Updated github action adding bandit.

Update ci.yml

Update ci.yml

Update ci.yml

Update ci.yml

Update ci.yml

Update ci.yml

Update ci.yml

Update ci.yml

Update ci.yml

Update ci.yml

Create .bandit

Update .bandit

Fix security issues

Resolved security warnings.

Run black.

.bandit

@@ -0,0 +1,3 @@
+[bandit]
+skips: B101
+exclude: {{cookiecutter.project_slug}}

.github/workflows/ci.yml

@@ -6,6 +6,13 @@ on:
   pull_request:
 
 jobs:
+  bandit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run bandit
+        uses: tj-actions/bandit@v1.2
+
   tox:
     runs-on: ubuntu-latest
     strategy:

hooks/post_gen_project.py

@@ -156,7 +156,7 @@ def generate_random_string(
         unsuitable = {"'", '"', "\\", "$"}
         suitable = all_punctuation.difference(unsuitable)
         symbols += "".join(suitable)
-    return "".join([random.choice(symbols) for _ in range(length)])
+    return "".join([random.choice(symbols) for _ in range(length)])  # nosec
 
 
 def set_flag(file_path, flag, value=None, formatted=None, *args, **kwargs):

setup.py

@@ -1,6 +1,7 @@
 #!/usr/bin/env python
 
-import os
+import shlex
+import subprocess  # nosec
 import sys
 
 try:
@@ -12,10 +13,16 @@ except ImportError:
 # If Django has a new release, we branch, tag, then update this setting after the tag.
 version = "3.0.11"
 
+
+def run_command(command):
+    args = shlex.split(command, posix=False)
+    return subprocess.check_output(args, shell=False)  # nosec
+
+
 if sys.argv[-1] == "tag":
-    os.system(f'git tag -a {version} -m "version {version}"')
-    os.system("git push --tags")
-    sys.exit()
+    run_command('git tag -a {version} -m "version {version}"'.format(version=version))
+    run_command("git push --tags")
+    sys.exit(0)
 
 with open("README.rst") as readme_file:
     long_description = readme_file.read()