
ci(security): add Bandit static analysis workflow. #365

Open
kefaslungu wants to merge 3 commits into EAPD-DRB:main from kefaslungu:feature/58-bandit-security-scan

Conversation

@kefaslungu

Linked issue

Existing related work reviewed

Overlap assessment

Why this PR should proceed

  • The codebase has no automated security analysis. Every PR to main currently
    merges without any check for high-severity Python vulnerabilities.
  • This workflow catches real issues: one High (B201 flask debug=True) and two
    Medium (B104 hardcoded bind-all-interfaces) were found in the existing
    codebase during development of this PR.
  • SARIF output integrates directly with GitHub's Security tab, surfacing
    findings inline on future PRs without requiring contributors to read logs.

Summary

  • What changed:
    • .github/workflows/bandit.yml — Bandit security scan workflow triggered on
      push/PR to main and manually via workflow_dispatch. Fails on High severity,
      reports Medium/Low as non-blocking. Outputs SARIF to GitHub Security tab
      and uploads full report as artifact. Bandit and formatter versions pinned.
      Pip dependencies cached.
    • API/app.py — added # nosec B201 to suppress the known, accepted High
      finding in the dev-only Flask fallback path.
    • .gitignore — added *.sarif to exclude generated scan artifacts.
  • Why: Establishes a security baseline and ensures all future PRs are
    automatically scanned for high-severity Python vulnerabilities.

Validation

  • Tests added/updated (not applicable — workflow validated locally)
  • Validation steps documented
  • Evidence attached (logs/screenshots/output as relevant)

Local validation:

  • bandit -r API/ --severity-level high → exit 0, no issues after nosec annotation

  • bandit -r API/ --severity-level low → exit 1 (findings exist), handled correctly

  • Both SARIF files verified as valid JSON

  • Docs updated in this PR (not applicable)

  • Any setup/workflow changes reflected in repo docs (workflow is self-documenting)

Scope check

  • No unrelated refactors
  • Implemented from a feature branch (feature/58-bandit-security-scan)
  • Change is deliverable without upstream OSeMOSYS/MUIO dependency
  • Base repo/branch is EAPD-DRB/MUIOGO:main (not upstream)

Exception rationale

  • Leave blank otherwise.

Signed-off-by: kefaslungu <jameskefaslungu@gmail.com>
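The severity policy the PR describes (fail the job on High only, report Medium and Low without blocking) written out as a gate over Bandit's JSON output. This is an added example, not the PR's workflow file or the project's code. The report embedded below is a constructed sample: the field names are those of Bandit's JSON formatter, but the file names, line numbers and counts are made up, and the blocking set is an assumption taken from the PR description.

```python
"""Severity gate over a Bandit JSON report.

Added example, not the PR's workflow or the project's code. It encodes the
policy the PR describes (fail on High severity, report Medium/Low as
non-blocking) as one reviewable function, and also surfaces the number of
lines hidden by ``# nosec`` so accepted suppressions stay visible in the log.
"""
import json
import sys
from collections import Counter

# Policy assumed from the PR description: only HIGH findings block the job.
BLOCKING_SEVERITIES = frozenset({"HIGH"})
SEVERITY_ORDER = ("HIGH", "MEDIUM", "LOW")

# Constructed sample in the shape of ``bandit -f json`` output. The field
# names are Bandit's; the file names, line numbers and counts are made up.
SAMPLE_REPORT = {
    "results": [
        {"test_id": "B104", "test_name": "hardcoded_bind_all_interfaces",
         "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
         "filename": "API/app.py", "line_number": 12,
         "issue_text": "Possible binding to all interfaces."},
        {"test_id": "B104", "test_name": "hardcoded_bind_all_interfaces",
         "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
         "filename": "API/app.py", "line_number": 48,
         "issue_text": "Possible binding to all interfaces."},
        {"test_id": "B201", "test_name": "flask_debug_true",
         "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
         "filename": "API/app.py", "line_number": 50,
         "issue_text": "A Flask app appears to be run with debug=True, "
                       "which exposes the Werkzeug debugger."},
    ],
    "metrics": {"_totals": {"loc": 240, "nosec": 0}},
}


def summarize(report):
    """Count findings per severity, always listing all three levels."""
    counts = Counter(r["issue_severity"].upper() for r in report.get("results", []))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def blocking_findings(report, blocking=BLOCKING_SEVERITIES):
    """Findings whose severity is in the blocking set."""
    return [r for r in report.get("results", [])
            if r["issue_severity"].upper() in blocking]


def gate(report, blocking=BLOCKING_SEVERITIES):
    """Return (exit_code, log_lines).

    exit_code is 1 only if a blocking-severity finding exists; every finding
    is still listed so Medium/Low issues appear in the job log without
    failing it.
    """
    summary = summarize(report)
    lines = ["Bandit summary: " + ", ".join(f"{s}={n}" for s, n in summary.items())]
    nosec = report.get("metrics", {}).get("_totals", {}).get("nosec", 0)
    if nosec:
        # Suppressed lines never reach ``results``; keep the count visible so
        # a newly added ``# nosec`` cannot silently hide a High finding.
        lines.append(f"note: {nosec} line(s) suppressed with # nosec; review them")
    for r in report.get("results", []):
        tag = "BLOCK" if r["issue_severity"].upper() in blocking else "warn "
        lines.append(f"[{tag}] {r['test_id']} {r['issue_severity']:<6} "
                     f"{r['filename']}:{r['line_number']}  {r['issue_text']}")
    exit_code = 1 if blocking_findings(report, blocking) else 0
    return exit_code, lines


def main(argv):
    """Read a report path from argv, or fall back to the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    code, lines = gate(report)
    print("\n".join(lines))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run Bandit once with `bandit -r API/ -f json -o bandit.json --exit-zero` and let this script decide the exit status; that way a single scan produces both the full report for the artifact and the gate decision, instead of the two separate `--severity-level` runs used in the local validation above, and the blocking threshold is one named constant rather than a CLI flag spread across steps.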