https://bandit.readthedocs.io/en/latest/plugins/index.html#complete-test-plugin-listing
* Enable B108 (hardcoded tmp dir), address findings
* Enable B602 (subprocess popen with shell), address findings
* Enable B604 (start process with shell), address findings
* Enable B306 (mktemp), B307 (eval), and B325 (tempnam), no issues to address
* Add bandit to pre-commit and CI, use to catch known vulnerable XML parsing
* Use defusedxml instead of direct xml.etree to parse XML
* Move config to tests/bandit.yaml