Security scanning is not enforced in CI/CD. Bandit (Python security linter) has been added as a dev dependency but is not yet integrated into `make verify` because there are 13 outstanding security issues to fix:

- try-except-pass (silent exception suppression):
  - `src/ai_agents_metrics/commands.py:1014` (pricing loader)
  - `src/ai_agents_metrics/observability.py:267` (debug log fallback)
  - Fix: replace the bare `pass` with an explicit `= None` assignment, or add proper logging.
- SQL built with f-strings (B608):
  - `src/ai_agents_metrics/history_compare_store.py` (multiple lines)
  - `src/ai_agents_metrics/usage_backends.py:156`
  - These queries use `?` placeholders plus a separate params list, so they are safe from SQL injection. Fix: add `# nosec B608` inline comments, or rewrite without f-strings for clarity.

Current state: `make bandit` runs separately but is excluded from `make verify`.
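The following is an added example, not code from ai_agents_metrics: it shows the two finding types listed above (try-except-pass and B608 on f-string SQL) as the flagged pattern beside its fixed form, plus the inline `# nosec B105` suppression the issue asks for. The function names, the `usage` table, its rows and the `TOKEN_HEADER` constant are all constructed for the example.

```python
"""Added example, not code from ai_agents_metrics: the Bandit findings named in
the issue, shown as the flagged pattern next to its fixed form.
Function names, the `usage` table and its rows are constructed for this example.
"""
import json
import logging
import sqlite3
from typing import Optional

log = logging.getLogger(__name__)

# Bandit's B105 keys on the *variable name* (it contains "token"), not on the
# value. The string is an HTTP header name, so the finding is suppressed inline
# rather than globally, which keeps B105 live for a real password literal.
TOKEN_HEADER = "X-Api-Token"  # nosec B105


# --- try-except-pass: flagged form vs. fix -----------------------------------

def load_pricing_silent(raw: str) -> dict:
    """Flagged form: a parse failure is swallowed, the caller gets an empty
    table and nothing in the logs explains why prices are missing."""
    pricing: dict = {}
    try:
        pricing = json.loads(raw)
    except ValueError:
        pass  # silent suppression: this is what Bandit reports
    return pricing


def load_pricing(raw: str) -> Optional[dict]:
    """Fixed form: the fallback is an explicit assignment and the failure is
    logged, so the except body is no longer a bare pass."""
    try:
        pricing = json.loads(raw)
    except ValueError as exc:
        pricing = None  # explicit fallback instead of pass
        log.warning("pricing table unreadable, continuing without prices: %s", exc)
    return pricing


# --- B608: f-string SQL that is still parameterised --------------------------

ALLOWED_COLUMNS = frozenset({"model", "day"})


def build_sample_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (not real usage data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usage (model TEXT, day TEXT, tokens INTEGER)")
    conn.executemany(
        "INSERT INTO usage VALUES (?, ?, ?)",
        [("model-a", "2024-01-01", 100), ("model-a", "2024-01-02", 50),
         ("model-b", "2024-01-01", 7)],
    )
    return conn


def sum_tokens(conn: sqlite3.Connection, column: str, value: str) -> int:
    """Only an allow-listed column *name* is interpolated into the query text;
    the caller-supplied value travels in the params tuple. Bandit cannot tell
    the two apart and flags the f-string, hence the inline nosec."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported filter column: {column!r}")
    sql = f"SELECT SUM(tokens) FROM usage WHERE {column} = ?"  # nosec B608
    row = conn.execute(sql, (value,)).fetchone()
    return row[0] or 0


if __name__ == "__main__":
    conn = build_sample_db()
    print(sum_tokens(conn, "model", "model-a"))             # 150
    # A quote-breaking value is compared literally, so it matches no row.
    print(sum_tokens(conn, "model", "model-a' OR '1'='1"))  # 0
```

The allow-list on `column` is what makes the `# nosec B608` honest: without it the f-string would interpolate an unvetted identifier, and the suppression would be hiding a real finding rather than a false positive.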
- Add `# nosec B608` comments (safe patterns already in use)
- Add the `bandit` target to `make verify`
- Ensure `make verify` passes

`make bandit` runs with `--skip B404,B603,B607`. These are permanently skipped globally:
- B404 (`import subprocess`): the import itself is not a vulnerability; bandit treats it as an informational warning. Adding `# nosec` to every import line would be pure noise.
- B603 (`subprocess_without_shell_equals_true`): this rule fires when `shell=False` (the default and safer mode). It is the opposite of a real risk. No `shell=True` is used anywhere in this codebase.
- B607 (`start_process_with_partial_path`): all subprocess calls use standard system commands (git, python). Hardcoding full paths like `/usr/bin/git` would break portability without adding security in a developer tool context.

B105 (`hardcoded_password_string`) is not globally skipped; it must be suppressed inline with `# nosec B105` where it fires. This keeps the rule active for real cases (e.g. an actual password literal added in future) while documenting each suppression explicitly.
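As an added illustration (not the project's own Makefile), the wiring described above: a `bandit` target that carries the global skip list and a `verify` target that depends on it, so the scan gates the same command CI runs. It assumes the existing lint and test targets are named `lint` and `test`, that sources live under `src/`, and that bandit is installed from the dev dependencies in the active environment.

```makefile
# Added example, not the project's Makefile. Assumes targets `lint` and `test`
# already exist and that bandit is on PATH in the dev environment.
BANDIT_SKIPS := B404,B603,B607

.PHONY: bandit verify

# Exit status 0 only when no unsuppressed finding remains, so a new B105 hit
# or a stray try-except-pass fails the build instead of being reported quietly.
bandit:
	bandit -r src/ --skip $(BANDIT_SKIPS)

# Adding bandit as a prerequisite is what turns the scan into a gate.
verify: lint test bandit
```

Keeping the skip list in a single variable means the rationale above has one place to point at, and any future change to it shows up in review as a one-line diff.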
Done when:
- `make bandit` passes cleanly (exit 0)
- bandit is added to the `verify` target in the Makefile
- `make verify` passes end-to-end
None — can be picked up independently.