Initial commit: reusable Python security auditing GitHub Action

Composite action running bandit + pip-audit with PR comment reporting.
Includes SHA-pinned dependencies, zizmor CI job, Dependabot config,
and pre-commit hooks for zizmor and bandit.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: lhoupert

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "ci"
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: "deps"

.github/workflows/ci.yml

@@ -0,0 +1,40 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        with:
+          python-version: '3.13'
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
+
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        with:
+          python-version: '3.13'
+      - name: Install package and dev dependencies
+        run: pip install -e ".[dev]"
+      - name: Run tests
+        run: pytest
+
+  zizmor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        with:
+          python-version: '3.13'
+      - name: Install zizmor
+        run: pip install zizmor
+      - name: Run zizmor
+        run: zizmor --min-severity medium .github/

.github/workflows/release-please.yml

@@ -0,0 +1,30 @@
+name: Release Please
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+        id: release
+        with:
+          release-type: python
+
+      # Move major version tag (e.g. v1) after a release is cut
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        if: ${{ steps.release.outputs.release_created }}
+      - name: Tag major version
+        if: ${{ steps.release.outputs.release_created }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git tag -fa "v${{ steps.release.outputs.major }}" \
+            -m "Release v${{ steps.release.outputs.tag_name }}"
+          git push origin "v${{ steps.release.outputs.major }}" --force

.gitignore

@@ -0,0 +1,16 @@
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+.venv/
+venv/
+.mypy_cache/
+.ruff_cache/
+.pytest_cache/
+*.egg
+MANIFEST
+bandit-report.json
+pip-audit-report.json
+*-requirements.txt
+.claude/

.pre-commit-config.yaml

@@ -0,0 +1,27 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.5.0
+    hooks:
+      - id: ruff
+        args: [--fix]
+      - id: ruff-format
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.10.0
+    hooks:
+      - id: mypy
+        additional_dependencies:
+          - pydantic-settings>=2.0
+          - bandit>=1.8
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
+        args: [--min-severity, medium]
+
+  - repo: https://github.com/PyCQA/bandit
+    rev: '1.9.4'
+    hooks:
+      - id: bandit
+        args: [-r, src/]

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Loïc Houpert
+Copyright (c) 2024 Development Seed
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -0,0 +1,67 @@
+# python-security-auditing
+
+Reusable GitHub Action that runs [bandit](https://bandit.readthedocs.io/) and [pip-audit](https://pypi.org/project/pip-audit/) on any Python repository. Posts findings as a PR comment and fails the job when blocking issues are found.
+
+## Usage
+
+### Minimal (requirements.txt project)
+
+```yaml
+- uses: developmentseed/python-security-auditing@v1
+```
+
+### uv-based project
+
+```yaml
+- uses: developmentseed/python-security-auditing@v1
+  with:
+    package_manager: uv
+    bandit_scan_dirs: 'src/,scripts/'
+```
+
+### Poetry project, stricter thresholds
+
+```yaml
+- uses: developmentseed/python-security-auditing@v1
+  with:
+    package_manager: poetry
+    bandit_severity_threshold: MEDIUM
+    pip_audit_block_on: all
+```
+
+### Bandit only (no dependency audit)
+
+```yaml
+- uses: developmentseed/python-security-auditing@v1
+  with:
+    tools: bandit
+    bandit_scan_dirs: 'src/'
+```
+
+## Inputs
+
+| Input | Default | Description |
+|---|---|---|
+| `tools` | `bandit,pip-audit` | Comma-separated tools to run |
+| `bandit_scan_dirs` | `.` | Comma-separated directories for bandit to scan |
+| `bandit_severity_threshold` | `HIGH` | Minimum severity that blocks the job: `HIGH`, `MEDIUM`, or `LOW` |
+| `pip_audit_block_on` | `fixable` | Block on: `fixable` (has a fix), `all`, or `none` |
+| `package_manager` | `requirements` | How to resolve deps: `uv`, `pip`, `poetry`, `pipenv`, `requirements` |
+| `requirements_file` | `requirements.txt` | Path when `package_manager=requirements` |
+| `post_pr_comment` | `true` | Post/update a PR comment with scan results |
+| `github_token` | `${{ github.token }}` | Token for PR comments |
+
+## Outputs
+
+- **Step summary** — written to the workflow run summary.
+- **PR comment** — upserted on every run (idempotent via `<!-- security-scan-results -->` marker).
+- **Artifacts** — `bandit-report.json` and `pip-audit-report.json` uploaded as `security-audit-reports`.
+- **Exit code** — non-zero when blocking issues are found.
+
+## Development
+
+```bash
+pip install -e ".[dev]"
+pytest
+pre-commit run --all-files
+```

