diff --git a/.woodpecker/coordinator.yml b/.woodpecker/coordinator.yml
index 6331e2b..ddfc795 100644
--- a/.woodpecker/coordinator.yml
+++ b/.woodpecker/coordinator.yml
@@ -29,6 +29,7 @@ steps:
       - cd apps/coordinator
       - python -m venv venv
       - . venv/bin/activate
+      - pip install --no-cache-dir --upgrade "pip>=25.3"
       - pip install --no-cache-dir -e ".[dev]"
       - pip install --no-cache-dir bandit pip-audit
 
@@ -52,7 +53,7 @@ steps:
     image: *python_image
     commands:
       - *activate_venv
-      - bandit -r src/ -f screen
+      - bandit -r src/ -c bandit.yaml -f screen
     depends_on:
       - install
 
diff --git a/apps/coordinator/src/config.py b/apps/coordinator/src/config.py
index a2c6b7b..29c75c0 100644
--- a/apps/coordinator/src/config.py
+++ b/apps/coordinator/src/config.py
@@ -21,7 +21,8 @@ class Settings(BaseSettings):
     anthropic_api_key: str
 
     # Server Configuration
-    host: str = "0.0.0.0"  # nosec B104 — Container-bound: listen on all interfaces inside Docker
+    # Container-bound: listen on all interfaces inside Docker
+    host: str = "0.0.0.0"  # nosec B104
     port: int = 8000
 
     # Logging
diff --git a/apps/coordinator/src/telemetry.py b/apps/coordinator/src/telemetry.py
index f21f3bd..e2ec7c2 100644
--- a/apps/coordinator/src/telemetry.py
+++ b/apps/coordinator/src/telemetry.py
@@ -139,7 +139,8 @@ class TelemetryService:
         if self._tracer is None:
             # Initialize if not already done
             self.initialize()
-        assert self._tracer is not None  # nosec B101 — Type narrowing after None guard
+        # Type narrowing after None guard
+        assert self._tracer is not None  # nosec B101
         return self._tracer
 
     def shutdown(self) -> None: