spdx / ntia-conformance-checker

Check SPDX SBOM for NTIA minimum elements


Add CodeQL Scanning

jspeed-meyers opened this issue

Since the documentation now explicitly describes how to use ntia-conformance-checker as a library, it might be worthwhile to turn on a second security static analysis tool to catch security bugs. While the project currently uses bandit, I've observed that not all security static analysis tools catch the same bugs, so there could be additional benefit.

Thoughts? It should be a cheap GH action and easy to implement.