action.yml

@@ -0,0 +1,76 @@
+name: Python Security Auditing
+description: Run bandit and pip-audit security scans on Python code and report findings
+author: Development Seed
+
+inputs:
+  tools:
+    description: Comma-separated tools to run (bandit, pip-audit)
+    default: bandit,pip-audit
+  bandit_scan_dirs:
+    description: Comma-separated directories for bandit to scan
+    default: .
+  bandit_severity_threshold:
+    description: Minimum bandit severity that blocks the job (HIGH, MEDIUM, LOW)
+    default: HIGH
+  pip_audit_block_on:
+    description: When to block on pip-audit findings — fixable, all, or none
+    default: fixable
+  package_manager:
+    description: How to resolve dependencies for pip-audit (uv, pip, poetry, pipenv, requirements)
+    default: requirements
+  requirements_file:
+    description: Path to requirements file when package_manager=requirements
+    default: requirements.txt
+  post_pr_comment:
+    description: Post or update a PR comment with the scan results
+    default: 'true'
+  github_token:
+    description: GitHub token used for posting PR comments
+    default: ${{ github.token }}
+  working_directory:
+    description: Directory to run the audit from (useful when the project is in a subdirectory)
+    default: '.'
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      with:
+        python-version: '3.13'
+
+    - name: Install python-security-auditing
+      shell: bash
+      run: pip install "${{ github.action_path }}"
+
+    - name: Run security audit
+      id: audit
+      shell: bash
+      continue-on-error: true
+      working-directory: ${{ inputs.working_directory }}
+      env:
+        TOOLS: ${{ inputs.tools }}
+        BANDIT_SCAN_DIRS: ${{ inputs.bandit_scan_dirs }}
+        BANDIT_SEVERITY_THRESHOLD: ${{ inputs.bandit_severity_threshold }}
+        PIP_AUDIT_BLOCK_ON: ${{ inputs.pip_audit_block_on }}
+        PACKAGE_MANAGER: ${{ inputs.package_manager }}
+        REQUIREMENTS_FILE: ${{ inputs.requirements_file }}
+        POST_PR_COMMENT: ${{ inputs.post_pr_comment }}
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+      run: python -m python_security_auditing
+
+    - name: Upload audit reports
+      if: always()
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: security-audit-reports
+        path: |
+          ${{ inputs.working_directory }}/bandit-report.json
+          ${{ inputs.working_directory }}/pip-audit-report.json
+        if-no-files-found: ignore
+
+    - name: Fail if blocking issues found
+      if: steps.audit.outcome == 'failure'
+      shell: bash
+      run: exit 1

pyproject.toml

@@ -0,0 +1,40 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "python-security-auditing"
+version = "0.1.0"
+description = "Reusable GitHub Action for Python security auditing with bandit and pip-audit"
+license = { text = "MIT" }
+requires-python = ">=3.11"
+dependencies = [
+    "pydantic-settings>=2.0",
+    "bandit>=1.8",
+    "pip-audit>=2.7",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=8.0",
+    "pytest-mock>=3.14",
+    "mypy>=1.0",
+    "ruff>=0.5",
+    "types-requests",
+]
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/python_security_auditing"]
+
+[tool.ruff]
+line-length = 100
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP"]
+
+[tool.mypy]
+python_version = "3.11"
+strict = true
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

src/python_security_auditing/__init__.py

@@ -0,0 +1 @@
+"""Python Security Auditing — bandit + pip-audit GitHub Action."""