | [B603] subprocess call - check for execution of untrusted input. |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 39 | [B607] Starting a process with a partial executable path |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 39 | [B603] subprocess call - check for execution of untrusted input. |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 42 | [B607] Starting a process with a partial executable path |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 42 | [B603] subprocess call - check for execution of untrusted input. |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 57 | [B607] Starting a process with a partial executable path |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 57 | [B603] subprocess call - check for execution of untrusted input. |
| 🟢 LOW | HIGH | src/python_security_auditing/runners.py | 112 | [B603] subprocess call - check for execution of untrusted input. |

19 issue(s) found, 0 at or above HIGH threshold.

pip-audit — Dependency Vulnerabilities

Package	Version	ID	Fix Versions	Description

| pygments | 2.19.2 | CVE-2026-4539 | none | A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file |

1 vulnerability/vulnerabilities found (0 fixable) across 1 package(s).

---

Result: ✅ No blocking issues found.