Adds security scanning with Bandit

.github/workflows/bandit.yml

@@ -46,7 +46,7 @@ jobs:
           # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
           # excluded_paths: # optional, default is DEFAULT
           # comma-separated list of test IDs to skip
-          # skips: # optional, default is DEFAULT
+          skips: B101 # skip assert_used warnings in test files
           # path to a .bandit file that supplies command line arguments
           # ini_path: # optional, default is DEFAULT
 

README.md

@@ -168,10 +168,49 @@ This project uses [pytest](https://pytest.org/) for testing. To run the tests:
    ```
 
 The test suite includes:
+
 - Unit tests for calendar parsing and analysis functions
 - Mock calendar data to ensure consistent test results
 - Validation of output format and statistics calculations
 
+### Security Scanning
+
+This project uses [Bandit](https://bandit.readthedocs.io/) for security vulnerability scanning. Bandit is automatically installed as a development dependency.
+
+1. Make sure you have the development dependencies installed:
+
+   ```bash
+   uv sync --group dev
+   ```
+
+2. Run security scan on the main application:
+
+   ```bash
+   bandit -r calendar_analyzer.py
+   ```
+
+3. Run security scan on test files (skipping assert warnings):
+
+   ```bash
+   bandit -r tests/ --skip B101
+   ```
+
+4. Run security scan on all Python files:
+
+   ```bash
+   bandit -r . --exclude tests/
+   ```
+
+The project's GitHub Actions workflow automatically runs Bandit security scans on all code. The configuration in `pyproject.toml` skips B101 (assert_used) warnings for test files since assertions are expected and appropriate in tests.
+
+**Security Features:**
+
+- No hardcoded secrets or credentials
+- Secure temporary file handling
+- Input validation for date formats
+- Safe file operations with proper error handling
+- No external network requests (local processing only)
+
 ### Dependency Management
 
 This project uses `uv` for fast and reliable dependency management with `pyproject.toml`. Dependencies are organized into:

cspell.json

@@ -2,16 +2,17 @@
     "version": "0.2",
     "language": "en",
     "words": [
+        "abirismyname",
         "astral",
         "calendars",
         "capsys",
         "cspell",
         "datetime",
         "dateutil",
-        "dtstart",
         "DTEND",
-        "gettz",
+        "dtstart",
         "Getchell",
+        "gettz",
         "ical",
         "icalendar",
         "icbu",
@@ -20,13 +21,15 @@
         "pylint",
         "pyproject",
         "pytest",
+        "SARIF",
         "sdist",
+        "shundor",
         "sqlite",
         "sqlitedb",
         "timezone",
         "uv",
-        "venv",
         "VCALENDAR",
+        "venv",
         "VEVENT"
     ],
     "ignorePaths": [

pyproject.toml

@@ -26,8 +26,13 @@ dev = [
     "isort>=6.0.1",
     "pytest>=8.2.1",
     "pytest-cov>=6.2.1",
+    "bandit>=1.8.5",
 ]
 
+[tool.bandit]
+# Skip assert_used (B101) warnings in test files since assertions are expected in tests
+skips = ["B101"]
+
 [build-system]
 requires = ["hatchling"]
 build-backend = "hatchling.build"