Add security checks

[dmentipl]

Addresses #1382

Run bandit and safety as part of CI. Bandit finds common security issues in Python code. Safety checks installed dependencies for know security vulnerabilities.

If bandit/safety find any issues the tests will not fail. However, the output is written to the log (in GitHub Actions) for inspection.

Testing:

• Ran tests and they passed OK
• Added new tests for the new feature(s)

CLA

• If a new developer, signed up to CLA

[codecov]

Codecov Report

Merging #1385 (e676700) into master (ecbe0da) will increase coverage by 0.10%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1385      +/-   ##
==========================================
+ Coverage   96.19%   96.29%   +0.10%     
==========================================
  Files          86       89       +3     
  Lines        7301     7476     +175     
==========================================
+ Hits         7023     7199     +176     
+ Misses        278      277       -1     

Impacted Files	Coverage Δ
improver/metadata/probabilistic.py	100.00% <0.00%> (ø)
improver/wxcode/weather_symbols.py	98.48% <0.00%> (ø)
improver/wxcode/wxcode_decision_tree.py	100.00% <0.00%> (ø)
improver/synthetic_data/set_up_test_cubes.py	100.00% <0.00%> (ø)
improver/wxcode/wxcode_decision_tree_global.py	100.00% <0.00%> (ø)
improver/calibration/reliability_calibration.py	100.00% <0.00%> (ø)
...semble_copula_coupling/ensemble_copula_coupling.py	99.01% <0.00%> (ø)
improver/convection.py
improver/calculate_sleet_prob.py
improver/precipitation_type/convection.py	100.00% <0.00%> (ø)
... and 6 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ecbe0da...e676700. Read the comment docs.

[tjtg]

All looks good.
Bandit has found a few assert statements in non-test code. I'll create another issue to tackle those.

[benfitzpatrick]

Thank you @dmentipl! Looks good. I'm half wondering if bandit should just fail - what do you think?

[dmentipl]

No worries, @benfitzpatrick!

We certainly could fail with bandit. However, it does pick up things like using assert, which is a low severity issue. We could add the -ll flag which reports on "medium" severity and higher, e.g. ignoring use of assert.

What do you and @tjtg think?

[tjtg]

I'm half wondering if bandit should just fail - what do you think?

We should make it so that bandit fails if it identifies issues, but not right now.
There are a few existing issues identified by bandit (see #1386) and those existing issues would cause all CI jobs to be marked as failing until they get addressed. The flags to only fail on medium or high severity issues won't help here as one of the currently identified issues is high severity.