NVIDIA · leofang · Apr 25, 2025 · Apr 24, 2025 · Apr 24, 2025
diff --git a/.bandit b/.bandit
@@ -0,0 +1,2 @@
+[bandit]
+skips = B101,B311
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -20,6 +20,9 @@ repos:
     rev: 8ff25e07e487f143571cc305e56dd0253c60bc7b  #v1.8.3
     hooks:
       - id: bandit
+        args:
+          - --ini
+          - .bandit
 
 default_language_version:
       python: python3
diff --git a/cuda_bindings/tests/test_cuda.py b/cuda_bindings/tests/test_cuda.py
@@ -647,7 +647,8 @@ def test_get_error_name_and_string():
 
 @pytest.mark.skipif(not callableBinary("nvidia-smi"), reason="Binary existance needed")
 def test_device_get_name():
-    import subprocess
+    # TODO: Refactor this test once we have nvml bindings to avoid the use of subprocess
+    import subprocess  # nosec B404
 
     (err,) = cuda.cuInit(0)
     assert err == cuda.CUresult.CUDA_SUCCESS
@@ -656,12 +657,12 @@ def test_device_get_name():
     err, ctx = cuda.cuCtxCreate(0, device)
     assert err == cuda.CUresult.CUDA_SUCCESS
 
-    p = subprocess.run(
-        ["nvidia-smi", "--query-gpu=name", "--format=csv,noheader"], stdout=subprocess.PIPE, stderr=subprocess.PIPE
-    )
+    p = subprocess.check_output(
+        ["nvidia-smi", "--query-gpu=name", "--format=csv,noheader"], shell=False, stderr=subprocess.PIPE
+    )  # nosec B603, B607
 
     delimiter = b"\r\n" if platform.system() == "Windows" else b"\n"
-    expect = p.stdout.split(delimiter)
+    expect = p.split(delimiter)
     size = 64
     _, got = cuda.cuDeviceGetName(size, device)
     got = got.split(b"\x00")[0]

diff --git a/cuda_core/tests/example_tests/utils.py b/cuda_core/tests/example_tests/utils.py
@@ -33,7 +33,8 @@ def run_example(samples_path, filename, env=None):
         sys.argv = [fullpath]
         old_sys_path = sys.path.copy()
         sys.path.append(samples_path)
-        exec(script, env if env else {})
+        # TODO: Refactor the examples to give them a common callable `main()` to avoid needing to use exec here?
+        exec(script, env if env else {})  # nosec B102
     except ImportError as e:
         # for samples requiring any of optional dependencies
         for m in ("cupy",):

diff --git a/cuda_python/setup.py b/cuda_python/setup.py
@@ -2,15 +2,16 @@
 #
 # SPDX-License-Identifier: LicenseRef-NVIDIA-SOFTWARE-LICENSE
 
+import ast
 from setuptools import setup
 
 # We want to keep the version in sync with cuda.bindings, but setuptools would not let
 # us to refer to any files outside of the project root, so we have to employ our own
 # run-time lookup using setup()...
 with open("../cuda_bindings/cuda/bindings/_version.py") as f:
-    exec(f.read())
-version = __version__  # noqa: F821
-del __version__  # noqa: F821
+    for line in f:
+        if line.startswith("__version__"):
+            version = ast.parse(line).body[0].value.value
 
 setup(
     version=version,