diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
new file mode 100644
index 0000000..c255378
--- /dev/null
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,49 @@
+---
+# Codacy Rules
+Configuration for AI behavior when interacting with Codacy's MCP Server
+
+## After ANY successful `edit_file` or `reapply` operation
+- YOU MUST IMMEDIATELY run the `codacy_cli_analyze` tool from Codacy's MCP Server for each file that was edited, with:
+ - `rootPath`: set to the workspace path
+ - `file`: set to the path of the edited file
+ - `tool`: leave empty or unset
+- If any issues are found in the new edits, propose and apply fixes for them.
+- > NOTE: Failure to follow this rule is considered a critical error.
+
+## CRITICAL: Dependencies and Security Checks
+- IMMEDIATELY after ANY of these actions:
+ - Running npm/yarn/pnpm install
+ - Adding dependencies to package.json
+ - Adding requirements to requirements.txt
+ - Adding dependencies to pom.xml
+ - Adding dependencies to build.gradle
+ - Any other package manager operations
+- You MUST run the `codacy_cli_analyze` tool with:
+ - `rootPath`: set to the workspace path
+ - `tool`: set to "trivy"
+ - `file`: leave empty or unset
+- If any vulnerabilities are found because of the newly added packages:
+ - Stop all other operations
+ - Propose and apply fixes for the security issues
+ - Only continue with the original task after security issues are resolved
+- EXAMPLE:
+ - After: npm install react-markdown
+ - Do: Run codacy_cli_analyze with trivy
+ - Before: Continuing with any other tasks
+
+## General
+- Repeat the relevant steps for each modified file.
+- "Propose fixes" means to both suggest and, if possible, automatically apply the fixes.
+- You MUST NOT wait for the user to ask for analysis or remind you to run the tool.
+- Do not run `codacy_cli_analyze` looking for changes in duplicated code or code complexity metrics.
+- Do not run `codacy_cli_analyze` looking for changes in code coverage.
+- Do not try to manually install Codacy CLI using either brew, npm, npx, or any other package manager.
+- If the Codacy CLI is not installed, just run the `codacy_cli_analyze` tool from Codacy's MCP Server.
+- When calling `codacy_cli_analyze`, only send provider, organization and repository if the project is a git repository.
+
+## Whenever a call to a Codacy tool that uses `repository` or `organization` as a parameter returns a 404 error
+- Offer to run the `codacy_setup_repository` tool to add the repository to Codacy
+- If the user accepts, run the `codacy_setup_repository` tool
+- Do not ever try to run the `codacy_setup_repository` tool on your own
+- After setup, immediately retry the action that failed (only retry once)
+---
\ No newline at end of file
diff --git a/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala b/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala
index 439e6f2..c752ac9 100644
--- a/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala
+++ b/doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala
@@ -70,6 +70,7 @@ object BlacklistDocTransformer extends IPatternDocTransformer {
           Level.Warn,
           Pattern.Category.Security,
           SecuritySubcategories.get(patternIdCapitalized),
+          Some(Pattern.ScanType.SAST),
           Set.empty,
           Set.empty,
           enabled = DefaultPatterns.list.contains(patternIdCapitalized.value)
diff --git a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
index c780f86..45a05c7 100644
--- a/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
+++ b/doc-generator/src/main/scala/docs/transformers/PluginsDocGenerator.scala
@@ -4,7 +4,7 @@ import docs.transformers.utils.HtmlLoader
 
 import scala.xml._
 import better.files._
-import com.codacy.plugins.api.results.Pattern.Category
+import com.codacy.plugins.api.results.Pattern.{Category, Scantype}
 import com.codacy.plugins.api.results.Result.Level
 import com.codacy.plugins.api.results.Pattern
 import docs.{DefaultPatterns, SecuritySubcategories}
@@ -52,7 +52,7 @@ object PluginsDocTransformer extends IPatternDocTransformer {
       divs <- htmlPluginsDocs
       if (divs \@ "id").startsWith(patternId.value.toLowerCase())
       divsChildren <- divs.child.filter { node =>
-        val l = node.labels
+        val l = node.label
         l == "h1" || l == "h2" || l == "p"
       }
     } yield divsChildren
@@ -80,6 +80,8 @@ object PluginsDocTransformer extends IPatternDocTransformer {
         severity,
         Category.Security,
         SecuritySubcategories.get(patternIdCapitalized),
+        Some(ScanType.SAST),
+        Set.empty,
         Set.empty,
         enabled = DefaultPatterns.list.contains(patternIdCapitalized.value)
       )
diff --git a/docs/description/B613.md b/docs/description/B613.md
new file mode 100644
index 0000000..1fdd279
--- /dev/null
+++ b/docs/description/B613.md
@@ -0,0 +1,162 @@
+<a href="../index.html" class="icon icon-home" shape="rect">Bandit</a>
+
+- <a href="../start.html" class="reference internal" shape="rect">Getting
+  Started</a>
+- <a href="../config.html" class="reference internal"
