Fix CI: bandit pin 1.9.0→1.9.4, Go 1.23→1.25 for stdlib vuln fixes

SecAI-Hub · claude · SecAI-Hub · commit 7ab73ae29527 · 2026-03-14T15:03:34.000-07:00
- bandit==1.9.0 was yanked from PyPI; pin to 1.9.4 (latest stable)
- Update all 9 Go services from go 1.23 to go 1.25, fixing 12 stdlib
  vulnerabilities (GO-2025-4007 through GO-2026-4602) in crypto/tls,
  crypto/x509, encoding/asn1, encoding/pem, net/url, and os
- go mod tidy cleaned unused indirect deps in policy-engine and
  runtime-attestor

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/requirements-ci.txt b/requirements-ci.txt
@@ -6,7 +6,7 @@ Flask==3.1.1
 requests==2.32.5
 pytest==8.3.5
 ruff==0.11.6
-bandit==1.9.0
+bandit==1.9.4
 mypy==1.15.0
 pip-audit==2.9.0
 types-PyYAML==6.0.12.20250402
diff --git a/services/airlock/go.mod b/services/airlock/go.mod
@@ -1,5 +1,5 @@
 module github.com/sec_ai/SecAI_OS/services/airlock
 
-go 1.23
+go 1.25
 
 require gopkg.in/yaml.v3 v3.0.1
diff --git a/services/gpu-integrity-watch/go.mod b/services/gpu-integrity-watch/go.mod
@@ -1,5 +1,5 @@
 module github.com/SecAI-Hub/gpu-integrity-watch
 
-go 1.23
+go 1.25
 
 require gopkg.in/yaml.v3 v3.0.1
diff --git a/services/incident-recorder/go.mod b/services/incident-recorder/go.mod
@@ -1,5 +1,5 @@
 module github.com/SecAI-Hub/incident-recorder
 
-go 1.23
+go 1.25
 
 require gopkg.in/yaml.v3 v3.0.1
diff --git a/services/integrity-monitor/go.mod b/services/integrity-monitor/go.mod
@@ -1,5 +1,5 @@
 module github.com/SecAI-Hub/integrity-monitor
 
-go 1.23
+go 1.25
 
 require gopkg.in/yaml.v3 v3.0.1
diff --git a/services/mcp-firewall/go.mod b/services/mcp-firewall/go.mod
@@ -1,5 +1,5 @@
 module github.com/SecAI-Hub/mcp-firewall
 
-go 1.23
+go 1.25
 
 require gopkg.in/yaml.v3 v3.0.1
diff --git a/services/policy-engine/go.mod b/services/policy-engine/go.mod
@@ -1,7 +1,5 @@
 module github.com/SecAI-Hub/policy-engine
 
-go 1.23
+go 1.25
 
 require gopkg.in/yaml.v3 v3.0.1
-
-require gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 // indirect
diff --git a/services/registry/go.mod b/services/registry/go.mod
@@ -1,5 +1,5 @@
 module github.com/sec_ai/SecAI_OS/services/registry
 
-go 1.23
+go 1.25
 
 require gopkg.in/yaml.v3 v3.0.1
diff --git a/services/runtime-attestor/go.mod b/services/runtime-attestor/go.mod
@@ -1,7 +1,5 @@
 module github.com/SecAI-Hub/runtime-attestor
 
-go 1.23
+go 1.25
 
 require gopkg.in/yaml.v3 v3.0.1
-
-require gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 // indirect
diff --git a/services/tool-firewall/go.mod b/services/tool-firewall/go.mod
@@ -1,5 +1,5 @@
 module github.com/sec_ai/SecAI_OS/services/tool-firewall
 
-go 1.23
+go 1.25
 
 require gopkg.in/yaml.v3 v3.0.1

-Original file line number
+Diff line change
@@ @@ -1,5 +1,5 @@ @@
 module github.com/sec_ai/SecAI_OS/services/airlock
 -go 1.23
 +go 1.25
 require gopkg.in/yaml.v3 v3.0.1