
Conversation

@acgetchell acgetchell commented Jul 4, 2025

Implements Bandit security scanning to identify potential vulnerabilities.

Includes Bandit as a development dependency and configures it to skip B101 (assert_used) warnings in test files where assertions are expected.

Updates the README with instructions on how to run Bandit locally, and adds a description of basic security features.

Also improves test file handling by using secure temporary file creation.

Summary by CodeRabbit

  • Documentation
    • Added a "Security Scanning" section to the README with instructions for using Bandit and a summary of security features.
  • Chores
    • Integrated Bandit security scanning into development dependencies and automated workflows.
    • Updated Bandit configuration to skip assertion warnings in test files.
  • Tests
    • Improved test security and isolation by centralizing temporary file creation and replacing hardcoded file paths with secure temporary files.
  • Style
    • Updated spelling configuration with new and reordered dictionary entries.

coderabbitai bot commented Jul 4, 2025

Warning

Rate limit exceeded

@acgetchell has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 11 minutes and 14 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between a7726ee and b83e65f.

📒 Files selected for processing (1)
  • .github/workflows/bandit.yml (1 hunks)

Walkthrough

The changes introduce Bandit security scanning into the project by updating development dependencies, adding configuration, and documenting its usage in the README. The GitHub Actions workflow is modified to skip specific Bandit warnings. Test files are updated to use securely generated temporary files instead of hardcoded paths, enhancing test isolation and security. Additionally, the spelling configuration file is updated with new and reordered words.

Changes

File(s) Change Summary
.github/workflows/bandit.yml Configured Bandit workflow to skip warnings for test ID B101 (assert_used).
README.md Added a "Security Scanning" section with Bandit usage instructions and listed security features.
pyproject.toml Added Bandit as a dev dependency and configured it to skip B101; no changes to public entities.
tests/test_calendar_analyzer.py Replaced hardcoded temp file paths with securely created temporary files in test cases; added helpers.
cspell.json Added new words and reordered existing entries in the spelling configuration.

Poem

In fields of code where rabbits scan,
Security checks now lead the plan.
Bandit skips the noisy shouts,
While temp files hop about.
README sings of safety bright—
No secrets lost, all files just right!
🐇🔒



codecov bot commented Jul 4, 2025

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 6

🧹 Nitpick comments (2)
.github/workflows/bandit.yml (1)

48-49: Fix trailing spaces and approve Bandit configuration.

The Bandit configuration correctly skips B101 (assert_used) warnings, which aligns with the pyproject.toml configuration and is appropriate for test files where assertions are expected.

Fix the trailing spaces flagged by YAMLlint:

-          # comma-separated list of test IDs to skip  
+          # comma-separated list of test IDs to skip
           skips: B101 # skip assert_used warnings in test files
README.md (1)

176-213: Excellent comprehensive security documentation.

The new "Security Scanning" section provides clear, actionable instructions for using Bandit and thoroughly documents the project's security features. This greatly enhances the project's security posture and developer experience.

Fix minor language issues for clarity:

-4. Run security scan on all Python files:
+4. Run a security scan on all Python files:
-The project's GitHub Actions workflow automatically runs Bandit security scans on all code. The configuration in `pyproject.toml` skips B101 (assert_used) warnings for test files since assertions are expected and appropriate in tests.
+The project's GitHub Actions workflow automatically runs Bandit security scans on all code. The configuration in `pyproject.toml` skips B101 (assert_used) warnings for test files, since assertions are expected and appropriate in tests.
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 36cbcd3 and b2a3004.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • .github/workflows/bandit.yml (1 hunks)
  • README.md (1 hunks)
  • pyproject.toml (1 hunks)
  • tests/test_calendar_analyzer.py (5 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
tests/test_calendar_analyzer.py (1)
calendar_analyzer.py (1)
  • main (327-399)
🪛 LanguageTool
README.md

[uncategorized] ~198-~198: You might be missing the article “a” here.
Context: ...it -r tests/ --skip B101 4. Run security scan on all Python files: bash ...

(AI_EN_LECTOR_MISSING_DETERMINER_A)


[uncategorized] ~204-~204: Possible missing comma found.
Context: ...ps B101 (assert_used) warnings for test files since assertions are expected and appro...

(AI_HYDRA_LEO_MISSING_COMMA)

🪛 YAMLlint (1.37.1)
.github/workflows/bandit.yml

[error] 48-48: trailing spaces

(trailing-spaces)

🪛 Ruff (0.11.9)
tests/test_calendar_analyzer.py

59-59: Use a context manager for opening files

(SIM115)


81-81: Use a context manager for opening files

(SIM115)


103-103: Use a context manager for opening files

(SIM115)


161-161: Use a context manager for opening files

(SIM115)


178-178: Use a context manager for opening files

(SIM115)


481-481: Use a context manager for opening files

(SIM115)

🪛 Pylint (3.3.7)
tests/test_calendar_analyzer.py

[refactor] 59-59: Consider using 'with' for resource-allocating operations

(R1732)


[refactor] 81-81: Consider using 'with' for resource-allocating operations

(R1732)


[refactor] 103-103: Consider using 'with' for resource-allocating operations

(R1732)


[refactor] 161-161: Consider using 'with' for resource-allocating operations

(R1732)


[refactor] 178-178: Consider using 'with' for resource-allocating operations

(R1732)


[refactor] 481-482: Consider using 'with' for resource-allocating operations

(R1732)

🪛 GitHub Actions: Pylint
tests/test_calendar_analyzer.py

[error] 15-17: pylint import-error: Unable to import 'icalendar', 'pandas', and 'dateutil'.


[error] 43-43: pylint too-many-branches: Too many branches (17/12).


[error] 110-112: pylint too-many-locals, too-many-branches, too-many-statements, and too-many-nested-blocks: Too many local variables (18/15), branches (20/12), statements (52/50), and nested blocks (7/5).


[error] 198-198: pylint too-many-locals: Too many local variables (16/15).


[error] 263-263: pylint too-many-locals: Too many local variables (18/15).


[error] 1-1: pylint missing-module-docstring: Missing module docstring.


[error] 4-9: pylint import-error: Unable to import 'pytest' and 'dateutil'.


[error] 13-13: pylint missing-function-docstring: Missing function or method docstring.


[warning] 58-58: pylint redefined-outer-name, reimported, import-outside-toplevel: Redefining and reimporting 'tempfile' outside toplevel.


[error] 59-59: pylint consider-using-with: Consider using 'with' for resource-allocating operations.


[warning] 80-80: pylint redefined-outer-name, reimported, import-outside-toplevel: Redefining and reimporting 'tempfile' outside toplevel.


[error] 81-81: pylint consider-using-with: Consider using 'with' for resource-allocating operations.


[warning] 102-103: pylint redefined-outer-name, reimported, import-outside-toplevel: Redefining and reimporting 'tempfile' outside toplevel; consider using 'with' for resource-allocating operations.


[warning] 160-165: pylint redefined-outer-name, reimported, import-outside-toplevel: Redefining and reimporting 'tempfile' and 'os' outside toplevel; consider using 'with' for resource-allocating operations.


[error] 178-178: pylint consider-using-with: Consider using 'with' for resource-allocating operations.


[warning] 265-265: pylint unspecified-encoding: Using open without explicitly specifying an encoding.


[warning] 351-352: pylint redefined-outer-name, reimported, import-outside-toplevel, unused-variable: Redefining and reimporting 'Path' outside toplevel; unused variable 'meetings'.


[warning] 423-423: pylint redefined-outer-name, reimported, import-outside-toplevel: Redefining and reimporting 'Path' outside toplevel.


[warning] 480-486: pylint redefined-outer-name, reimported, import-outside-toplevel: Redefining and reimporting 'tempfile' and 'os' outside toplevel; consider using 'with' for resource-allocating operations.


[warning] 529-529: pylint import-outside-toplevel: Import outside toplevel (time).


[warning] 766-766: pylint unused-argument: Unused argument 'capsys'.


[warning] 787-787: pylint redefined-outer-name, reimported, import-outside-toplevel: Redefining and reimporting 'datetime' outside toplevel.


[warning] 5-8: pylint wrong-import-order: Standard imports should be placed before third party imports (os, datetime.datetime, unittest.mock.patch, pathlib.Path).

🔇 Additional comments (3)
pyproject.toml (2)

29-29: LGTM: Bandit dependency added correctly.

The addition of bandit>=1.8.5 as a development dependency is appropriate for security scanning. The version constraint ensures a reasonably recent version with good functionality.


32-34: Excellent Bandit configuration for test files.

The [tool.bandit] configuration correctly skips B101 (assert_used) warnings, which is appropriate since assertions are expected and necessary in test files. This aligns well with the GitHub Actions workflow configuration.

tests/test_calendar_analyzer.py (1)

57-488: Excellent security improvement with temporary files.

The overall change from hardcoded paths like /tmp/dummy.ics to secure temporary files significantly improves the security posture and test isolation. This aligns perfectly with the PR's security scanning objectives and demonstrates good security practices.

Introduces helper functions for creating temporary files in tests, simplifying test setup and teardown.

This change improves code readability and reduces redundancy in the test suite by centralizing temporary file creation logic.
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
tests/test_calendar_analyzer.py (2)

114-117: Use helper function for consistency.

This manual temporary file creation should use the create_temp_dummy_file helper function for consistency with the rest of the codebase.

Apply this diff to use the helper function:

-    # Create a temporary dummy file path (secure alternative to mktemp)
-    import tempfile
-    dummy_file = tempfile.NamedTemporaryFile(suffix=".ics", delete=False)
-    dummy_path = dummy_file.name
-    dummy_file.close()
+    # Create a temporary dummy file path (secure alternative to mktemp)
+    dummy_path = create_temp_dummy_file()

188-196: Use helper function for consistency.

This manual temporary file creation should use the create_temp_dummy_file helper function for consistency with the rest of the codebase.

Apply this diff to use the helper function:

-    # Create a temporary dummy file path that doesn't exist
-    import tempfile
-    dummy_file = tempfile.NamedTemporaryFile(suffix=".ics", delete=False)
-    dummy_path = dummy_file.name
-    dummy_file.close()
-    # Remove the file to make it nonexistent (for this test)
-    import os
-    os.unlink(dummy_path)
+    # Create a temporary dummy file path that doesn't exist
+    dummy_path = create_temp_dummy_file()
+    # Remove the file to make it nonexistent (for this test)
+    os.unlink(dummy_path)
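Review bot: the hunk deletes the local `import os` but keeps `os.unlink(dummy_path)`, so the replacement only works if `os` is already imported at module level in tests/test_calendar_analyzer.py; confirm that before applying, otherwise the test fails with a NameError rather than exercising the nonexistent-path case.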
🧹 Nitpick comments (3)
tests/test_calendar_analyzer.py (3)

93-93: Remove unused import.

The tempfile import is unused since the test now uses the helper function.

-    import tempfile

135-135: Remove unused import.

The tempfile import is unused since the test now uses the helper function.

-    import tempfile

497-497: Remove unused import.

The tempfile import is unused since the test now uses the helper function.

-    import tempfile
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b2a3004 and b6bd857.

📒 Files selected for processing (2)
  • cspell.json (2 hunks)
  • tests/test_calendar_analyzer.py (14 hunks)
✅ Files skipped from review due to trivial changes (1)
  • cspell.json
🧰 Additional context used
🪛 Ruff (0.11.9)
tests/test_calendar_analyzer.py

44-44: Use a context manager for opening files

(SIM115)


93-93: tempfile imported but unused

Remove unused import: tempfile

(F401)


114-114: Use a context manager for opening files

(SIM115)


135-135: tempfile imported but unused

Remove unused import: tempfile

(F401)


190-190: Use a context manager for opening files

(SIM115)


497-497: tempfile imported but unused

Remove unused import: tempfile

(F401)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Analyze (python)
  • GitHub Check: test (3.12)
  • GitHub Check: test (3.13)
  • GitHub Check: test (3.9)
  • GitHub Check: test (3.11)
  • GitHub Check: test (3.10)
🔇 Additional comments (2)
tests/test_calendar_analyzer.py (2)

13-30: Helper function implementation looks good.

The create_temp_ics_file function properly uses a context manager and handles resource management correctly. This addresses the previous review comments about secure temporary file creation.


68-88: Excellent refactoring of test setup.

The conversion to use the create_temp_ics_file helper function greatly improves code maintainability and addresses the previous concerns about resource management and code duplication.

Adds docstrings to the tests.

Addresses potential issues and improves robustness.
@acgetchell
Owner Author

@coderabbitai full review


coderabbitai bot commented Jul 7, 2025

✅ Actions performed

Full review triggered.

@acgetchell acgetchell requested a review from Copilot July 7, 2025 23:13

Copilot AI left a comment


Pull Request Overview

This PR integrates Bandit security scanning into the project, updates test files to use secure temporary file helpers, and documents security setup in the README.

  • Added Bandit as a dev dependency and configured it to skip B101 in tests
  • Refactored tests to use create_temp_ics_file and create_temp_dummy_file helpers
  • Updated README and GitHub Actions workflow to include Bandit instructions

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.

File Description
tests/test_calendar_analyzer.py Refactored to use secure temp file helpers and added os.unlink calls in some tests
pyproject.toml Added Bandit dev dependency and [tool.bandit] config
cspell.json Added new words to spelling dictionary
README.md Added "Security Scanning" section with Bandit usage
.github/workflows/bandit.yml Enabled skipping B101 warnings in CI Bandit scans
Comments suppressed due to low confidence (1)

tests/test_calendar_analyzer.py:287

  • The indentation of this with block has changed and may misalign the nested statements, leading to an IndentationError. Ensure the block and its body are consistently indented.
    with open(output_path, 'r', encoding='utf-8') as f:

with tempfile.NamedTemporaryFile(suffix=".ics", mode="w+", delete=False) as tmp:
    tmp.write(ics_content)
    tmp.flush()
tmp_path = create_temp_ics_file(ics_content)
Copilot AI Jul 7, 2025


This test creates a temporary file but doesn't remove it. Add os.unlink(tmp_path) at the end to clean up and avoid leaking files.

with tempfile.NamedTemporaryFile(suffix=".ics", mode="w+", delete=False) as tmp:
    tmp.write(ics_content)
    tmp.flush()
tmp_path = create_temp_ics_file(ics_content)
Copilot AI Jul 7, 2025


Temporary files created here are not cleaned up after the test. Consider adding os.unlink(tmp_path) at the end of the test to ensure proper cleanup.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (6)
tests/test_calendar_analyzer.py (3)

32-35: Unnecessary flush() inside a with block

tmp.flush() is redundant; the file is automatically flushed and closed on exit from the context manager.

-        tmp.write(content)
-        tmp.flush()
-        return tmp.name
+        tmp.write(content)
+        return tmp.name
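Review bot: dropping `tmp.flush()` is correct only because `return tmp.name` sits inside the with block, so returning leaves the block and closes the handle (which flushes it) before any caller opens the returned path; if this helper is later reshaped so the return happens before the block exits, the flush has to come back.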

74-94: Temporary artefacts leak into the test runner’s /tmp

test_analyze_mock_ics (and a few similar tests) create an ICS file via create_temp_ics_file but never delete it, while other tests remember to os.unlink(...). The suite therefore leaves stray files behind, which can eventually fill the tmpfs on long-running CI agents.

Add a try/finally or use tmp_path_factory/tmp_path fixtures to guarantee cleanup.

Also applies to: 295-298


50-52: create_temp_dummy_file still leaves an empty file on disk

If the intent is to obtain a non-existent path, delete the file inside the helper:

     with tempfile.NamedTemporaryFile(suffix=suffix, delete=False) as dummy_file:
         dummy_path = dummy_file.name
-    return dummy_path
+    os.unlink(dummy_path)
+    return dummy_path
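Review bot: unlinking inside the helper reintroduces the mktemp-style race the PR set out to remove: between `os.unlink(dummy_path)` and the moment the test uses the name, another process can create a file at that path, so the "secure alternative to mktemp" comment used elsewhere in this file would no longer hold. For tests that only need an absent path this is tolerable, but a name inside a fresh `tempfile.mkdtemp()` directory is absent and cannot be claimed by anyone else; that would be the safer shape for this helper.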

That removes the need for ad-hoc os.unlink() calls scattered through the tests.

README.md (1)

198-205: Minor grammar / punctuation issues in new “Security Scanning” section

Consider:
“Run a security scan on all Python files” and add a comma after “warnings”.

Not blocking, just polishing.

cspell.json (2)

5-6: Questionable inclusion of highly project-specific term
"abirismyname" looks like a one-off handle rather than a domain term. Carrying personal / arbitrary nicknames in the global word list pollutes the dictionary for every contributor.

If the word is only needed in a single test or comment, consider:

  1. Removing it from cspell.json, and
  2. Instead adding an inline cspell:disable-line or a local .cspell.json in that component’s directory.

This keeps the shared dictionary focused and maintainable.


24-27: Verify necessity of “SARIF” vs. “shundor” additions
SARIF is security-related and makes sense. ✅
shundor appears non-English/slang; confirm it’s used in code or docs. If it’s only in a commit message or personal comment, omit it for the same cleanliness reasons as above.

While touching this section, you may also want to keep the list alphabetically sorted—helps avoid accidental duplicates and eases future diffs (optional).

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 36cbcd3 and a7726ee.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (5)
  • .github/workflows/bandit.yml (1 hunks)
  • README.md (1 hunks)
  • cspell.json (2 hunks)
  • pyproject.toml (1 hunks)
  • tests/test_calendar_analyzer.py (15 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/bandit.yml

[error] 48-48: trailing spaces

(trailing-spaces)

🪛 LanguageTool
README.md

[uncategorized] ~198-~198: You might be missing the article “a” here.
Context: ...it -r tests/ --skip B101 4. Run security scan on all Python files: bash ...

(AI_EN_LECTOR_MISSING_DETERMINER_A)


[uncategorized] ~204-~204: Possible missing comma found.
Context: ...ps B101 (assert_used) warnings for test files since assertions are expected and appro...

(AI_HYDRA_LEO_MISSING_COMMA)

🔇 Additional comments (1)
pyproject.toml (1)

29-34: Confirm Bandit Version & Move Skip Configuration
I wasn’t able to fetch the latest Bandit release due to SSL errors—please confirm the current PyPI version and update the constraint accordingly. Note that Bandit ≤1.7.x does not support [tool.bandit] in pyproject.toml, so your skip list will be ignored.

  • File: pyproject.toml
    Lines: 29–34
  • Proposed diff:
    -    "bandit>=1.8.5",
    +    "bandit>=1.7.7",  # or the latest confirmed version
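Review bot: the proposed `"bandit>=1.7.7"` contradicts the sentence above it, which says Bandit ≤1.7.x ignores `[tool.bandit]` in pyproject.toml; lowering the floor to 1.7.7 would admit exactly those versions and silently drop the B101 skip. Keep `>=1.8.5` (or whichever version is confirmed to read pyproject.toml) rather than loosening the constraint.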
  • Move the skip list into a .bandit file or invoke Bandit with --skip B101 in your CI/local scripts to ensure B101 is actually skipped.
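Taking up the two temporary-file points raised in the review above (ICS files that leak because some tests never call os.unlink, and a "nonexistent path" helper that creates a file only to delete it), here is an added example of how such helpers can be written; this is illustrative code written for this page, not the project's test file. The names `create_temp_ics_file`, `temp_ics_file` and `nonexistent_temp_path` are assumptions: the first matches the helper name the review mentions, but the body here is not the repository's.

```python
"""Temporary-file helpers for a test suite (added example, not project code).

Covers: (1) the caller owns cleanup of a delete=False file, so a context
manager that unlinks in `finally` is safer than a trailing os.unlink();
(2) a path that must not exist should come from a private directory,
not from creating and then unlinking a file, which is the mktemp race.
"""
import os
import stat
import tempfile
from contextlib import contextmanager
from typing import Dict, Iterator


def create_temp_ics_file(content: str, suffix: str = ".ics") -> str:
    """Write content to a newly created temp file and return its path.

    The OS creates the file atomically under a random name, so no other
    process can have pre-created it. delete=False keeps the file after the
    with block; the caller owns its removal. No flush() is needed: leaving
    the block closes the handle, which flushes it.
    """
    with tempfile.NamedTemporaryFile(
        suffix=suffix, mode="w", encoding="utf-8", delete=False
    ) as tmp:
        tmp.write(content)
        return tmp.name


@contextmanager
def temp_ics_file(content: str) -> Iterator[str]:
    """Context-manager form that removes the file even if the test fails."""
    path = create_temp_ics_file(content)
    try:
        yield path
    finally:
        if os.path.exists(path):  # a test may legitimately delete it itself
            os.unlink(path)


@contextmanager
def nonexistent_temp_path(suffix: str = ".ics") -> Iterator[str]:
    """Yield a path that does not exist, without a create-then-unlink race.

    mkdtemp() creates a directory readable only by the current user
    (mode 0o700), so a name inside it cannot be taken by another process
    between this call and the test's use of the path.
    """
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "missing" + suffix)
    try:
        yield path
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(directory)


def demo() -> Dict[str, bool]:
    """Exercise the helpers once and report what was observed."""
    sample = "BEGIN:VCALENDAR\nEND:VCALENDAR\n"  # constructed sample, not real data
    seen: Dict[str, bool] = {}

    # 1. Plain helper: content round-trips, but the file is left behind.
    path = create_temp_ics_file(sample)
    with open(path, encoding="utf-8") as handle:
        seen["content_roundtrip"] = handle.read() == sample
    seen["leaks_without_cleanup"] = os.path.exists(path)
    os.unlink(path)

    # 2. Context-manager form: present inside the block, gone afterwards.
    with temp_ics_file(sample) as managed:
        seen["present_inside_with"] = os.path.isfile(managed)
    seen["removed_after_with"] = not os.path.exists(managed)

    # 3. Absent path inside a private directory; directory removed afterwards.
    with nonexistent_temp_path() as missing:
        parent = os.path.dirname(missing)
        seen["path_is_absent"] = not os.path.exists(missing)
        seen["parent_is_private"] = stat.S_IMODE(os.stat(parent).st_mode) == 0o700
    seen["parent_removed"] = not os.path.exists(parent)
    return seen


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In a pytest suite the same guarantee comes for free from the `tmp_path` fixture the review mentions, since pytest owns and prunes that directory; the context managers above are for suites that want explicit control over the file's lifetime.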

Comment on lines 48 to 50
# comma-separated list of test IDs to skip
skips: B101 # skip assert_used warnings in test files
# path to a .bandit file that supplies command line arguments

🛠️ Refactor suggestion

YAML-lint failure: trailing whitespace & blanket B101 skip

  1. Line 48 contains trailing spaces – flagged by yamllint.
  2. Skipping B101 for the whole repo hides assert misuse in production code. Prefer two jobs:
    • scan tests/ with --skip B101
    • scan everything else without the skip.
-          # comma-separated list of test IDs to skip  
-          skips: B101 # skip assert_used warnings in test files
+          # comma-separated list of test IDs to skip
+          skips: B101
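Review bot: the diff only strips the trailing whitespace and the inline comment; `skips: B101` still applies to every path this workflow scans, so point 2 above (a separate scan of tests/ with the skip and of the rest of the code without it) is not addressed by this hunk and needs a second job that runs Bandit on the non-test code without `--skip B101`. Dropping the comment also removes the only statement of why the skip exists; keep it or move the reasoning into the job name.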

🤖 Prompt for AI Agents
In .github/workflows/bandit.yml around lines 48 to 50, remove the trailing
whitespace on line 48 to fix the yamllint error. Instead of skipping B101
globally, split the Bandit scan into two separate jobs: one scanning the tests/
directory with the B101 skip enabled, and another scanning the rest of the
codebase without skipping B101, to ensure assert misuse is detected in
production code.

@acgetchell acgetchell merged commit 53248a5 into main Jul 7, 2025
1 check passed
@acgetchell acgetchell deleted the fix/codescanning branch July 7, 2025 23:24