+  shape="rect">Configuration</a>
+- <a href="../integrations.html" class="reference internal"
+  shape="rect">Integrations</a>
+- <a href="index.html" class="reference internal" shape="rect">Test
+  Plugins</a>
+  - <a href="index.html#writing-tests" class="reference internal"
+    shape="rect">Writing Tests</a>
+  - <a href="index.html#config-generation" class="reference internal"
+    shape="rect">Config Generation</a>
+  - <a href="index.html#example-test-plugin" class="reference internal"
+    shape="rect">Example Test Plugin</a>
+  - <a href="index.html#plugin-id-groupings" class="reference internal"
+    shape="rect">Plugin ID Groupings</a>
+  - <a href="index.html#complete-test-plugin-listing"
+    class="reference internal" shape="rect">Complete Test Plugin Listing</a>
+    - <a href="b101_assert_used.html" class="reference internal"
+      shape="rect">B101: assert_used</a>
+    - <a href="b102_exec_used.html" class="reference internal"
+      shape="rect">B102: exec_used</a>
+    - <a href="b103_set_bad_file_permissions.html" class="reference internal"
+      shape="rect">B103: set_bad_file_permissions</a>
+    - <a href="b104_hardcoded_bind_all_interfaces.html"
+      class="reference internal" shape="rect">B104:
+      hardcoded_bind_all_interfaces</a>
+    - <a href="b105_hardcoded_password_string.html" class="reference internal"
+      shape="rect">B105: hardcoded_password_string</a>
+    - <a href="b106_hardcoded_password_funcarg.html"
+      class="reference internal" shape="rect">B106:
+      hardcoded_password_funcarg</a>
+    - <a href="b107_hardcoded_password_default.html"
+      class="reference internal" shape="rect">B107:
+      hardcoded_password_default</a>
+    - <a href="b108_hardcoded_tmp_directory.html" class="reference internal"
+      shape="rect">B108: hardcoded_tmp_directory</a>
+    - <a href="b109_password_config_option_not_marked_secret.html"
+      class="reference internal" shape="rect">B109:
+      password_config_option_not_marked_secret</a>
+    - <a href="b110_try_except_pass.html" class="reference internal"
+      shape="rect">B110: try_except_pass</a>
+    - <a href="b111_execute_with_run_as_root_equals_true.html"
+      class="reference internal" shape="rect">B111:
+      execute_with_run_as_root_equals_true</a>
+    - <a href="b112_try_except_continue.html" class="reference internal"
+      shape="rect">B112: try_except_continue</a>
+    - <a href="b113_request_without_timeout.html" class="reference internal"
+      shape="rect">B113: request_without_timeout</a>
+    - <a href="b201_flask_debug_true.html" class="reference internal"
+      shape="rect">B201: flask_debug_true</a>
+    - <a href="b202_tarfile_unsafe_members.html" class="reference internal"
+      shape="rect">B202: tarfile_unsafe_members</a>
+    - <a href="b324_hashlib.html" class="reference internal"
+      shape="rect">B324: hashlib</a>
+    - <a href="b501_request_with_no_cert_validation.html"
+      class="reference internal" shape="rect">B501:
+      request_with_no_cert_validation</a>
+    - <a href="b502_ssl_with_bad_version.html" class="reference internal"
+      shape="rect">B502: ssl_with_bad_version</a>
+    - <a href="b503_ssl_with_bad_defaults.html" class="reference internal"
+      shape="rect">B503: ssl_with_bad_defaults</a>
+    - <a href="b504_ssl_with_no_version.html" class="reference internal"
+      shape="rect">B504: ssl_with_no_version</a>
+    - <a href="b505_weak_cryptographic_key.html" class="reference internal"
+      shape="rect">B505: weak_cryptographic_key</a>
+    - <a href="b506_yaml_load.html" class="reference internal"
+      shape="rect">B506: yaml_load</a>
+    - <a href="b507_ssh_no_host_key_verification.html"
+      class="reference internal" shape="rect">B507:
+      ssh_no_host_key_verification</a>
+    - <a href="b508_snmp_insecure_version.html" class="reference internal"
+      shape="rect">B508: snmp_insecure_version</a>
+    - <a href="b509_snmp_weak_cryptography.html" class="reference internal"
+      shape="rect">B509: snmp_weak_cryptography</a>
+    - <a href="b601_paramiko_calls.html" class="reference internal"
+      shape="rect">B601: paramiko_calls</a>
+    - <a href="b602_subprocess_popen_with_shell_equals_true.html"
+      class="reference internal" shape="rect">B602:
+      subprocess_popen_with_shell_equals_true</a>
+    - <a href="b603_subprocess_without_shell_equals_true.html"
+      class="reference internal" shape="rect">B603:
+      subprocess_without_shell_equals_true</a>
+    - <a href="b604_any_other_function_with_shell_equals_true.html"
+      class="reference internal" shape="rect">B604:
+      any_other_function_with_shell_equals_true</a>
+    - <a href="b605_start_process_with_a_shell.html"
+      class="reference internal" shape="rect">B605:
+      start_process_with_a_shell</a>
+    - <a href="b606_start_process_with_no_shell.html"
+      class="reference internal" shape="rect">B606:
+      start_process_with_no_shell</a>
+    - <a href="b607_start_process_with_partial_path.html"
+      class="reference internal" shape="rect">B607:
