diff --git a/Makefile b/Makefile
index 7e039ea752..9bddaab4e2 100644
--- a/Makefile
+++ b/Makefile
@@ -77,8 +77,7 @@ lint-fix: lint-codespell  ## Lint and automatically fix errors in the python sou
 lint-codespell:  ## Reports spelling errors.
 	$(UV) run codespell -w
 
-lint: ## Lint the python and golang sources
-	$(UV) run bandit -c pyproject.toml -r $(PY_SOURCES)
+lint: ci-bandit ## Lint the python and golang sources
 	golangci-lint run -v
 
 core-install:
@@ -340,7 +339,7 @@ ci-codespell: ci--meta-debug
 	$(UV) run codespell -s
 
 ci-bandit: ci--meta-debug
-	$(UV) run bandit -r $(PY_SOURCES)
+	$(UV) run bandit -c pyproject.toml -r $(PY_SOURCES) -iii
 
 ci-pending-migrations: ci--meta-debug
 	$(UV) run ak makemigrations --check
diff --git a/authentik/sources/oauth/types/slack.py b/authentik/sources/oauth/types/slack.py
index e15eb11637..3b44384e89 100644
--- a/authentik/sources/oauth/types/slack.py
+++ b/authentik/sources/oauth/types/slack.py
@@ -51,7 +51,8 @@ class SlackOAuthClient(OAuth2Client):
             token["id"] = authed_user.get("id")
 
         # Slack returns "user", but API expects Bearer
-        token["token_type"] = "Bearer"  # nosec B105 - not a password, OAuth token type
+        # not a password, OAuth token type
+        token["token_type"] = "Bearer"  # nosec
 
         return token
 
diff --git a/authentik/sources/oauth/types/wechat.py b/authentik/sources/oauth/types/wechat.py
index eaa31c20e2..7504eb4c7b 100644
--- a/authentik/sources/oauth/types/wechat.py
+++ b/authentik/sources/oauth/types/wechat.py
@@ -125,8 +125,8 @@ class WeChatType(SourceType):
 
     # URLs for the WeChat "Login for Websites" authorization flow
     authorization_url = "https://open.weixin.qq.com/connect/qrconnect"
-    # nosec: B105 This is a public URL, not a hardcoded secret
-    access_token_url = "https://api.weixin.qq.com/sns/oauth2/access_token"  # nosec
+    # This is a public URL, not a hardcoded secret
+    access_token_url = "https://api.weixin.qq.com/sns/oauth2/access_token"  # nosec B105
     profile_url = "https://api.weixin.qq.com/sns/userinfo"
 
     # Note: 'authorization_code_auth_method' is intentionally omitted.
diff --git a/blueprints/schema.json b/blueprints/schema.json
index bd6ab2bccb..4b2cbf9418 100644
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@@ -11284,8 +11284,7 @@
                     "type": "string",
                     "enum": [
                         "MIT",
-                        "Heimdal",
-                        "other"
+                        "Heimdal"
                     ],
                     "title": "Kadmin type",
                     "description": "KAdmin server type"
diff --git a/pyproject.toml b/pyproject.toml
index bf93ea27b5..46169e60fb 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -78,7 +78,7 @@ dependencies = [
 [dependency-groups]
 dev = [
   "aws-cdk-lib==2.235.0",
-  "bandit==1.9.2",
+  "bandit==1.9.3",
   "black==26.1.0",
   "bpython==0.26",
   "codespell==2.4.1",
diff --git a/schema.yml b/schema.yml
index d44b4b5530..c0e118f00a 100644
--- a/schema.yml
+++ b/schema.yml
@@ -22115,7 +22115,6 @@ paths:
           enum:
           - Heimdal
           - MIT
-          - other
         description: |+
           KAdmin server type
 
@@ -39806,7 +39805,6 @@ components:
       enum:
       - MIT
       - Heimdal
-      - other
       type: string
     KerberosSource:
       type: object
diff --git a/uv.lock b/uv.lock
index 2db0cf663a..445c18db8d 100644
--- a/uv.lock
+++ b/uv.lock
@@ -393,7 +393,7 @@ requires-dist = [
 [package.metadata.requires-dev]
 dev = [
     { name = "aws-cdk-lib", specifier = "==2.235.0" },
-    { name = "bandit", specifier = "==1.9.2" },
+    { name = "bandit", specifier = "==1.9.3" },
     { name = "black", specifier = "==26.1.0" },
     { name = "bpython", specifier = "==0.26" },
     { name = "codespell", specifier = "==2.4.1" },
@@ -545,7 +545,7 @@ wheels = [
 
 [[package]]
 name = "bandit"
-version = "1.9.2"
+version = "1.9.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "colorama", marker = "sys_platform == 'win32'" },
@@ -553,9 +553,9 @@ dependencies = [
     { name = "rich" },
     { name = "stevedore" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/cf/72/f704a97aac430aeb704fa16435dfa24fbeaf087d46724d0965eb1f756a2c/bandit-1.9.2.tar.gz", hash = "sha256:32410415cd93bf9c8b91972159d5cf1e7f063a9146d70345641cd3877de348ce", size = 4241659, upload-time = "2025-11-23T21:36:18.722Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/89/76/a7f3e639b78601118aaa4a394db2c66ae2597fbd8c39644c32874ed11e0c/bandit-1.9.3.tar.gz", hash = "sha256:ade4b9b7786f89ef6fc7344a52b34558caec5da74cb90373aed01de88472f774", size = 4242154, upload-time = "2026-01-19T04:05:22.802Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/55/1a/5b0320642cca53a473e79c7d273071b5a9a8578f9e370b74da5daa2768d7/bandit-1.9.2-py3-none-any.whl", hash = "sha256:bda8d68610fc33a6e10b7a8f1d61d92c8f6c004051d5e946406be1fb1b16a868", size = 134377, upload-time = "2025-11-23T21:36:17.39Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/0b/8bdc52111c83e2dc2f97403dc87c0830b8989d9ae45732b34b686326fb2c/bandit-1.9.3-py3-none-any.whl", hash = "sha256:4745917c88d2246def79748bde5e08b9d5e9b92f877863d43fab70cd8814ce6a", size = 134451, upload-time = "2026-01-19T04:05:20.938Z" },
 ]
 
 [[package]]