Security pipeline update (#1781)

<!-- Contributing guide:
https://github.com/open-edge-platform/datumaro/blob/develop/CONTRIBUTING.md
-->

### Summary
This PR updates security pipeline, in particular:
- security checks is implemented based on reusable actions from Anomalib
repo (later we will move it to more appropriate repo like
`reusable-workflows`) - this will simplify maintenance and support
across Geti repos.
- bandit configuration moved to `pyproject.toml`
- `.pre-commit-config.yaml` - added zizmor and bandit pre-commit checks
- removed unnecessary files

Tested on local fork.
<!--
Resolves #111 and #222.
Depends on #1000 (for series of dependent commits).

This PR introduces this capability to make the project better in this
and that.

- Added this feature
- Removed that feature
- Fixed the problem #1234
-->

### How to test
Tested in fork https://github.com/AlexanderBarabanov/datumaro/actions

### Checklist
<!-- Put an 'x' in all the boxes that apply -->
- [ ] I have added unit tests to cover my changes.​
- [ ] I have added integration tests to cover my changes.​
- [ ] I have added the description of my changes into
[CHANGELOG](https://github.com/open-edge-platform/datumaro/blob/develop/CHANGELOG.md).​
- [ ] I have updated the
[documentation](https://github.com/open-edge-platform/datumaro/tree/develop/docs)
accordingly

### License

- [ ] I submit _my code changes_ under the same [MIT
License](https://github.com/open-edge-platform/datumaro/blob/develop/LICENSE)
that covers the project.
  Feel free to contact the maintainers if that's a concern.
- [ ] I have updated the license header for each file (see an example
below).

```python
# Copyright (C) 2025 Intel Corporation
#
# SPDX-License-Identifier: MIT
```

Author: AlexanderBarabanov

.ci/ipas_default.config

@@ -1,38 +1,34 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL scan"
+name: "CodeQL Scan"
 
 on:
-  schedule:
-    - cron: "0 0 * * *"
   push:
     branches: ["develop", "releases/*"]
   pull_request:
     branches: ["develop", "releases/*"]
-# No permissions by default
-permissions: {}
+  schedule:
+    - cron: "0 0 * * *"
+
+permissions: {} # No permissions by default on workflow level
 
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     permissions:
-      # required for all workflows
-      security-events: write
+      security-events: write # required to publish sarif
 
     strategy:
       fail-fast: false
       matrix:
-        language: ["c-cpp", "python", "actions"]
+        include:
+          - language: actions
+            build-mode: none
+          - language: python
+            build-mode: none
+          - language: c-cpp
+            build-mode: none
+          - language: rust
+            build-mode: none
 
     steps:
       - name: Checkout repository
@@ -42,35 +38,13 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@39edc492dbe16b1465b0cafca41432d857bdb31a # v3.29.1
+        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           languages: ${{ matrix.language }}
-
-      - name: Setup Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
-        with:
-          python-version: "3.11"
-
-      - name: Build
-        run: |
-          pip install build
-          python -m build
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-extended
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@39edc492dbe16b1465b0cafca41432d857bdb31a # v3.29.1
+        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           category: "/language:${{matrix.language}}"
-
-      - name: Generate CodeQL Report
-        uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          template: report
-          outputDir: ${{matrix.language}}
-
-      - name: Upload Report
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
-        with:
-          name: codeql-report-${{matrix.language}}
-          path: "./${{matrix.language}}/report.pdf"
-          retention-days: 7

.ci/trivy-csv.tmpl

@@ -24,3 +24,37 @@ jobs:
       - name: Run pre-commit checks
         shell: bash
         run: pre-commit run --all-files
+
+  Zizmor-Scan-PR:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Run Zizmor scan
+        uses: open-edge-platform/anomalib/.github/actions/security/zizmor@fadfedd5150eb8cd39dfb659ae9bd0eb1c06720d
+        with:
+          scan-scope: "changed"
+          severity-level: "MEDIUM"
+          confidence-level: "HIGH"
+          fail-on-findings: true
+  Bandit-Scan-PR:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Run Bandit scan
+        uses: open-edge-platform/anomalib/.github/actions/security/bandit@fadfedd5150eb8cd39dfb659ae9bd0eb1c06720d
+        with:
+          scan-scope: "changed"
+          severity-level: "LOW"
+          confidence-level: "LOW"
+          config_file: "pyproject.toml"
+          fail-on-findings: true