/.cache/pip is owned by root; as UID 1001 pip emits a cache-permission
warning. Container is ephemeral so caching has no value — disable it
with PIP_NO_CACHE_DIR=1.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Creates /tmp/venv inside the ephemeral container, installs bandit there,
and runs the security check via the venv's Python. No --user installs,
no script-location warnings, no writes outside the container's /tmp.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

--no-warn-script-location: bandit scripts go to /tmp/.local/bin which is
not on PATH, but we invoke via 'python -m bandit' so this is harmless.
PIP_DISABLE_PIP_VERSION_CHECK=1: silence the version upgrade notice.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker run was using python:3.12-slim's default root user, causing pip
to warn about running as root. Fix: add -u 1001:1001, set HOME=/tmp so
pip --user has a writable install location, and pass --user to pip.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
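The docker run invocation that these four commit messages converge on (non-root UID, HOME=/tmp, venv under /tmp, pip cache and version check disabled, bandit invoked via the venv's python -m), collected into one script. This is an added example, not code from the commits; it assumes the project source is mounted read-only at /src and that bandit scans it recursively.

```shell
#!/bin/sh
# Added example: build the hardened `docker run` line the commits describe.
# Assumption: the caller passes the host path of the project to scan; it is
# mounted read-only at /src inside the container.
bandit_scan_cmd() {
  src_dir="$1"
  # -u 1001:1001        run as an unprivileged UID, not the image's root default
  # -e HOME=/tmp        gives pip a writable home (cache dir, venv) as UID 1001
  # PIP_NO_CACHE_DIR=1  container is ephemeral, so a pip cache has no value
  # PIP_DISABLE_PIP_VERSION_CHECK=1  silence the upgrade notice in scan output
  # /tmp/venv           venv replaces --user installs; no --no-warn-script-location
  #                     needed because bandit runs via `python -m bandit`
  printf '%s' "docker run --rm \
-u 1001:1001 \
-e HOME=/tmp \
-e PIP_NO_CACHE_DIR=1 \
-e PIP_DISABLE_PIP_VERSION_CHECK=1 \
-v ${src_dir}:/src:ro \
-w /src \
python:3.12-slim \
sh -c 'python -m venv /tmp/venv \
&& /tmp/venv/bin/python -m pip install -q bandit \
&& /tmp/venv/bin/python -m bandit -r /src'"
}

# Stand-alone use: `sh scan.sh /path/to/project` prints and runs the command.
if [ "$#" -gt 0 ]; then
  cmd="$(bandit_scan_cmd "$1")"
  echo "$cmd"
  sh -c "$cmd"
fi
```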