+      start_process_with_partial_path</a>
+    - <a href="b608_hardcoded_sql_expressions.html" class="reference internal"
+      shape="rect">B608: hardcoded_sql_expressions</a>
+    - <a href="b609_linux_commands_wildcard_injection.html"
+      class="reference internal" shape="rect">B609:
+      linux_commands_wildcard_injection</a>
+    - <a href="b610_django_extra_used.html" class="reference internal"
+      shape="rect">B610: django_extra_used</a>
+    - <a href="b611_django_rawsql_used.html" class="reference internal"
+      shape="rect">B611: django_rawsql_used</a>
+    - <a href="b612_logging_config_insecure_listen.html"
+      class="reference internal" shape="rect">B612:
+      logging_config_insecure_listen</a>
+    - <a href="#" class="current reference internal" shape="rect">B613:
+      trojansource</a>
+    - <a href="b614_pytorch_load.html" class="reference internal"
+      shape="rect">B614: pytorch_load</a>
+    - <a href="b615_huggingface_unsafe_download.html"
+      class="reference internal" shape="rect">B615:
+      huggingface_unsafe_download</a>
+    - <a href="b701_jinja2_autoescape_false.html" class="reference internal"
+      shape="rect">B701: jinja2_autoescape_false</a>
+    - <a href="b702_use_of_mako_templates.html" class="reference internal"
+      shape="rect">B702: use_of_mako_templates</a>
+    - <a href="b703_django_mark_safe.html" class="reference internal"
+      shape="rect">B703: django_mark_safe</a>
+    - <a href="b704_markupsafe_markup_xss.html" class="reference internal"
+      shape="rect">B704: markupsafe_markup_xss</a>
+- <a href="../blacklists/index.html" class="reference internal"
+  shape="rect">Blacklist Plugins</a>
+- <a href="../formatters/index.html" class="reference internal"
+  shape="rect">Report Formatters</a>
+- <a href="../ci-cd/index.html" class="reference internal"
+  shape="rect">Continuous Integration and Deployment (CI/CD)</a>
+- <a href="../faq.html" class="reference internal" shape="rect">Frequently
+  Asked Questions</a>
+
+<a href="../index.html" shape="rect">Bandit</a>
+
+- <a href="../index.html" class="icon icon-home" aria-label="Home"
+  shape="rect"></a>
+- <a href="index.html" shape="rect">Test Plugins</a>
+- B613: trojansource
+- <a href="../_sources/plugins/b613_trojansource.rst.txt" rel="nofollow"
+  shape="rect">View page source</a>
+
+------------------------------------------------------------------------
+
+# B613: trojansource<a href="#b613-trojansource" class="headerlink" shape="rect"
+title="Link to this heading"></a>
+
+<a href="b612_logging_config_insecure_listen.html"
+class="btn btn-neutral float-left" rel="prev" accesskey="p" shape="rect"
+title="B612: logging_config_insecure_listen">Previous</a>
+<a href="b614_pytorch_load.html" class="btn btn-neutral float-right"
+rel="next" accesskey="n" shape="rect"
+title="B614: pytorch_load">Next</a>
+
+------------------------------------------------------------------------
+
+© Copyright 2025, Bandit Developers.
+
+Built with <a href="https://www.sphinx-doc.org/" shape="rect">Sphinx</a>
+using a <a href="https://github.com/readthedocs/sphinx_rtd_theme"
+shape="rect">theme</a> provided by
+<a href="https://readthedocs.org" shape="rect">Read the Docs</a>.
diff --git a/docs/description/B614.md b/docs/description/B614.md
new file mode 100644
index 0000000..3538e5a
--- /dev/null
+++ b/docs/description/B614.md
@@ -0,0 +1,162 @@
+<a href="../index.html" class="icon icon-home" shape="rect">Bandit</a>
+
+- <a href="../start.html" class="reference internal" shape="rect">Getting
+  Started</a>
+- <a href="../config.html" class="reference internal"
+  shape="rect">Configuration</a>
+- <a href="../integrations.html" class="reference internal"
+  shape="rect">Integrations</a>
+- <a href="index.html" class="reference internal" shape="rect">Test
+  Plugins</a>
+  - <a href="index.html#writing-tests" class="reference internal"
+    shape="rect">Writing Tests</a>
+  - <a href="index.html#config-generation" class="reference internal"
+    shape="rect">Config Generation</a>
+  - <a href="index.html#example-test-plugin" class="reference internal"
+    shape="rect">Example Test Plugin</a>
+  - <a href="index.html#plugin-id-groupings" class="reference internal"
+    shape="rect">Plugin ID Groupings</a>
+  - <a href="index.html#complete-test-plugin-listing"
+    class="reference internal" shape="rect">Complete Test Plugin Listing</a>
+    - <a href="b101_assert_used.html" class="reference internal"
+      shape="rect">B101: assert_used</a>
+    - <a href="b102_exec_used.html" class="reference internal"
+      shape="rect">B102: exec_used</a>
+    - <a href="b103_set_bad_file_permissions.html" class="reference internal"
+      shape="rect">B103: set_bad_file_permissions</a>
+    - <a href="b104_hardcoded_bind_all_interfaces.html"
+      class="reference internal" shape="rect">B104:
+      hardcoded_bind_all_interfaces</a>
+    - <a href="b105_hardcoded_password_string.html" class="reference internal"
+      shape="rect">B105: hardcoded_password_string</a>
+    - <a href="b106_hardcoded_password_funcarg.html"
+      class="reference internal" shape="rect">B106:
+      hardcoded_password_funcarg</a>
+    - <a href="b107_hardcoded_password_default.html"
+      class="reference internal" shape="rect">B107:
+      hardcoded_password_default</a>
+    - <a href="b108_hardcoded_tmp_directory.html" class="reference internal"
+      shape="rect">B108: hardcoded_tmp_directory</a>
+    - <a href="b109_password_config_option_not_marked_secret.html"
+      class="reference internal" shape="rect">B109:
+      password_config_option_not_marked_secret</a>
+    - <a href="b110_try_except_pass.html" class="reference internal"
+      shape="rect">B110: try_except_pass</a>
+    - <a href="b111_execute_with_run_as_root_equals_true.html"
+      class="reference internal" shape="rect">B111:
+      execute_with_run_as_root_equals_true</a>
+    - <a href="b112_try_except_continue.html" class="reference internal"
+      shape="rect">B112: try_except_continue</a>
+    - <a href="b113_request_without_timeout.html" class="reference internal"
+      shape="rect">B113: request_without_timeout</a>
+    - <a href="b201_flask_debug_true.html" class="reference internal"
+      shape="rect">B201: flask_debug_true</a>
+    - <a href="b202_tarfile_unsafe_members.html" class="reference internal"
+      shape="rect">B202: tarfile_unsafe_members</a>
+    - <a href="b324_hashlib.html" class="reference internal"
+      shape="rect">B324: hashlib</a>
+    - <a href="b501_request_with_no_cert_validation.html"
+      class="reference internal" shape="rect">B501:
+      request_with_no_cert_validation</a>
+    - <a href="b502_ssl_with_bad_version.html" class="reference internal"
+      shape="rect">B502: ssl_with_bad_version</a>
+    - <a href="b503_ssl_with_bad_defaults.html" class="reference internal"
+      shape="rect">B503: ssl_with_bad_defaults</a>
+    - <a href="b504_ssl_with_no_version.html" class="reference internal"
+      shape="rect">B504: ssl_with_no_version</a>
+    - <a href="b505_weak_cryptographic_key.html" class="reference internal"
+      shape="rect">B505: weak_cryptographic_key</a>
+    - <a href="b506_yaml_load.html" class="reference internal"
+      shape="rect">B506: yaml_load</a>
+    - <a href="b507_ssh_no_host_key_verification.html"
+      class="reference internal" shape="rect">B507:
+      ssh_no_host_key_verification</a>
+    - <a href="b508_snmp_insecure_version.html" class="reference internal"
+      shape="rect">B508: snmp_insecure_version</a>
+    - <a href="b509_snmp_weak_cryptography.html" class="reference internal"
+      shape="rect">B509: snmp_weak_cryptography</a>
+    - <a href="b601_paramiko_calls.html" class="reference internal"
+      shape="rect">B601: paramiko_calls</a>
+    - <a href="b602_subprocess_popen_with_shell_equals_true.html"
+      class="reference internal" shape="rect">B602:
+      subprocess_popen_with_shell_equals_true</a>
+    - <a href="b603_subprocess_without_shell_equals_true.html"
+      class="reference internal" shape="rect">B603:
+      subprocess_without_shell_equals_true</a>
+    - <a href="b604_any_other_function_with_shell_equals_true.html"
+      class="reference internal" shape="rect">B604:
+      any_other_function_with_shell_equals_true</a>
+    - <a href="b605_start_process_with_a_shell.html"
+      class="reference internal" shape="rect">B605:
+      start_process_with_a_shell</a>
+    - <a href="b606_start_process_with_no_shell.html"
+      class="reference internal" shape="rect">B606:
+      start_process_with_no_shell</a>
+    - <a href="b607_start_process_with_partial_path.html"
+      class="reference internal" shape="rect">B607:
+      start_process_with_partial_path</a>
+    - <a href="b608_hardcoded_sql_expressions.html" class="reference internal"
+      shape="rect">B608: hardcoded_sql_expressions</a>
+    - <a href="b609_linux_commands_wildcard_injection.html"
+      class="reference internal" shape="rect">B609:
+      linux_commands_wildcard_injection</a>
+    - <a href="b610_django_extra_used.html" class="reference internal"
+      shape="rect">B610: django_extra_used</a>
+    - <a href="b611_django_rawsql_used.html" class="reference internal"
+      shape="rect">B611: django_rawsql_used</a>
+    - <a href="b612_logging_config_insecure_listen.html"
+      class="reference internal" shape="rect">B612:
+      logging_config_insecure_listen</a>
+    - <a href="b613_trojansource.html" class="reference internal"
+      shape="rect">B613: trojansource</a>
+    - <a href="#" class="current reference internal" shape="rect">B614:
+      pytorch_load</a>
+    - <a href="b615_huggingface_unsafe_download.html"
+      class="reference internal" shape="rect">B615:
+      huggingface_unsafe_download</a>
+    - <a href="b701_jinja2_autoescape_false.html" class="reference internal"
+      shape="rect">B701: jinja2_autoescape_false</a>
+    - <a href="b702_use_of_mako_templates.html" class="reference internal"
+      shape="rect">B702: use_of_mako_templates</a>
+    - <a href="b703_django_mark_safe.html" class="reference internal"
+      shape="rect">B703: django_mark_safe</a>
+    - <a href="b704_markupsafe_markup_xss.html" class="reference internal"
+      shape="rect">B704: markupsafe_markup_xss</a>
+- <a href="../blacklists/index.html" class="reference internal"
+  shape="rect">Blacklist Plugins</a>
+- <a href="../formatters/index.html" class="reference internal"
+  shape="rect">Report Formatters</a>
+- <a href="../ci-cd/index.html" class="reference internal"
+  shape="rect">Continuous Integration and Deployment (CI/CD)</a>
+- <a href="../faq.html" class="reference internal" shape="rect">Frequently
+  Asked Questions</a>
+
+<a href="../index.html" shape="rect">Bandit</a>
+
+- <a href="../index.html" class="icon icon-home" aria-label="Home"
+  shape="rect"></a>
+- <a href="index.html" shape="rect">Test Plugins</a>
+- B614: pytorch_load
+- <a href="../_sources/plugins/b614_pytorch_load.rst.txt" rel="nofollow"
+  shape="rect">View page source</a>
+
+------------------------------------------------------------------------
+
+# B614: pytorch_load<a href="#b614-pytorch-load" class="headerlink" shape="rect"
+title="Link to this heading"></a>
+
+<a href="b613_trojansource.html" class="btn btn-neutral float-left"
+rel="prev" accesskey="p" shape="rect"
+title="B613: trojansource">Previous</a>
+<a href="b615_huggingface_unsafe_download.html"
+class="btn btn-neutral float-right" rel="next" accesskey="n"
+shape="rect" title="B615: huggingface_unsafe_download">Next</a>
+
+------------------------------------------------------------------------
+
+© Copyright 2025, Bandit Developers.
+
+Built with <a href="https://www.sphinx-doc.org/" shape="rect">Sphinx</a>
+using a <a href="https://github.com/readthedocs/sphinx_rtd_theme"
+shape="rect">theme</a> provided by
+<a href="https://readthedocs.org" shape="rect">Read the Docs</a>.
diff --git a/docs/description/B615.md b/docs/description/B615.md
new file mode 100644
index 0000000..e905ea0
--- /dev/null
+++ b/docs/description/B615.md
@@ -0,0 +1,161 @@
+<a href="../index.html" class="icon icon-home" shape="rect">Bandit</a>
+
+- <a href="../start.html" class="reference internal" shape="rect">Getting
+  Started</a>
+- <a href="../config.html" class="reference internal"
+  shape="rect">Configuration</a>
+- <a href="../integrations.html" class="reference internal"
+  shape="rect">Integrations</a>
+- <a href="index.html" class="reference internal" shape="rect">Test
+  Plugins</a>
+  - <a href="index.html#writing-tests" class="reference internal"
+    shape="rect">Writing Tests</a>
+  - <a href="index.html#config-generation" class="reference internal"
+    shape="rect">Config Generation</a>
+  - <a href="index.html#example-test-plugin" class="reference internal"
+    shape="rect">Example Test Plugin</a>
+  - <a href="index.html#plugin-id-groupings" class="reference internal"
+    shape="rect">Plugin ID Groupings</a>
+  - <a href="index.html#complete-test-plugin-listing"
+    class="reference internal" shape="rect">Complete Test Plugin Listing</a>
+    - <a href="b101_assert_used.html" class="reference internal"
+      shape="rect">B101: assert_used</a>
+    - <a href="b102_exec_used.html" class="reference internal"
+      shape="rect">B102: exec_used</a>
+    - <a href="b103_set_bad_file_permissions.html" class="reference internal"
+      shape="rect">B103: set_bad_file_permissions</a>
+    - <a href="b104_hardcoded_bind_all_interfaces.html"
+      class="reference internal" shape="rect">B104:
+      hardcoded_bind_all_interfaces</a>
+    - <a href="b105_hardcoded_password_string.html" class="reference internal"
+      shape="rect">B105: hardcoded_password_string</a>
+    - <a href="b106_hardcoded_password_funcarg.html"
+      class="reference internal" shape="rect">B106:
+      hardcoded_password_funcarg</a>
+    - <a href="b107_hardcoded_password_default.html"
+      class="reference internal" shape="rect">B107:
+      hardcoded_password_default</a>
+    - <a href="b108_hardcoded_tmp_directory.html" class="reference internal"
+      shape="rect">B108: hardcoded_tmp_directory</a>
+    - <a href="b109_password_config_option_not_marked_secret.html"
+      class="reference internal" shape="rect">B109:
+      password_config_option_not_marked_secret</a>
+    - <a href="b110_try_except_pass.html" class="reference internal"
+      shape="rect">B110: try_except_pass</a>
+    - <a href="b111_execute_with_run_as_root_equals_true.html"
+      class="reference internal" shape="rect">B111:
+      execute_with_run_as_root_equals_true</a>
+    - <a href="b112_try_except_continue.html" class="reference internal"
+      shape="rect">B112: try_except_continue</a>
+    - <a href="b113_request_without_timeout.html" class="reference internal"
+      shape="rect">B113: request_without_timeout</a>
+    - <a href="b201_flask_debug_true.html" class="reference internal"
+      shape="rect">B201: flask_debug_true</a>
+    - <a href="b202_tarfile_unsafe_members.html" class="reference internal"
+      shape="rect">B202: tarfile_unsafe_members</a>
+    - <a href="b324_hashlib.html" class="reference internal"
+      shape="rect">B324: hashlib</a>
+    - <a href="b501_request_with_no_cert_validation.html"
+      class="reference internal" shape="rect">B501:
