Update bandit.yml with a maintained fork

Migrate to latest, maintained, version of action.
 * Maintained action is a fork of the unmaintained previous version.
    - Versions are still pinnable ( including bug-for-bug compatible `v1.0` )
    - Maintained project now utilizes @dependabot to keep sub-dependencies current.
    - Maintained action is already released on marketplace
 * Credits both original and maintainer with no change to licensing
 * Updated to use checkout@v4 already

code-scanning/bandit.yml

@@ -7,7 +7,7 @@
 # This action will run Bandit on your codebase.
 # The results of the scan will be found under the Security tab of your repository.
 
-# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
+# https://github.com/marketplace/actions/python-bandit-scan is ISC licensed, by abirismyname and maintained by reactive-firewall
 # https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
 
 name: Bandit
@@ -20,29 +20,31 @@ on:
   schedule:
     - cron: $cron-weekly
 
+permissions: {}  # Default global permissions to none.
+
 jobs:
   bandit:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-
+    
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Bandit Scan
-        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
+        uses: reactive-firewall/python-bandit-scan@v2.1  # v2.1 - c8b1d56a3964de4e00e7a820dddb38661a4b7566
         with: # optional arguments
-          # exit with 0, even with results found
+          # exit with 0, even with results found - remove or set to false to fail on results when found.
           exit_zero: true # optional, default is DEFAULT
           # Github token of the repository (automatically created by Github)
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
           # File or directory to run bandit on
-          # path: # optional, default is .
+          # path: "." # optional, default is .
           # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          # level: # optional, default is UNDEFINED
+          # level: high # optional, default is UNDEFINED
           # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          # confidence: # optional, default is UNDEFINED
+          # confidence: high # optional, default is UNDEFINED
           # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
           # excluded_paths: # optional, default is DEFAULT
           # comma-separated list of test IDs to skip