Enforce "-I" in Python shebang
**This issue will be made public a few weeks after the 6.11 release.**

In tails/tails-private!2 we added `-I` all over the place to avoid a whole class of security vulnerabilities.

Is there a way to ensure we don't forget to add `-I` to the shebang in newly added Python scripts in the future?

Scope:

* scripts that are included in Tails

Out of scope:

* scripts meant to be run by developers on their own trusted system
* Python library files that are not meant to be executed directly (they are never used, on their own, in any of our privilege raising/dropping code paths)

Note: we already have heuristics, in our GitLab CI setup, to identify Python code (e.g. `git ls-files | ./bin/test-utils/is-file-type filter python` should list all Python files but actually if the new check is written in Python, it should probably use `is-file-type` as a library).
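One possible shape for such a check, as an added example that is not code from the Tails repository: it reads file paths one per line on stdin and fails if any file's first line is a Python shebang that lacks `-I` (isolated mode). It is an assumption that the caller has already narrowed the list to in-scope files; the function names are hypothetical, and it does not use `is-file-type` as a library because that API is not shown here. Files with no shebang, such as library modules, are skipped.

```python
import os
import re
import sys
from itertools import dropwhile

PYTHON_RE = re.compile(r"python(\d+(\.\d+)?)?")  # python, python3, python3.11
ARG_OPTS = "cmWX"  # short options whose argument follows them


def check_shebang(first_line):
    """None: not a Python shebang. True/False: -I present or missing."""
    if not first_line.startswith("#!"):
        return None
    tokens = first_line[2:].split()
    if tokens and os.path.basename(tokens[0]) == "env":
        # Skip env's own options (e.g. -S) and VAR=value assignments.
        tokens = list(dropwhile(lambda t: t[0] == "-" or "=" in t, tokens[1:]))
    if not tokens or not PYTHON_RE.fullmatch(os.path.basename(tokens[0])):
        return None
    args = iter(tokens[1:])
    for opt in args:
        if not opt.startswith("-") or opt.startswith("--"):
            break  # short options end here
        for pos, ch in enumerate(opt[1:], 1):
            if ch == "I":
                return True
            if ch in ARG_OPTS:
                if pos == len(opt) - 1:
                    next(args, None)  # argument is the next token
                break
    return False


def find_violations(paths):
    """Return the paths whose first line is a Python shebang lacking -I."""
    bad = []
    for path in paths:
        with open(path, "rb") as f:
            first = f.readline().decode("utf-8", "replace")
        if check_shebang(first) is False:
            bad.append(path)
    return bad


if __name__ == "__main__":
    # Paths arrive one per line on stdin (assumed output of the file filter).
    bad = find_violations(line.rstrip("\n") for line in sys.stdin if line.strip())
    for path in bad:
        print(f"{path}: Python shebang without -I", file=sys.stderr)
    sys.exit(1 if bad else 0)
```

A `#!/usr/bin/env python3` shebang is reported as a violation because it passes no options to the interpreter; `#!/usr/bin/env -S python3 -I` is accepted.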