+      request_with_no_cert_validation</a>
+    - <a href="b502_ssl_with_bad_version.html" class="reference internal"
+      shape="rect">B502: ssl_with_bad_version</a>
+    - <a href="b503_ssl_with_bad_defaults.html" class="reference internal"
+      shape="rect">B503: ssl_with_bad_defaults</a>
+    - <a href="b504_ssl_with_no_version.html" class="reference internal"
+      shape="rect">B504: ssl_with_no_version</a>
+    - <a href="b505_weak_cryptographic_key.html" class="reference internal"
+      shape="rect">B505: weak_cryptographic_key</a>
+    - <a href="b506_yaml_load.html" class="reference internal"
+      shape="rect">B506: yaml_load</a>
+    - <a href="b507_ssh_no_host_key_verification.html"
+      class="reference internal" shape="rect">B507:
+      ssh_no_host_key_verification</a>
+    - <a href="b508_snmp_insecure_version.html" class="reference internal"
+      shape="rect">B508: snmp_insecure_version</a>
+    - <a href="b509_snmp_weak_cryptography.html" class="reference internal"
+      shape="rect">B509: snmp_weak_cryptography</a>
+    - <a href="b601_paramiko_calls.html" class="reference internal"
+      shape="rect">B601: paramiko_calls</a>
+    - <a href="b602_subprocess_popen_with_shell_equals_true.html"
+      class="reference internal" shape="rect">B602:
+      subprocess_popen_with_shell_equals_true</a>
+    - <a href="b603_subprocess_without_shell_equals_true.html"
+      class="reference internal" shape="rect">B603:
+      subprocess_without_shell_equals_true</a>
+    - <a href="b604_any_other_function_with_shell_equals_true.html"
+      class="reference internal" shape="rect">B604:
+      any_other_function_with_shell_equals_true</a>
+    - <a href="b605_start_process_with_a_shell.html"
+      class="reference internal" shape="rect">B605:
+      start_process_with_a_shell</a>
+    - <a href="b606_start_process_with_no_shell.html"
+      class="reference internal" shape="rect">B606:
+      start_process_with_no_shell</a>
+    - <a href="b607_start_process_with_partial_path.html"
+      class="reference internal" shape="rect">B607:
+      start_process_with_partial_path</a>
+    - <a href="b608_hardcoded_sql_expressions.html" class="reference internal"
+      shape="rect">B608: hardcoded_sql_expressions</a>
+    - <a href="b609_linux_commands_wildcard_injection.html"
+      class="reference internal" shape="rect">B609:
+      linux_commands_wildcard_injection</a>
+    - <a href="b610_django_extra_used.html" class="reference internal"
+      shape="rect">B610: django_extra_used</a>
+    - <a href="b611_django_rawsql_used.html" class="reference internal"
+      shape="rect">B611: django_rawsql_used</a>
+    - <a href="b612_logging_config_insecure_listen.html"
+      class="reference internal" shape="rect">B612:
+      logging_config_insecure_listen</a>
+    - <a href="b613_trojansource.html" class="reference internal"
+      shape="rect">B613: trojansource</a>
+    - <a href="b614_pytorch_load.html" class="reference internal"
+      shape="rect">B614: pytorch_load</a>
+    - <a href="#" class="current reference internal" shape="rect">B615:
+      huggingface_unsafe_download</a>
+    - <a href="b701_jinja2_autoescape_false.html" class="reference internal"
+      shape="rect">B701: jinja2_autoescape_false</a>
+    - <a href="b702_use_of_mako_templates.html" class="reference internal"
+      shape="rect">B702: use_of_mako_templates</a>
+    - <a href="b703_django_mark_safe.html" class="reference internal"
+      shape="rect">B703: django_mark_safe</a>
+    - <a href="b704_markupsafe_markup_xss.html" class="reference internal"
+      shape="rect">B704: markupsafe_markup_xss</a>
+- <a href="../blacklists/index.html" class="reference internal"
+  shape="rect">Blacklist Plugins</a>
+- <a href="../formatters/index.html" class="reference internal"
+  shape="rect">Report Formatters</a>
+- <a href="../ci-cd/index.html" class="reference internal"
+  shape="rect">Continuous Integration and Deployment (CI/CD)</a>
+- <a href="../faq.html" class="reference internal" shape="rect">Frequently
+  Asked Questions</a>
+
+<a href="../index.html" shape="rect">Bandit</a>
+
+- <a href="../index.html" class="icon icon-home" aria-label="Home"
+  shape="rect"></a>
+- <a href="index.html" shape="rect">Test Plugins</a>
+- B615: huggingface_unsafe_download
+- <a href="../_sources/plugins/b615_huggingface_unsafe_download.rst.txt"
+  rel="nofollow" shape="rect">View page source</a>
+
+------------------------------------------------------------------------
+
+# B615: huggingface_unsafe_download<a href="#b615-huggingface-unsafe-download" class="headerlink"
+shape="rect" title="Link to this heading"></a>
+
+<a href="b614_pytorch_load.html" class="btn btn-neutral float-left"
+rel="prev" accesskey="p" shape="rect"
+title="B614: pytorch_load">Previous</a>
+<a href="b701_jinja2_autoescape_false.html"
+class="btn btn-neutral float-right" rel="next" accesskey="n"
+shape="rect" title="B701: jinja2_autoescape_false">Next</a>
+
+------------------------------------------------------------------------
+
+© Copyright 2025, Bandit Developers.
