
Add CodeQL and Bandit Static Analysis Scans

Open kkraus14 opened this issue 9 months ago • 11 comments

Description

Resolves #534

Adds scans using both CodeQL and Bandit. Could use some discussion on what level of reporting we wish to have here and when we want to error. I have updated the repo settings to alert on any Security alert severity level and set the Standard alert severity level to "Errors and warnings" as a starting point.

Checklist

  • [ ] New or existing tests cover these changes.
  • [ ] The documentation is up to date with these changes.

kkraus14 avatar Apr 15 '25 14:04 kkraus14

Auto-sync is disabled for ready for review pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

copy-pr-bot[bot] avatar Apr 15 '25 14:04 copy-pr-bot[bot]

/ok to test b8d0441

kkraus14 avatar Apr 15 '25 14:04 kkraus14

/ok to test b8d0441

kkraus14 avatar Apr 15 '25 14:04 kkraus14

Doc Preview CI

:rocket: View preview at
https://nvidia.github.io/cuda-python/pr-preview/pr-560/
https://nvidia.github.io/cuda-python/pr-preview/pr-560/cuda-core/
https://nvidia.github.io/cuda-python/pr-preview/pr-560/cuda-bindings/

Preview will be ready when the GitHub Pages deployment is complete.

github-actions[bot] avatar Apr 15 '25 15:04 github-actions[bot]

This needs the addition of bandit to the whitelist as noted in slack.

cryos avatar Apr 16 '25 18:04 cryos

Bandit should be allowed to run now if you want to retry it.

cryos avatar Apr 16 '25 21:04 cryos

/ok to test 634f56a

kkraus14 avatar Apr 17 '25 00:04 kkraus14

@leofang do you want me to add bandit / codeql to pre-commit before we merge this?

kkraus14 avatar Apr 17 '25 01:04 kkraus14

Do not merge. Needs an internal discussion before moving forward.

kkraus14 avatar Apr 17 '25 02:04 kkraus14

do you want me to add bandit / codeql to pre-commit before we merge this?

I think it is fine to do it in a separate PR, so we only need to resolve the internal discussion before merging.

leofang avatar Apr 17 '25 02:04 leofang

An issue here:

  • The GitHub action workflow for bandit runs pip install bandit[sarif] and doesn't give us a way to pin the version of bandit. (https://github.com/PyCQA/bandit-action/blob/8a1b30610f61f3f792fe7556e888c9d7dffa52de/action.yml#L80)
  • The pre-commit hook does allow us to pin the version of bandit, which I've done to the current release.
  • Running bandit via pre-commit.ci doesn't allow us to grab and upload the SARIF file into the GitHub code security tooling.

I've also temporarily moved the CodeQL action to be manually triggered only until our internal discussion is completed.

kkraus14 avatar Apr 17 '25 14:04 kkraus14
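The comment above notes that bandit-action cannot pin the Bandit version while pre-commit.ci cannot upload the SARIF report. The following workflow is an added example (not from this PR or the cuda-python repository) that does both by installing a pinned Bandit release directly and uploading its SARIF output to GitHub code scanning; the version pin, branch name and scan path are assumptions.

```yaml
# Added example (not from this PR): run a pinned Bandit release directly instead
# of the bandit-action, so the version is fixed and the SARIF report can still be
# uploaded to GitHub code scanning. BANDIT_VERSION is a constructed example pin;
# replace it with the release you have reviewed.
name: bandit

on:
  pull_request:
  push:
    branches: [main]   # assumed default branch

permissions:
  contents: read
  security-events: write   # required by upload-sarif

jobs:
  bandit:
    runs-on: ubuntu-latest
    env:
      BANDIT_VERSION: "1.8.3"   # constructed example pin
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # The [sarif] extra pulls in the SARIF formatter; the exact "==" pin is what
      # the upstream bandit-action's unpinned "pip install bandit[sarif]" lacks.
      - name: Install pinned Bandit
        run: python -m pip install "bandit[sarif]==${BANDIT_VERSION}"

      # -r scans recursively, -f sarif selects the formatter, -o writes the file.
      # --exit-zero keeps the step green so the report is always uploaded;
      # severity gating then happens in the repository's code-scanning settings,
      # as the PR description describes.
      - name: Run Bandit
        run: bandit -r . -f sarif -o bandit.sarif --exit-zero

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: bandit.sarif
          category: bandit
```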

/ok to test 4d7632c

kkraus14 avatar Apr 21 '25 17:04 kkraus14

Merging for now and will create issues for following up on Bandit version pinning for the Action and CodeQL pre-commit hook.

kkraus14 avatar Apr 21 '25 19:04 kkraus14

Thanks, Keith!

leofang avatar Apr 21 '25 20:04 leofang

Doc Preview CI

Preview removed because the pull request was closed or merged.

github-actions[bot] avatar Apr 21 '25 20:04 github-actions[bot]