chore: reduce DevSkim false positives and fix Azure SQL bulkcopy test

- Exclude tests/, **/test_*.py, and benchmarks/ from DevSkim scanning
  (localhost in test connection strings is not debug code)
- Suppress DS176209 (TODO comments) — informational, not a security concern
- DS137138 (localhost) left enabled — path exclusions handle test files,
  keeps coverage for accidental localhost in production code
- Fix test_bulkcopy_without_database_parameter: remove USE statement
  which is not supported on Azure SQL Database, use fully qualified
  table names with the default database instead

Author: bewithgaurav

.github/workflows/devskim.yml

@@ -27,6 +27,10 @@ jobs:
 
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@v1
+        with:
+          ignore_globs: "tests/**,**/test_*.py,benchmarks/**"
+          # DS176209: TODO comments — not a security concern
+          ignore_rules_list: "DS176209"
 
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3

tests/test_019_bulkcopy.py

@@ -99,9 +99,6 @@ def test_bulkcopy_without_database_parameter(conn_str):
     parser = _ConnectionStringParser(validate_keywords=False)
     params = parser._parse(conn_str)
 
-    # Save the original database name to use it explicitly in our operations
-    original_database = params.get("database")
-
     # Remove DATABASE parameter if present (case-insensitive, handles all synonyms)
     params.pop("database", None)
 
@@ -119,11 +116,7 @@ def test_bulkcopy_without_database_parameter(conn_str):
         current_db = cursor.fetchone()[0]
         assert current_db is not None, "Should be connected to a database"
 
-        # If original database was specified, switch to it to ensure we have permissions
-        if original_database:
-            cursor.execute(f"USE [{original_database}]")
-
-        # Create test table in the current database
+        # Create test table in the current (default) database
         table_name = "mssql_python_bulkcopy_no_db_test"
         cursor.execute(f"IF OBJECT_ID('{table_name}', 'U') IS NOT NULL DROP TABLE {table_name}")
         cursor.execute(f"CREATE TABLE {table_name} (id INT, name VARCHAR(50), value FLOAT)")
@@ -137,11 +130,9 @@ def test_bulkcopy_without_database_parameter(conn_str):
         ]
 
         # Perform bulkcopy - this should NOT raise ValueError about missing DATABASE
-        # Note: bulkcopy creates its own connection, so we need to use fully qualified table name
-        # if we had a database in the original connection string
-        bulkcopy_table_name = (
-            f"[{original_database}].[dbo].{table_name}" if original_database else table_name
-        )
+        # Use fully qualified name with the actual current database (not the
+        # original one we stripped — that may differ from where we landed).
+        bulkcopy_table_name = f"[{current_db}].[dbo].{table_name}"
         result = cursor.bulkcopy(bulkcopy_table_name, data, timeout=60)
 
         # Verify result
@@ -189,13 +180,15 @@ def test_bulkcopy_with_server_synonyms(conn_str):
 
         # Create table
         cursor.execute(f"DROP TABLE IF EXISTS {table_name}")
-        cursor.execute(f"""
+        cursor.execute(
+            f"""
             CREATE TABLE {table_name} (
                 id INT,
                 name NVARCHAR(50),
                 value FLOAT
             )
-        """)
+        """
+        )
         conn.commit()
 
         # Test data
@@ -236,13 +229,15 @@ def test_bulkcopy_with_server_synonyms(conn_str):
 
         # Create table
         cursor.execute(f"DROP TABLE IF EXISTS {table_name}")
-        cursor.execute(f"""
+        cursor.execute(
+            f"""
             CREATE TABLE {table_name} (
                 id INT,
                 name NVARCHAR(50),
                 value FLOAT
             )
-        """)
+        """
+        )
         conn.commit()
 
         # Test data