update codeowners and add workflow

.github/workflows/bandit-schedule.yml

@@ -0,0 +1,70 @@
+## This runs bandit checks on all jupyter notebooks and python files
+## on a schedule and then uploads the results so that can 
+## be seen in the security tab. It can also be run manually
+## https://tool.crontap.com/cronjob-debugger
+##
+## Current settings in this file are to look for only high severity with high confidence
+
+name: ScheduledBandit
+
+on:
+  schedule:
+    - cron: '0 1 1 * *'  # at 1am on the first day of the month  
+
+  workflow_dispatch:  # manual run, workflow must be in default branch
+
+
+jobs:
+  bandit-scheduled-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Get changed notebooks
+        id: get-changed-notebooks
+        uses: tj-actions/[email protected]
+        with:
+          separator: " " # nbconvert accepts space separated file list
+          safe_output: false # binding to env below
+          files: |
+            **/*.ipynb    
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ vars.PYTHON_VERSION }}
+          cache: 'pip'
+
+      - name: Install Bandit
+        run: |
+          python --version
+          python -m pip install --upgrade pip
+          pip install bandit bandit-sarif-formatter
+
+      - name: Install nbconvert
+        if: ${{ steps.get-changed-notebooks.outputs.any_changed == 'true' }}
+        run: pip install nbconvert ipython
+
+      - name: Convert Jupyter notebooks 
+        if: ${{ steps.get-changed-notebooks.outputs.any_changed == 'true' }}
+        env:
+          ADDED_FILES: ${{ steps.get-changed-notebooks.outputs.all_changed_files }}     
+        run: jupyter nbconvert --allow-errors --sanitize-html --to script $ADDED_FILES        
+
+      - name: Perform Bandit Analysis
+        id: bandit-run
+        run: bandit --format sarif -o results.sarif --confidence-level high  --severity-level high -r .
+
+      - name: Upload sarif to security
+        if: ${{ failure() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif-file: results.sarif
+
+

.github/workflows/bandit.yml

@@ -0,0 +1,79 @@
+## This runs bandit checks on all PRs and upload artifact
+## Currently set only for high severity and high criticality
+name: BanditEverything
+
+on:
+  pull_request: 
+    branches: 
+      - main
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  bandit-scan:
+    runs-on: ubuntu-latest
+    env:
+      ARTIFACT_ROOT: bandit-results
+      PR_NUMBER: ${{ github.event.number }}
+    permissions:
+      # only required for workflows in private repositories, remaining set to none
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ vars.PYTHON_VERSION }}
+
+      - name: Get changed notebooks
+        id: get-changed-notebooks
+        uses: tj-actions/[email protected]
+        with:
+          separator: " " # nbconvert accepts space separated file list
+          safe_output: false # binding to env below
+          files: |
+            **/*.ipynb    
+
+      - name: Install Bandit
+        id: install-bandit
+        run: |
+          python --version
+          python -m pip install --upgrade pip
+          pip install bandit
+          echo "BANDIT_ARTIFACT=$ARTIFACT_ROOT.$PR_NUMBER.json" >> "$GITHUB_ENV"
+
+      - name: Install nbconvert
+        if: ${{ steps.get-changed-notebooks.outputs.any_changed == 'true' }}
+        run: pip install nbconvert ipython
+
+      - name: Convert Jupyter notebooks 
+        if: ${{ steps.get-changed-notebooks.outputs.any_changed == 'true' }}
+        env:
+          ADDED_FILES: ${{ steps.get-changed-notebooks.outputs.all_changed_files }}     
+        run: jupyter nbconvert --allow-errors --sanitize-html --to script $ADDED_FILES        
+
+      - name: Perform Bandit Analysis
+        id: bandit-run
+        run: bandit --format json -o $BANDIT_ARTIFACT --confidence-level high  --severity-level high -r .
+
+      - name: Upload artifact
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.BANDIT_ARTIFACT }}
+          path: ${{ env.BANDIT_ARTIFACT }}
+          overwrite: true
+          retention-days: 14
+
+

CODEOWNERS

@@ -2,15 +2,15 @@
 # the repo. Unless a later match takes precedence
 *   @sosey
 
-/general_issues/ @sosey
+/general_issues/ @sosey @drlaw1558
 
 # Order is important; the last matching pattern takes the most
 # precedence.
 /MIRI/   @skendrew
 /Pure_Parallels/  @goudfroo @bhilbert4
 /NIRCam_grism_time_series/  @bhilbert4
 /NIRISS_SOSS/   @Rplesha    @tbainesUA
-/NIRSPEC_Fixed_Slit/    @melanieclarke  @PatrickOgle
-/NIRSPEC_General/   @melanieclarke  @PatrickOgle
-/NIRSPEC_IFU/   @melanieclarke  @PatrickOgle
-/NIRSPEC_MOS/   @melanieclarke  @PatrickOgle
+/NIRSPEC_Fixed_Slit/    @hayescr  @PatrickOgle
+/NIRSPEC_General/   @hayescr  @PatrickOgle
+/NIRSPEC_IFU/   @hayescr  @PatrickOgle
+/NIRSPEC_MOS/   @hayescr  @PatrickOgle