fix: mixed lockfile strategy, strict bandit validation, B303 to B324,…

.github/scripts/validate_results.py

@@ -91,6 +91,7 @@ def validate_test(
     # --- Bandit findings ---
     expected_bandit = expected.get("bandit_findings", [])
     actual_rule_ids = {f["rule_id"] for f in bandit_findings}
+    expected_rule_ids = {e["rule_id"] for e in expected_bandit}
 
     if not expected_bandit and bandit_findings:
         errors.append(
@@ -100,6 +101,12 @@ def validate_test(
     for exp in expected_bandit:
         if exp["rule_id"] not in actual_rule_ids:
             errors.append(f"Bandit: expected {exp['rule_id']} not found in results")
+    if expected_bandit:
+        unexpected = sorted(actual_rule_ids - expected_rule_ids)
+        if unexpected:
+            errors.append(
+                f"Bandit: unexpected finding(s) not in expected set: {', '.join(unexpected)}"
+            )
 
     # --- pip-audit findings ---
     pip_audit_disabled = expected.get("pip_audit_disabled", False)

.github/workflows/01-requirements-flat.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 01-requirements-flat
           package_manager: requirements

.github/workflows/02-requirements-src-bandit.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 02-requirements-src-bandit
           package_manager: requirements

.github/workflows/03-requirements-multi-both.yml

@@ -16,13 +16,14 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 03-requirements-multi-both
           package_manager: requirements
           requirements_file: requirements.txt
           bandit_scan_dirs: src/,scripts/
           bandit_severity_threshold: high
           pip_audit_block_on: fixable
+          debug: 'true'
           post_pr_comment: ${{ github.event_name == 'pull_request' }}
           artifact_name: security-audit-03

.github/workflows/04-uv-flat.yml

@@ -15,14 +15,8 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.3.1
-
-      - name: Generate uv.lock
-        working-directory: 04-uv-flat
-        run: uv lock
-
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 04-uv-flat
           package_manager: uv

.github/workflows/05-uv-src-vuln.yml

@@ -15,19 +15,14 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.3.1
-
-      - name: Generate uv.lock
-        working-directory: 05-uv-src-vuln
-        run: uv lock
-
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 05-uv-src-vuln
           package_manager: uv
           bandit_scan_dirs: src/
           bandit_severity_threshold: high
           pip_audit_block_on: fixable
+          debug: 'true'
           post_pr_comment: ${{ github.event_name == 'pull_request' }}
           artifact_name: security-audit-05

.github/workflows/06-uv-multi-bandit.yml

@@ -15,19 +15,14 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.3.1
-
-      - name: Generate uv.lock
-        working-directory: 06-uv-multi-bandit
-        run: uv lock
-
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 06-uv-multi-bandit
           package_manager: uv
           bandit_scan_dirs: src/,scripts/
           bandit_severity_threshold: medium
           pip_audit_block_on: none
+          debug: 'true'
           post_pr_comment: ${{ github.event_name == 'pull_request' }}
           artifact_name: security-audit-06

.github/workflows/07-poetry-flat.yml

@@ -15,14 +15,13 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
-
-      - name: Generate poetry.lock
-        working-directory: 07-poetry-flat
-        run: poetry lock
+      - name: Install Poetry
+        uses: snok/install-poetry@972a0e78ffdebf9e98f6fe404b77831716cdd4aa # v1.4.0
+        with:
+          version: "1.8.5"
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 07-poetry-flat
           package_manager: poetry

.github/workflows/08-poetry-src-both.yml

@@ -15,19 +15,19 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
-
-      - name: Generate poetry.lock
-        working-directory: 08-poetry-src-both
-        run: poetry lock
+      - name: Install Poetry
+        uses: snok/install-poetry@972a0e78ffdebf9e98f6fe404b77831716cdd4aa # v1.4.0
+        with:
+          version: "1.8.5"
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 08-poetry-src-both
           package_manager: poetry
           bandit_scan_dirs: src/
           bandit_severity_threshold: medium
           pip_audit_block_on: all
-          post_pr_comment: ${{ github.event_name == 'pull_request' }} # post_pr_comment: false # Disable PR comments for testing purposes; set to true to enable
+          debug: 'true'
+          post_pr_comment: ${{ github.event_name == 'pull_request' }}
           artifact_name: security-audit-08

.github/workflows/09-pipenv-flat.yml

@@ -15,19 +15,16 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5
         with:
           python-version: '3.12'
 