+
+Built with <a href="https://www.sphinx-doc.org/" shape="rect">Sphinx</a>
+using a <a href="https://github.com/readthedocs/sphinx_rtd_theme"
+shape="rect">theme</a> provided by
+<a href="https://readthedocs.org" shape="rect">Read the Docs</a>.
diff --git a/docs/description/B704.md b/docs/description/B704.md
new file mode 100644
index 0000000..f024bf6
--- /dev/null
+++ b/docs/description/B704.md
@@ -0,0 +1,161 @@
+<a href="../index.html" class="icon icon-home" shape="rect">Bandit</a>
+
+- <a href="../start.html" class="reference internal" shape="rect">Getting
+  Started</a>
+- <a href="../config.html" class="reference internal"
+  shape="rect">Configuration</a>
+- <a href="../integrations.html" class="reference internal"
+  shape="rect">Integrations</a>
+- <a href="index.html" class="reference internal" shape="rect">Test
+  Plugins</a>
+  - <a href="index.html#writing-tests" class="reference internal"
+    shape="rect">Writing Tests</a>
+  - <a href="index.html#config-generation" class="reference internal"
+    shape="rect">Config Generation</a>
+  - <a href="index.html#example-test-plugin" class="reference internal"
+    shape="rect">Example Test Plugin</a>
+  - <a href="index.html#plugin-id-groupings" class="reference internal"
+    shape="rect">Plugin ID Groupings</a>
+  - <a href="index.html#complete-test-plugin-listing"
+    class="reference internal" shape="rect">Complete Test Plugin Listing</a>
+    - <a href="b101_assert_used.html" class="reference internal"
+      shape="rect">B101: assert_used</a>
+    - <a href="b102_exec_used.html" class="reference internal"
+      shape="rect">B102: exec_used</a>
+    - <a href="b103_set_bad_file_permissions.html" class="reference internal"
+      shape="rect">B103: set_bad_file_permissions</a>
+    - <a href="b104_hardcoded_bind_all_interfaces.html"
+      class="reference internal" shape="rect">B104:
+      hardcoded_bind_all_interfaces</a>
+    - <a href="b105_hardcoded_password_string.html" class="reference internal"
+      shape="rect">B105: hardcoded_password_string</a>
+    - <a href="b106_hardcoded_password_funcarg.html"
+      class="reference internal" shape="rect">B106:
+      hardcoded_password_funcarg</a>
+    - <a href="b107_hardcoded_password_default.html"
+      class="reference internal" shape="rect">B107:
+      hardcoded_password_default</a>
+    - <a href="b108_hardcoded_tmp_directory.html" class="reference internal"
+      shape="rect">B108: hardcoded_tmp_directory</a>
+    - <a href="b109_password_config_option_not_marked_secret.html"
+      class="reference internal" shape="rect">B109:
+      password_config_option_not_marked_secret</a>
+    - <a href="b110_try_except_pass.html" class="reference internal"
+      shape="rect">B110: try_except_pass</a>
+    - <a href="b111_execute_with_run_as_root_equals_true.html"
+      class="reference internal" shape="rect">B111:
+      execute_with_run_as_root_equals_true</a>
+    - <a href="b112_try_except_continue.html" class="reference internal"
+      shape="rect">B112: try_except_continue</a>
+    - <a href="b113_request_without_timeout.html" class="reference internal"
+      shape="rect">B113: request_without_timeout</a>
+    - <a href="b201_flask_debug_true.html" class="reference internal"
+      shape="rect">B201: flask_debug_true</a>
+    - <a href="b202_tarfile_unsafe_members.html" class="reference internal"
+      shape="rect">B202: tarfile_unsafe_members</a>
+    - <a href="b324_hashlib.html" class="reference internal"
+      shape="rect">B324: hashlib</a>
+    - <a href="b501_request_with_no_cert_validation.html"
+      class="reference internal" shape="rect">B501:
+      request_with_no_cert_validation</a>
+    - <a href="b502_ssl_with_bad_version.html" class="reference internal"
+      shape="rect">B502: ssl_with_bad_version</a>
+    - <a href="b503_ssl_with_bad_defaults.html" class="reference internal"
+      shape="rect">B503: ssl_with_bad_defaults</a>
+    - <a href="b504_ssl_with_no_version.html" class="reference internal"
+      shape="rect">B504: ssl_with_no_version</a>
+    - <a href="b505_weak_cryptographic_key.html" class="reference internal"
+      shape="rect">B505: weak_cryptographic_key</a>
+    - <a href="b506_yaml_load.html" class="reference internal"
+      shape="rect">B506: yaml_load</a>
+    - <a href="b507_ssh_no_host_key_verification.html"
+      class="reference internal" shape="rect">B507:
+      ssh_no_host_key_verification</a>
+    - <a href="b508_snmp_insecure_version.html" class="reference internal"
+      shape="rect">B508: snmp_insecure_version</a>
