chore: Enable subset of Ruff security rules

Enabled a subset of flake8-bandit security rules.

Some S6* rules conflict with one another, with some requiring shell=True
and others preventing it. We enable S602 and S604 to prevent it.

Although we do use Mako templates, they are not used with any file types
that can contain executable code, so S7* rules aren't useful.

Author: joelspadin

pyproject.toml

@@ -86,7 +86,12 @@ select = [
   # ruff
   "RUF",
   # flake8-bandit
-  # "S", TODO: enable this and fix issues in a separate commit
+  "S1",
+  "S2",
+  "S3",
+  "S5",
+  "S602",
+  "S604",
   # flake8-simplify
   "SIM",
   # flake8-self