From dcfdb23b0c2a12a31282c913923ee5cb4cb148e8 Mon Sep 17 00:00:00 2001
From: Lorenzo Venerandi
Date: Thu, 22 Jan 2026 11:20:46 +0100
Subject: [PATCH] feat: enhance Bandit security check to enforce HIGH severity issue detection

---
 .github/workflows/security-scan.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 7de1246..3507c4f 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -30,8 +30,16 @@ jobs:
 - name: Bandit security check
 run: |
- bandit -r src/ -f json -o bandit-report.json || true
+ bandit -r src/ -f json -o bandit-report.json
 bandit -r src/ -f txt
+
+ # Check for HIGH severity issues only
+ HIGH_COUNT=$(python3 -c "import json; data=json.load(open('bandit-report.json')); print(len([i for i in data['results'] if i['severity'] == 'HIGH']))")
+ if [ "$HIGH_COUNT" -gt 0 ]; then
+ echo "Found $HIGH_COUNT HIGH severity security issues"
+ exit 1
+ fi
+ echo "No HIGH severity security issues found (LOW/MEDIUM are acceptable)"
 
 - name: Safety check for dependencies
 run: safety check --json || true
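Review bot: The HIGH-only gate never gets to run on a project with any finding: Bandit exits 1 whenever it reports an issue of any severity, and GitHub runs a `run: |` step with `bash -e`, so dropping `|| true` from the JSON invocation (and the unguarded `bandit -r src/ -f txt` that follows it) aborts the step on the first LOW or MEDIUM hit, contradicting the "LOW/MEDIUM are acceptable" message. Use Bandit's `--exit-zero` on both scans so they always produce their output and leave the pass/fail decision to the filter: `bandit -r src/ -f json -o bandit-report.json --exit-zero` and `bandit -r src/ -f txt --exit-zero`; this is preferable to restoring `|| true`, which would also hide a genuine Bandit crash or a bad path. The filter itself also looks wrong: Bandit's JSON results carry the severity under `issue_severity` rather than `severity`, so the comprehension should read `if i['issue_severity'] == 'HIGH'` — as written it raises KeyError on any non-empty result set (failing the step via the `HIGH_COUNT=$(...)` assignment under `-e`) and only passes when the results list is empty, which makes the gate impossible to validate from a green run. It would be worth a comment in the step stating that the intended failure condition is HIGH severity only, since the exit-code behaviour of both Bandit invocations is what makes that true.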