chore(dev-tools): port bandit config to ruff (NVIDIA#1033)

cpcloud · web-flow · commit a090753adfa0 · 2025-09-29T14:04:53.000-07:00
* chore(deps): run ruff with config toml

* chore(autofix): ruff formatting

* chore: port bandit config to ruff

* ci: port bandit scan to ruff

* chore: port bandit ignore comments to ruff

* chore: remove bandit from pre-commit config

* chore: let config fall through

* chore: unify bandit config for cuda_pathfinder

* chore(autofix): imports

* ci: compute codes so that we do not have to remember to keep things in sync

* chore: remove unused nosec comments

* chore: set up errors and use uvx

* ci: pass `check` to ruff args

* ci: install uv to pick up uvx

* chore: fix misspelling

* ci: use hash to install setup-uv action

* ci: simplify munging
diff --git a/.bandit b/.bandit
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -19,10 +19,27 @@ jobs:
     permissions:
       security-events: write
     steps:
-      - name: Perform Bandit Analysis
-        # KEEP IN SYNC WITH bandit rev in .pre-commit-config.yaml
-        # Current runner uses Python 3.8, so the action installs bandit==1.7.10
-        # via `pip install bandit[sarif]`. If runner Python moves to >=3.9,
-        # the action will resolve to 1.8.x and you'll need to bump pre-commit.
-        # (Bandit >=1.8.0 dropped Python 3.8 via Requires-Python metadata.)
-        uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de  # v1.0.0
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4  # v6.7.0
+
+      - name: Get ignore codes
+        id: ignore-codes
+        # This are computed so that we can run only the `S` (bandit)
+        # checks. Passing --select to ruff overrides any config files
+        # (ruff.toml, pyproject.toml, etc), so to avoid having keep everything
+        # in sync we grab them from the TOML programmatically
+        run: |
+          set -euxo pipefail
+
+          echo "codes=$(uvx toml2json ./ruff.toml | jq -r '.lint.ignore | map(select(test("^S\\d+"))) | join(",")')" >> "$GITHUB_OUTPUT"
+      - name: Perform Bandit Analysis using Ruff
+        uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1  # v3.5.1
+        with:
+          args: "check --select S --ignore ${{ steps.ignore-codes.outputs.codes }} --output-format sarif --output-file results.sarif"
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -64,14 +64,6 @@ repos:
     - id: rst-directive-colons
     - id: rst-inline-touching-normal
 
-  - repo: https://github.com/PyCQA/bandit
-    rev: "36fd65054fc8864b4037d0918904f9331512feb5"  # frozen: 1.7.10 KEEP IN SYNC WITH .github/workflows/bandit.yml
-    hooks:
-      - id: bandit
-        args:
-          - --ini
-          - .bandit
-
   - repo: https://github.com/pre-commit/mirrors-mypy
     rev: 0f86793af5ef5f6dc63c8d04a3cabfa3ea8f9c6a  # frozen: v1.16.1
     hooks:
diff --git a/cuda_bindings/tests/test_cuda.py b/cuda_bindings/tests/test_cuda.py
@@ -653,7 +653,7 @@ def test_get_error_name_and_string():
 @pytest.mark.skipif(not callableBinary("nvidia-smi"), reason="Binary existance needed")
 def test_device_get_name():
     # TODO: Refactor this test once we have nvml bindings to avoid the use of subprocess
-    import subprocess  # nosec B404
+    import subprocess
 
     (err,) = cuda.cuInit(0)
     assert err == cuda.CUresult.CUDA_SUCCESS
@@ -663,8 +663,10 @@ def test_device_get_name():
     assert err == cuda.CUresult.CUDA_SUCCESS
 
     p = subprocess.check_output(
-        ["nvidia-smi", "--query-gpu=name", "--format=csv,noheader"], shell=False, stderr=subprocess.PIPE
-    )  # nosec B603, B607
+        ["nvidia-smi", "--query-gpu=name", "--format=csv,noheader"],  # noqa: S607
+        shell=False,
+        stderr=subprocess.PIPE,
+    )
 
     delimiter = b"\r\n" if platform.system() == "Windows" else b"\n"
     expect = p.split(delimiter)
diff --git a/cuda_bindings/tests/test_utils.py b/cuda_bindings/tests/test_utils.py
@@ -3,7 +3,7 @@
 
 import platform
 import random
-import subprocess  # nosec B404
+import subprocess
 import sys
 from pathlib import Path
 
@@ -72,7 +72,7 @@ def test_ptx_utils(kernel, actual_ptx_ver, min_cuda_ver):
     ),
 )
 def test_get_handle(target):
-    ptr = random.randint(1, 1024)
+    ptr = random.randint(1, 1024)  # noqa: S311
     obj = target(ptr)
     handle = get_cuda_native_handle(obj)
     assert handle == ptr
@@ -105,6 +105,6 @@ def test_get_handle_error(target):
     ],
 )
 def test_cyclical_imports(module):
-    subprocess.check_call(  # nosec B603
+    subprocess.check_call(  # noqa: S603
         [sys.executable, Path(__file__).parent / "utils" / "check_cyclical_import.py", f"cuda.bindings.{module}"],
     )
diff --git a/cuda_core/tests/example_tests/utils.py b/cuda_core/tests/example_tests/utils.py
@@ -29,7 +29,7 @@ def run_example(samples_path, filename, env=None):
         old_sys_path = sys.path.copy()
         sys.path.append(samples_path)
         # TODO: Refactor the examples to give them a common callable `main()` to avoid needing to use exec here?
-        exec(script, env if env else {})  # nosec B102
+        exec(script, env if env else {})  # noqa: S102
     except ImportError as e:
         # for samples requiring any of optional dependencies
         for m in ("cupy", "torch"):
diff --git a/cuda_core/tests/test_module.py b/cuda_core/tests/test_module.py
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 import ctypes
-import pickle  # nosec B403, B301
+import pickle
 import warnings
 
 import cuda.core.experimental
@@ -372,7 +372,7 @@ def test_occupancy_max_potential_cluster_size(get_saxpy_kernel):
 
 def test_module_serialization_roundtrip(get_saxpy_kernel):
     _, objcode = get_saxpy_kernel
-    result = pickle.loads(pickle.dumps(objcode))  # nosec B403, B301
+    result = pickle.loads(pickle.dumps(objcode))  # noqa: S403, S301
 
     assert isinstance(result, ObjectCode)
     assert objcode.code == result.code
diff --git a/cuda_pathfinder/cuda/pathfinder/_utils/platform_aware.py b/cuda_pathfinder/cuda/pathfinder/_utils/platform_aware.py
@@ -8,8 +8,8 @@
 
 def quote_for_shell(s: str) -> str:
     if IS_WINDOWS:
-        # This is a relatively heavy import; keep pathfinder if possible.
-        from subprocess import list2cmdline  # nosec B404
+        # This is a relatively heavy import; keep pathfinder lean if possible.
+        from subprocess import list2cmdline
 
         return list2cmdline([s])
     else:
diff --git a/cuda_pathfinder/pyproject.toml b/cuda_pathfinder/pyproject.toml
@@ -73,9 +73,16 @@ select = [
     "RUF",   # Ruff-specific rules
     "PT",    # flake8-pytest-style
     "DTZ",   # flake8-datetimez
+    "S",
 ]
 extend-select = ["B9"]
 
+ignore = [
+  "S101",   # asserts
+  "S311",   # allow use of the random.* even though many are not cryptographically secure
+  "S404",   # allow importing the subprocess module
+]
+
 [tool.ruff.lint.flake8-quotes]
 inline-quotes = "double"
 
diff --git a/cuda_pathfinder/tests/spawned_process_runner.py b/cuda_pathfinder/tests/spawned_process_runner.py
@@ -53,7 +53,7 @@ def __call__(self):
             sys.stderr = old_stderr
             try:  # noqa: SIM105
                 self.result_queue.put((returncode, stdout, stderr))
-            except Exception:  # nosec B110
+            except Exception:  # noqa: S110
                 # If the queue is broken (e.g., parent gone), best effort logging
                 pass
 
@@ -120,7 +120,7 @@ def run_in_spawned_child_process(
         try:
             result_queue.close()
             result_queue.join_thread()
-        except Exception:  # nosec B110
+        except Exception:  # noqa: S110
             pass
         if process.is_alive():
             process.kill()
diff --git a/ruff.toml b/ruff.toml
@@ -26,6 +26,8 @@ select = [
   "SIM",
   # isort
   "I",
+  # flake8 bandit
+  "S",
 ]
 
 ignore = [
@@ -35,6 +37,9 @@ ignore = [
   "UP035",  # UP006, UP007, UP035 complain about deprecated Typing.<type> use, but disregard backward compatibility of python version
   "UP006",  # leave old-style typing as-is, e.g., Dict is allowed instead of requiring dict
   "SIM108", # ternary if/else
+  "S101",   # asserts
+  "S311",   # allow use of the random.* even though many are not cryptographically secure
+  "S404",   # allow importing the subprocess module
 ]
 
 exclude = ["**/_version.py"]
