Merge branch 'main' of https://github.com/MitCode85/yt-audio-workbench

Author: MitCode85

.github/workflows/security.yml

@@ -10,6 +10,9 @@ on:
 jobs:
   bandit:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write   # needed for SARIF upload
     steps:
       - uses: actions/checkout@v4
 
@@ -20,27 +23,30 @@ jobs:
       - name: Install Bandit
         run: python -m pip install --upgrade pip bandit
 
-      # 1) Generate a full report (never fails the job) so you can review details
-      - name: Bandit full report (non-blocking)
+      # Full report for triage (non-blocking), goes to the Security tab
+      - name: Bandit SARIF (non-blocking)
         run: |
           bandit -r . \
             -x tests,venv,.venv,build,dist,__pycache__,.github \
-            -s B101,B404 \
-            -f txt -o bandit.txt || true
+            -f sarif -o bandit.sarif || true
 
-      # 2) Gate on HIGH severity + HIGH confidence only (job fails if any)
-      - name: Bandit gate (HIGH/HIGH only)
+      - name: Upload SARIF to code scanning
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: bandit.sarif
+          category: bandit
+
+      # Gate 1: fail on ANY High severity (even if confidence is low)
+      - name: Bandit gate — HIGH severity (any confidence)
         run: |
           bandit -q -r . \
             -x tests,venv,.venv,build,dist,__pycache__,.github \
-            -s B101,B404 \
-            --severity-level high --confidence-level high
+            --severity-level high --confidence-level low
 
-      - name: Upload Bandit report
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: bandit-report
-          path: bandit.txt
-          if-no-files-found: warn
-          retention-days: 7
+      # Gate 2: fail on Medium/High with HIGH confidence
+      - name: Bandit gate — MEDIUM+ with HIGH confidence
+        run: |
+          bandit -q -r . \
+            -x tests,venv,.venv,build,dist,__pycache__,.github \
+            --severity-level medium --confidence-level high

ONBOARDING.md

@@ -6,7 +6,7 @@ Welcome to the project! Here’s how to get your development environment set up
 
 Before you begin, make sure you have the following installed on your system:
 
-* **Python 3.9+**
+* **Python 3.11+**
 * **Git**
 * **ffmpeg** & **ffprobe**
 * **mp3gain** (optional, but recommended)
@@ -78,4 +78,5 @@ This project uses standard tools to maintain code quality.
     pre-commit install
     ```
 
-That's it! You're ready to start developing.
+
+That's it! You're ready to start developing.

help_window.py

@@ -39,14 +39,13 @@ def _tool_info(cmd: str, version_args: list[str]) -> list[str]:
         return out
     out.append(f"{cmd}: {path}")
     try:
-        import subprocess
+        import subprocess # nosec B404: importing subprocess is intentional; we use shell=False
 
         p = subprocess.run(
             [path, *version_args],
             capture_output=True,
             text=True,
             check=False,
-            timeout=3, # It's also good practice to include a timeout
         )
 
         first = (