ci(sast): added Bandit

.github/workflows/lint.yml

@@ -33,6 +33,6 @@ jobs:
         run: |
           pip install poetry
           make install
-      - name: Run linter
+      - name: Run Flake8
         run: |
           poetry run flake8

.github/workflows/security.yml

@@ -0,0 +1,38 @@
+name: Security
+
+on:
+  workflow_dispatch:
+  push:
+
+env:
+  PYTHON_VERSION: '3.12'
+
+jobs:
+  lint:
+    name: Lint source code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+      - name: Set up Poetry
+        run: |
+          pipx install poetry
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: poetry
+      - name: Set up Poetry environment
+        env:
+          PYTHON_VERSION: ${{ env.PYTHON_VERSION }}
+        run: |
+          poetry env use ${PYTHON_VERSION}
+      - name: Install Python dependencies
+        run: |
+          pip install poetry
+          make install
+      - name: Run Bandit
+        run: |
+          poetry run bandit -r mkdocs_exporter

mkdocs_exporter/formats/pdf/browser.py

@@ -102,10 +102,7 @@ async def print(self, html: str) -> tuple[bytes, int]:
     pages = int(await context.locator('body').get_attribute('mkdocs-exporter-pages') or 0)
     pdf = await context.pdf(prefer_css_page_size=True, print_background=True, display_header_footer=False)
 
-    try:
-      os.unlink(file)
-    except Exception:
-      pass
+    os.unlink(file)
 
     await context.close()
 

pyproject.toml

@@ -45,3 +45,4 @@ mkdocs-redirects = "^1.2.0"
 mdx-truly-sane-lists = "^1.3"
 mkdocstrings = {extras = ["python"], version = "^0.25.1"}
 mkdocs-git-committers-plugin-2 = "^2.3.0"
+bandit = "^1.7.9"