[bandit]
# qfit vendors pypdf only to merge PDFs generated by QGIS. Scanning third-party
# compatibility crypto code creates false positives outside qfit's control.
exclude = vendor

# B310: qfit validates/constructs the URLs it opens for Strava/Mapbox APIs.
# B604: QGIS opens local files via the platform shell with user-controlled paths.
# B608: table names are fixed internally before SQL strings are assembled.
skips = B310,B604,B608
