
ci: bump python-bandit-scan to use codeql-action/upload-sarif v4 #367

Open

Dipro-cyber wants to merge 1 commit into chaoss:main from Dipro-cyber:fix/bump-codeql-sarif-upload-v4-349

Conversation

@Dipro-cyber (Contributor) commented Jun 6, 2026

The previous pinned commit (11a72c7c) used github/codeql-action/upload-sarif@v3 which is being deprecated in December 2025. Updated to the latest commit (88ecea17) which uses upload-sarif@v4.

Fixes #349


Signed commits: Yes, I signed my commits.

The previous pinned commit (11a72c7c) used github/codeql-action/upload-sarif@v3
which is being deprecated in December 2025. Updated to the latest commit
(88ecea17) which uses upload-sarif@v4.

Fixes chaoss#349

Signed-off-by: Diptesh Roy <droy88333@gmail.com>
@Dipro-cyber Dipro-cyber requested a review from MoralCode as a code owner June 6, 2026 20:50
@MoralCode (Contributor) commented

@Dipro-cyber Do you have a link to the new commit? Since #352 we are using a fork of the bandit scan action. I want to make sure the commit hashes are coming from the correct repo/project

@Dipro-cyber (Contributor, Author) commented

> @Dipro-cyber Do you have a link to the new commit? Since #352 we are using a fork of the bandit scan action. I want to make sure the commit hashes are coming from the correct repo/project

The commit hash 88ecea17 is from reactive-firewall/python-bandit-scan (the same repo already being used in the workflow). I confirmed that this commit uses github/codeql-action/upload-sarif@v4 internally: https://github.com/reactive-firewall/python-bandit-scan/blob/88ecea175f67a97e97ebe4a1a2761135b8e10aa0/action.yml#L74

The shundor/python-bandit-scan fork (used as the base in #352) still uses upload-sarif@v3 and doesn't have config_path support. So reactive-firewall seems like the better upstream for this fix.
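The two checks discussed above (that a pinned SHA resolves in the repository the workflow names, and what the pinned composite action itself calls), as an added example that is not part of this PR or the project's own code. The workflow excerpt, the `example-org/forked-bandit-scan` entry and the in-memory action.yml lookup are constructed; only the reactive-firewall repository and its 88ecea17 SHA come from the thread.

```python
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Nested action references the thread treats as no longer acceptable.
DEPRECATED = {"github/codeql-action/upload-sarif": {"v3"}}

FAKE_SHA = "1" * 40  # constructed placeholder for a second, made-up pin

# Constructed workflow excerpt: the python-bandit-scan pin is the repo/SHA named
# in the PR; the other two entries exist only to exercise the checks.
WORKFLOW = f"""
jobs:
  bandit:
    steps:
      - uses: actions/checkout@v4
      - uses: reactive-firewall/python-bandit-scan@88ecea175f67a97e97ebe4a1a2761135b8e10aa0
        with:
          config_path: .bandit
      - uses: example-org/forked-bandit-scan@{FAKE_SHA}
"""

# Constructed stand-in for fetching action.yml at (repo, sha). A real fetch would
# be keyed by the exact pinned repository, so a SHA that only exists in some other
# fork fails the lookup instead of silently resolving.
ACTION_YML = {
    ("reactive-firewall/python-bandit-scan", "88ecea175f67a97e97ebe4a1a2761135b8e10aa0"):
        "runs:\n  steps:\n    - uses: github/codeql-action/upload-sarif@v4\n",
    ("example-org/forked-bandit-scan", FAKE_SHA):
        "runs:\n  steps:\n    - uses: github/codeql-action/upload-sarif@v3\n",
}

def parse_uses(yaml_text):
    """Return (action path, ref) pairs for every `uses:` line in a workflow or action file."""
    return USES_RE.findall(yaml_text)

def audit(workflow_text, fetch_action_yml=lambda repo, sha: ACTION_YML[(repo, sha)]):
    """Flag tag pins, SHAs not found in the pinned repo, and nested deprecated actions."""
    findings = []
    for path, ref in parse_uses(workflow_text):
        repo = "/".join(path.split("/")[:2])
        if not FULL_SHA_RE.match(ref):
            findings.append(f"{path}@{ref}: not pinned to a full commit SHA")
            continue
        try:
            inner = fetch_action_yml(repo, ref)
        except KeyError:
            findings.append(f"{repo}@{ref[:8]}: commit not found in that repository")
            continue
        for inner_path, inner_ref in parse_uses(inner):
            if inner_ref in DEPRECATED.get(inner_path, ()):
                findings.append(f"{repo}@{ref[:8]}: uses deprecated {inner_path}@{inner_ref}")
    return findings
```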

@MoralCode MoralCode added the "waiting" label (This change is waiting for some other changes to land first) Jun 17, 2026

@MoralCode (Contributor) commented

If this change includes effectively changing the branch/upstream we are using for this CI job, that is a lot more likely to break the job than just updating a single subtask. To get this merged, I'd like to either:

  1. have the repo/branch we are currently using add this task update (maybe a contribution), or
  2. do a more thorough comparison of the two repos/branches to make sure all the underlying reasons/features we need (likely explained in update bandit actions config to a more current version #352) are still present and pick the repo that is the best maintained/most likely to continue being maintained


Labels: waiting (This change is waiting for some other changes to land first)

Linked issue this pull request may close: Bump codeql SARIF upload CI dependency to v4

2 participants