       - name: Install pipenv
-        run: pip install pipenv
-
-      - name: Generate Pipfile.lock
-        working-directory: 09-pipenv-flat
-        run: pipenv install
+        run: pip install pipenv==2024.4.0
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 09-pipenv-flat
           package_manager: pipenv

.github/workflows/10-pipenv-multi-bandit.yml

@@ -15,19 +15,8 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: '3.12'
-
-      - name: Install pipenv
-        run: pip install pipenv
-
-      - name: Generate Pipfile.lock
-        working-directory: 10-pipenv-multi-bandit
-        run: pipenv install
-
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 10-pipenv-multi-bandit
           package_manager: pipenv

.github/workflows/11-requirements-root.yml

@@ -16,12 +16,13 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           package_manager: requirements
           requirements_file: 11-requirements-root/requirements.txt
           bandit_scan_dirs: 11-requirements-root
           bandit_severity_threshold: high
           pip_audit_block_on: fixable
+          debug: 'true'
           post_pr_comment: ${{ github.event_name == 'pull_request' }}
           artifact_name: security-audit-11

.github/workflows/12-uv-flat-bandit-only.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 12-uv-flat-bandit-only
           tools: bandit

.github/workflows/13-requirements-unfixable.yml

@@ -16,13 +16,14 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 13-requirements-unfixable
           package_manager: requirements
           requirements_file: requirements.txt
           bandit_scan_dirs: .
           bandit_severity_threshold: high
           pip_audit_block_on: fixable
+          debug: 'true'
           post_pr_comment: ${{ github.event_name == 'pull_request' }}
           artifact_name: security-audit-13

.github/workflows/14-uv-low-threshold.yml

@@ -16,7 +16,7 @@ jobs:
           persist-credentials: false
 
       - name: Run security audit
-        uses: lhoupert/action-python-security-auditing@6791db45b1aea51db705d38978ad62b855b34b32 # v0.4.3
+        uses: lhoupert/action-python-security-auditing@1791bce99627a60fd1a0985c0e8a6169ffc19005 # fix--add-additional-tests-pip-audit
         with:
           working_directory: 14-uv-low-threshold
           tools: bandit

03-requirements-multi-both/requirements.txt

@@ -1,3 +1,3 @@
 requests==2.25.0
-Pillow==9.0.0
+cryptography==38.0.0
 click==8.1.7

04-uv-flat/README.md

@@ -6,11 +6,6 @@
 
 ## What this tests
 
-- `uv export` correctly exports dependencies from `uv.lock`
 - Bandit scans the flat project directory
 - No bandit issues, no vulnerable deps
-
-## CI setup
-
-The workflow runs `uv lock` before the action to generate `uv.lock` from `pyproject.toml`.
-Lock file is not committed — generated fresh in CI.
+- `uv.lock` is **not committed** — tests the action's behaviour when no lockfile is present

05-uv-src-vuln/README.md

@@ -10,6 +10,7 @@
 - pip-audit detects the fixable CVE-2023-32681 in `requests==2.25.0`
 - Bandit finds no issues in clean code
 - Workflow fails due to pip-audit finding a fixable vulnerability
+- `uv.lock` is **committed** — required so pip-audit reliably resolves the pinned vulnerable version
 
 ## Intentional issues
 

05-uv-src-vuln/pyproject.toml

@@ -10,3 +10,6 @@ dependencies = [
 [build-system]
 requires = ["hatchling"]
 build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/uv_src_vuln"]

06-uv-multi-bandit/README.md

@@ -7,13 +7,14 @@
 ## What this tests
 
 - Bandit scans two directories via `bandit_scan_dirs: src/,scripts/`
-- MEDIUM severity threshold (lower than default HIGH) catches B303 and B506
+- MEDIUM severity threshold (lower than default HIGH) catches B324 and B506
 - `uv export` produces clean deps — no pip-audit failures
 - `pip_audit_block_on: none` ensures only bandit can fail this job
+- `uv.lock` is committed — tests the action with a pre-existing lockfile
 
 ## Intentional issues
 
 | File | Issue | Severity |
-|------|-------|---------|
+|------|-------|----------|
 | `src/parser.py` | B506: `yaml.load()` without Loader | MEDIUM |
-| `scripts/digest.py` | B303: `hashlib.md5()` | MEDIUM |
+| `scripts/digest.py` | B324: `hashlib.md5()` | MEDIUM |