NVIDIA
diff --git a/‎.bandit
Lines changed: 2 additions & 0 deletions b/‎.bandit
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/actions/fetch_ctk/action.yml
Lines changed: 18 additions & 13 deletions b/‎.github/actions/fetch_ctk/action.yml
Lines changed: 18 additions & 13 deletions
diff --git a/‎.github/workflows/bandit.yml
Lines changed: 19 additions & 0 deletions b/‎.github/workflows/bandit.yml
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/codeql.yml
Lines changed: 39 additions & 0 deletions b/‎.github/workflows/codeql.yml
Lines changed: 39 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml
Lines changed: 9 additions & 2 deletions b/‎.pre-commit-config.yaml
Lines changed: 9 additions & 2 deletions
diff --git a/‎cuda_bindings/cuda/__init__.pxd b/‎cuda_bindings/cuda/__init__.pxd
diff --git a/‎cuda_bindings/cuda/__init__.py
Lines changed: 0 additions & 14 deletions b/‎cuda_bindings/cuda/__init__.py
Lines changed: 0 additions & 14 deletions
@@ -0,0 +1,2 @@
+[bandit]
+skips = B101,B311
@@ -9,15 +9,22 @@ inputs:
   cuda-version:
     required: true
     type: string
+  cuda-components:
+    description: "A list of the CTK components to install as a comma-separated list. e.g. 'cuda_nvcc,cuda_nvrtc,cuda_cudart'"
+    required: false
+    type: string
+    default: "cuda_nvcc,cuda_cudart,cuda_nvrtc,cuda_profiler_api,cuda_cccl,cuda_sanitizer_api,libnvjitlink"
 
 runs:
   using: composite
   steps:
     - name: Set up CTK cache variable
       shell: bash --noprofile --norc -xeuo pipefail {0}
       run: |
-        echo "CTK_CACHE_KEY=mini-ctk-${{ inputs.cuda-version }}-${{ inputs.host-platform }}" >> $GITHUB_ENV
-        echo "CTK_CACHE_FILENAME=mini-ctk-${{ inputs.cuda-version }}-${{ inputs.host-platform }}.tar.gz" >> $GITHUB_ENV
+        HASH=$(echo -n "${{ inputs.cuda-components }}" | sha256sum | awk '{print $1}')
+        echo "CTK_CACHE_KEY=mini-ctk-${{ inputs.cuda-version }}-${{ inputs.host-platform }}-$HASH" >> $GITHUB_ENV
+        echo "CTK_CACHE_FILENAME=mini-ctk-${{ inputs.cuda-version }}-${{ inputs.host-platform }}-$HASH.tar.gz" >> $GITHUB_ENV
+        echo "CTK_CACHE_COMPONENTS=${{ inputs.cuda-components }}" >> $GITHUB_ENV
 
     - name: Install dependencies
       uses: ./.github/actions/install_unix_deps
@@ -78,18 +85,16 @@ runs:
           rm $CTK_COMPONENT_COMPONENT_FILENAME
         }
 
-        # Get headers and shared libraries in place
-        # Note: the existing artifact would need to be manually deleted (ex: through web UI)
-        # if this list is changed, as the artifact actions do not offer any option for us to
-        # invalidate the artifact.
-        populate_cuda_path cuda_nvcc
-        populate_cuda_path cuda_cudart
-        populate_cuda_path cuda_nvrtc
-        populate_cuda_path cuda_profiler_api
-        populate_cuda_path cuda_cccl
-        if [[ "$(cut -d '.' -f 1 <<< ${{ inputs.cuda-version }})" -ge 12 ]]; then
-          populate_cuda_path libnvjitlink
+        # Conditionally strip out libnvjitlink for CUDA versions < 12
+        if [[ "$(cut -d '.' -f 1 <<< ${{ inputs.cuda-version }})" -lt 12 ]]; then
+          CTK_CACHE_COMPONENTS="${CTK_CACHE_COMPONENTS//libnvjitlink/}"
         fi
+        # Cleanup stray commas after removing components
+        CTK_CACHE_COMPONENTS="${CTK_CACHE_COMPONENTS//,,/,}"
+        # Get headers and shared libraries in place
+        for item in $(echo $CTK_CACHE_COMPONENTS | tr ',' ' '); do
+            populate_cuda_path "$item"
+        done
         ls -l $CUDA_PATH
 
         # Prepare the cache
 
@@ -0,0 +1,19 @@
+name: "Static Analysis: Bandit Scan"
+
+on:
+  push:
+    branches:
+      - "pull-request/[0-9]+"
+      - "main"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Perform Bandit Analysis
+        uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de  # v1.0.0
@@ -0,0 +1,39 @@
+name: "Static Analysis: CodeQL Scan"
+
+on:
+  push:
+    branches:
+      - "pull-request/[0-9]+"
+      - "main"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: python
+          build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        queries: security-extended
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
@@ -6,16 +6,23 @@ ci:
     autoupdate_branch: ''
     autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
     autoupdate_schedule: quarterly
-    skip: []
+    skip: [bandit]
     submodules: false
 
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.11.4
+    rev: 971923581912ef60a6b70dbf0c3e9a39563c9d47  #v0.11.4
     hooks:
       - id: ruff
         args: [--fix, --show-fixes]
       - id: ruff-format
+  - repo: https://github.com/PyCQA/bandit
+    rev: 8ff25e07e487f143571cc305e56dd0253c60bc7b  #v1.8.3
+    hooks:
+      - id: bandit
+        args:
+          - --ini
+          - .bandit
 
 default_language_version:
       python: python3