.coderabbit.yaml
# Reference: https://docs.coderabbit.ai/getting-started/yaml-configuration
language: "en-US"
reviews:
  profile: chill
  collapse_walkthrough: true
  poem: false
  path_instructions:
    - path: "modelopt/**/*.py"
      instructions: &security_instructions |
        Review all modelopt package and examples Python changes against the security coding practices in
        SECURITY.md. Flag any of the following as CRITICAL security issues,
        request changes, and fail the check if ANY are present:
        1. torch.load(..., weights_only=False) with no inline comment justifying why it is safe
           (e.g. confirming the file is internally-generated and not user-supplied).
        2. numpy.load(..., allow_pickle=True) with no inline comment justifying why it is safe.
           Should expose allow_pickle as a caller-configurable parameter defaulting to False, not hardcode True.
        3. trust_remote_code=True hardcoded for transformers model or tokenizer loading.
           Code should expose it as a caller-configurable parameter defaulting to False, not hardcode True.
        4. eval() or exec() on any input that could originate from outside the process.
        5. Any use of "# nosec" comments to bypass Bandit security checks is not allowed.
           If a security-sensitive pattern is genuinely necessary, the PR must be reviewed and approved
           by @NVIDIA/modelopt-setup-codeowners with an explicit justification in the PR description.
        6. Any addition of new PIP dependencies in pyproject.toml or requirements.txt that are not
           permissive licenses (e.g. MIT, Apache 2) must be reviewed and approved by
           @NVIDIA/modelopt-setup-codeowners with an explicit justification in the PR description.
    - path: "examples/**/*.py"
      instructions: *security_instructions
  auto_review:
    auto_incremental_review: true
    drafts: false
    base_branches: ["main", "release/.*", "feature/.*"]
  pre_merge_checks:
    custom_checks:
      - name: "Security anti-patterns"
        mode: "error"
        instructions: *security_instructions
knowledge_base:
  code_guidelines:
    filePatterns:
      - "CONTRIBUTING.md"
      - "SECURITY.md"
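
A local pre-review check for rules 1 to 5 of the instructions above, as an added example that is not part of this repository's configuration or of CodeRabbit. It assumes calls are matched by method name (`load`) and keyword rather than by resolved import, and it reports every `eval()`/`exec()` call for manual review because input origin cannot be decided statically; `find_antipatterns`, `RISKY_KWARGS` and `SAMPLE` are hypothetical names.

```python
import ast
import io
import tokenize

# Constructed sample input (not code from the repository).
SAMPLE = '''\
import torch, numpy as np
from transformers import AutoModel
state = torch.load(path, weights_only=False)
ckpt = torch.load(own_path, weights_only=False)  # file written by this process
arr = np.load(path, allow_pickle=True)
model = AutoModel.from_pretrained(name, trust_remote_code=True)
model2 = AutoModel.from_pretrained(name, trust_remote_code=trust_remote_code)
value = eval(expr)  # nosec
'''

# (method name, keyword, hardcoded value) combinations covered by rules 1 and 2.
RISKY_KWARGS = {
    ("load", "weights_only", False): "rule 1: torch.load(weights_only=False)",
    ("load", "allow_pickle", True): "rule 2: numpy.load(allow_pickle=True)",
}

def find_antipatterns(source):
    """Return sorted (line, message) findings for rules 1-5 of the instructions."""
    comments = {
        tok.start[0]: tok.string
        for tok in tokenize.generate_tokens(io.StringIO(source).readline)
        if tok.type == tokenize.COMMENT
    }
    findings = [(ln, "rule 5: '# nosec' bypass comment")
                for ln, text in comments.items() if "nosec" in text.lower()]
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        # Last component of the callee: 'load' for torch.load, 'eval' for eval.
        name = getattr(node.func, "attr", None) or getattr(node.func, "id", "")
        if name in ("eval", "exec"):
            findings.append((node.lineno, f"rule 4: {name}() call, check input origin"))
        for kw in node.keywords:
            if not isinstance(kw.value, ast.Constant):
                continue  # value comes from a variable or parameter: not hardcoded
            if kw.arg == "trust_remote_code" and kw.value.value is True:
                findings.append((node.lineno, "rule 3: hardcoded trust_remote_code=True"))
            msg = RISKY_KWARGS.get((name, kw.arg, kw.value.value))
            # Rules 1-2 accept an inline justification comment on the call's lines.
            justified = any(ln in comments for ln in range(node.lineno, node.end_lineno + 1))
            if msg and not justified:
                findings.append((node.lineno, msg + " without justification comment"))
    return sorted(findings)
```

Rule 6 (dependency licenses) concerns pyproject.toml and requirements.txt rather than Python source, so this check does not cover it.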