Update bandit.yml with version bump

[reactive-firewall]

Migrate to latest, maintained, version of bandit code-scanning action.

Noteworthy changes:

• Maintained action is a fork of the unmaintained previous version. - Versions are still pinnable ( including bug-for-bug compatible v1.0 ) - Maintained project now utilizes @dependabot to keep sub-dependencies current.
• Maintained action is already released on marketplace.
• Credits updated with both original and maintainer with no change to licensing.
• Updated to use checkout@v4 now.

---

📋 TL;DR - PR Template with checklist from code owners

Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.

---

Tasks

For all workflows, the workflow:

• Should be contained in a .yml file with the language or platform as its filename, in lower, kebab-cased format (for example, docker-image.yml). Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET").
• Should use sentence case for the names of workflows and steps (for example, "Run tests").
• Should be named only by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build").
• Should include comments in the workflow for any parts that are not obvious or could use clarification.
• Should specify least privileged permissions for GITHUB_TOKEN so that the workflow runs successfully.

For Code Scanning workflows, the workflow:

• Should be preserved under the code-scanning directory.
• Should include a matching code-scanning/properties/*.properties.json file (for example, code-scanning/properties/codeql.properties.json), with properties set as follows:
  • name: Name of the Code Scanning integration.
  • creator: Name of the organization/user producing the Code Scanning integration.
    PLEASE ADVISE does this need to be changed?
  • description: Short description of the Code Scanning integration.
  • categories: Array of languages supported by the Code Scanning integration.
  • iconName: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in the icons directory.
• Should run on push to branches: [ $default-branch, $protected-branches ] and pull_request to branches: [ $default-branch ]. We also recommend a schedule trigger of cron: $cron-weekly (for example, codeql.yml).

Some general notes:

• This workflow must only use actions that are produced by GitHub, in the actions organization, or
• This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be published to the GitHub Marketplace. We require that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file:

  # This workflow uses actions that are not certified by GitHub.
  # They are provided by a third-party and are governed by
  # separate terms of service, privacy policy, and support
  # documentation.
  

• Automation and CI workflows should not send data to any 3rd party service except for the purposes of installing dependencies.
• Automation and CI workflows cannot be dependent on a paid service or product.

[reactive-firewall]

Tagging possible community stakeholders ( i.e. Request for Comment )

TL;DR:

Regarding which version to pin for actions/checkout (i.e. leave as actions/checkout@v4 versus change to actions/[email protected]

• @jww3 Author of actions/[email protected] (EDIT: new possible stakeholder)
• @cory-miller Author of actions/[email protected] (EDIT: 4.2.2 superseded 4.1.6)
• @joshmgross Author of actions/[email protected] (EDIT: 4.2.2 superseded 4.1.6)
• EDIT: big thanks to @jsoref from the community for feedback on this ⭐

Regarding Included fixes from overlapping, related, or similar work (i.e. relevant community):

• @abirismyname Upstream Author of included of shundor/python-bandit-scan
• Kenta Nakase Author of included work (already responded, declining further interest 🙇 Please respect)
• @Grisolfi Author of overlapping/similar work
• @SamMorrowDrums Author of overlapping/similar work
• @aegilops Author of redundant/similar work
• @clintonsteiner Author of similar work

Regarding Possible Overlap with other PRs in this repo:

• PR Checkout: Update all workflows to use Checkout V4 #2465 - this PR Update bandit.yml with version bump #2497 aims to eliminate part of the issue raised, as it concerns bandit.yml 🙇 Coordination appreciated.
• PR Ubuntu-Latest: Update all workflows to use ubuntu-latest #2464 - related changes, but does not conflict (included only for completeness)
• PR Bump Bandit starter workflow to actions/checkout@v4 #2553 - Partial DUPLICATE in bandit.yml 🙇 Coordination requested
• PR Update Old Python versions to modern supported ones #2584 - Related changes, but does not conflict 🙇 Coordination appreciated (included only for completeness as relevant community)

[reactive-firewall]

LGTM after rebase.

TL;DR - Fixed issue with space when pinning by hash instead of tag. Also rebased with latest version from default branch to ensure compatibility.

[reactive-firewall]

💁🏻 LGTM! No conflicts from rebasing (from actions:main to remain current).