+    - <a href="b509_snmp_weak_cryptography.html" class="reference internal"
+      shape="rect">B509: snmp_weak_cryptography</a>
+    - <a href="b601_paramiko_calls.html" class="reference internal"
+      shape="rect">B601: paramiko_calls</a>
+    - <a href="b602_subprocess_popen_with_shell_equals_true.html"
+      class="reference internal" shape="rect">B602:
+      subprocess_popen_with_shell_equals_true</a>
+    - <a href="b603_subprocess_without_shell_equals_true.html"
+      class="reference internal" shape="rect">B603:
+      subprocess_without_shell_equals_true</a>
+    - <a href="b604_any_other_function_with_shell_equals_true.html"
+      class="reference internal" shape="rect">B604:
+      any_other_function_with_shell_equals_true</a>
+    - <a href="b605_start_process_with_a_shell.html"
+      class="reference internal" shape="rect">B605:
+      start_process_with_a_shell</a>
+    - <a href="b606_start_process_with_no_shell.html"
+      class="reference internal" shape="rect">B606:
+      start_process_with_no_shell</a>
+    - <a href="b607_start_process_with_partial_path.html"
+      class="reference internal" shape="rect">B607:
+      start_process_with_partial_path</a>
+    - <a href="b608_hardcoded_sql_expressions.html" class="reference internal"
+      shape="rect">B608: hardcoded_sql_expressions</a>
+    - <a href="b609_linux_commands_wildcard_injection.html"
+      class="reference internal" shape="rect">B609:
+      linux_commands_wildcard_injection</a>
+    - <a href="b610_django_extra_used.html" class="reference internal"
+      shape="rect">B610: django_extra_used</a>
+    - <a href="b611_django_rawsql_used.html" class="reference internal"
+      shape="rect">B611: django_rawsql_used</a>
+    - <a href="b612_logging_config_insecure_listen.html"
+      class="reference internal" shape="rect">B612:
+      logging_config_insecure_listen</a>
+    - <a href="b613_trojansource.html" class="reference internal"
+      shape="rect">B613: trojansource</a>
+    - <a href="b614_pytorch_load.html" class="reference internal"
+      shape="rect">B614: pytorch_load</a>
+    - <a href="b615_huggingface_unsafe_download.html"
+      class="reference internal" shape="rect">B615:
+      huggingface_unsafe_download</a>
+    - <a href="b701_jinja2_autoescape_false.html" class="reference internal"
+      shape="rect">B701: jinja2_autoescape_false</a>
+    - <a href="b702_use_of_mako_templates.html" class="reference internal"
+      shape="rect">B702: use_of_mako_templates</a>
+    - <a href="b703_django_mark_safe.html" class="reference internal"
+      shape="rect">B703: django_mark_safe</a>
+    - <a href="#" class="current reference internal" shape="rect">B704:
+      markupsafe_markup_xss</a>
+- <a href="../blacklists/index.html" class="reference internal"
+  shape="rect">Blacklist Plugins</a>
+- <a href="../formatters/index.html" class="reference internal"
+  shape="rect">Report Formatters</a>
+- <a href="../ci-cd/index.html" class="reference internal"
+  shape="rect">Continuous Integration and Deployment (CI/CD)</a>
+- <a href="../faq.html" class="reference internal" shape="rect">Frequently
+  Asked Questions</a>
+
+<a href="../index.html" shape="rect">Bandit</a>
+
+- <a href="../index.html" class="icon icon-home" aria-label="Home"
+  shape="rect"></a>
+- <a href="index.html" shape="rect">Test Plugins</a>
+- B704: markupsafe_markup_xss
+- <a href="../_sources/plugins/b704_markupsafe_markup_xss.rst.txt"
+  rel="nofollow" shape="rect">View page source</a>
+
+------------------------------------------------------------------------
+
+# B704: markupsafe_markup_xss<a href="#b704-markupsafe-markup-xss" class="headerlink" shape="rect"
+title="Link to this heading"></a>
+
+<a href="b703_django_mark_safe.html" class="btn btn-neutral float-left"
+rel="prev" accesskey="p" shape="rect"
+title="B703: django_mark_safe">Previous</a>
+<a href="../blacklists/index.html" class="btn btn-neutral float-right"
+rel="next" accesskey="n" shape="rect" title="Blacklist Plugins">Next</a>
+
+------------------------------------------------------------------------
+
+© Copyright 2025, Bandit Developers.
+
+Built with <a href="https://www.sphinx-doc.org/" shape="rect">Sphinx</a>
+using a <a href="https://github.com/readthedocs/sphinx_rtd_theme"
+shape="rect">theme</a> provided by
+<a href="https://readthedocs.org" shape="rect">Read the Docs</a>.
diff --git a/requirements.txt b/requirements.txt
index 7e4787d..b055de0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1 @@
-bandit==1.8.3
+bandit==1.8.6