fix: correct mypy paths and fix line length issues in security scripts

Author: Magic-Man-us

.github/workflows/ci.yml

@@ -56,7 +56,7 @@ jobs:
         run: uv run ruff check .
 
       - name: Typecheck (mypy)
-        run: uv run mypy src
+        run: uv run mypy python_project_deployment
 
       - name: Tests (pytest)
         run: uv run pytest --cov --cov-report=xml --cov-report=html
@@ -66,7 +66,7 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          if grep -R --line-number -E "\beval\(|\bexec\(|pickle\.loads|yaml\.load(?!_safe)|subprocess\.(Popen|call)" src/ tests/ || true; then
+          if grep -R --line-number -E "\beval\(|\bexec\(|pickle\.loads|yaml\.load(?!_safe)|subprocess\.(Popen|call)" python_project_deployment/ tests/ || true; then
             echo "⚠️ Potentially dangerous API usage detected. Please review." >&2
             exit 2
           fi

Makefile

@@ -29,7 +29,7 @@ lint:
 	uv run ruff check .
 
 type:
-	uv run mypy src
+	uv run mypy python_project_deployment
 
 format:
 	uv run ruff format .

python_project_deployment/templates/Makefile.j2

@@ -29,7 +29,7 @@ lint:
 	uv run ruff check .
 
 type:
-	uv run mypy src
+	uv run mypy {{ PKG }}
 
 format:
 	uv run ruff format .

scripts/security_bandit_check.py

@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+"""Check Bandit security scan results against threshold."""
+
+import json
+import os
+import sys
+from pathlib import Path
+
+
+def main() -> None:
+    """Check bandit results against SECURITY_FAIL_LEVEL threshold."""
+    fail_level = os.getenv("SECURITY_FAIL_LEVEL", "MEDIUM").upper()
+    severity_order = ["LOW", "MEDIUM", "HIGH"]
+
+    if fail_level not in severity_order:
+        print(f"Invalid SECURITY_FAIL_LEVEL: {fail_level}")
+        sys.exit(1)
+
+    threshold_index = severity_order.index(fail_level)
+
+    report_path = Path("bandit-report.json")
+    if not report_path.exists():
+        print("No bandit-report.json found, skipping.")
+        return
+
+    with report_path.open() as f:
+        data = json.load(f)
+
+    results = data.get("results", [])
+    issues_above_threshold = [
+        r for r in results if severity_order.index(r["issue_severity"]) >= threshold_index
+    ]
+
+    if issues_above_threshold:
+        msg = (
+            f"❌ Found {len(issues_above_threshold)} Bandit issues "
+            f"at or above {fail_level} severity:"
+        )
+        print(msg)
+        for issue in issues_above_threshold:
+            location = f"{issue['filename']}:{issue['line_number']}"
+            msg = f"  - {issue['issue_text']} ({issue['issue_severity']}) in {location}"
+            print(msg)
+        sys.exit(1)
+    else:
+        print(f"✅ No Bandit issues at or above {fail_level} severity.")
+
+
+if __name__ == "__main__":
+    main()

scripts/security_safety_check.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+"""Check Safety security scan results for vulnerabilities."""
+
+import json
+import sys
+from pathlib import Path
+
+
+def main() -> None:
+    """Check safety results for any vulnerabilities."""
+    report_path = Path("safety-report.json")
+    if not report_path.exists():
+        print("No safety-report.json found, skipping.")
+        return
+
+    with report_path.open() as f:
+        data = json.load(f)
+
+    vulnerabilities = data.get("vulnerabilities", [])
+
+    if vulnerabilities:
+        print(f"❌ Found {len(vulnerabilities)} Safety vulnerabilities:")
+        for vuln in vulnerabilities:
+            pkg = vuln.get("package_name", "Unknown")
+            issue = vuln.get("vulnerability", "Unknown issue")
+            print(f"  - {pkg}: {issue}")
+        sys.exit(1)
+    else:
+        print("✅ No Safety vulnerabilities found.")
+
+
+if __name__ == "__main__":
+    main()