Add Security and IP related contributing guide and configure coderabbit to catch such issues

[kevalmorabia97]

What does this PR do?

• Add Security related coding practices in SECURITY.md and merge with 2_security.rst
• Update CONTRIBUTING.md for instructions to follow if copying code from other repositories
• Update PR template
• Cleanup dependency files
• New API mto.load_modelopt_state doing the insecure torch.load(f, weights_only=False) instead of doing it separately everywhere. This also allows us to later improve the input validation for modelopt_state_path or use safer alternatives to torch.load

Testing

N/A

Before your PR is "Ready for review"

Make sure you read and follow Contributor guidelines and your commits are signed (git commit -s -S).

Make sure you read and follow the Security Best Practices (e.g. hardcoded trust_remote_code=True, torch.load(..., weights_only=True), pickle, etc.).

• Is this change backward compatible?: ✅
• If you copied code from any other source, did you follow IP policy in CONTRIBUTING.md?: ✅
• Did you write any new necessary tests?: NA
• Did you add or update any necessary documentation and update Changelog?: NA

Summary by CodeRabbit

• Documentation

  • Expanded and reorganized security guidance and contributor procedures; updated PR template and several READMEs with clearer security, submission, and installation instructions
  • Replaced an older security document with an enhanced, centralized security guidance

• Chores

  • Adjusted example dependency lists and optional extras (adds, removals, and version constraints)
  • Enabled automated incremental reviews, added pre-merge security checks, and introduced a knowledge-base of coding/security guidelines

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Added repository-level security checks and knowledge-base entries, expanded and consolidated security and contributor documentation, updated PR template formatting, adjusted example README installation instructions, and changed several example dependency requirements and setup.py extras.

Changes

Cohort / File(s)	Summary
CI / Repo config \.coderabbit.yaml	Added path_instructions with security_instructions, enabled auto_incremental_review, and added pre_merge_checks including a "Security anti-patterns" error-mode check; introduced knowledge_base entries for code guidelines.
PR template .github/PULL_REQUEST_TEMPLATE.md	Reformatted headings and sections, converted several bold labels to plain text, added inline contributor signing instruction, and inserted a security-focused block in Additional Information.
Contributor & security docs CONTRIBUTING.md, SECURITY.md, docs/source/reference/2_security.rst	Rewrote CONTRIBUTING to emphasize security practices and code-copy rules; greatly expanded SECURITY.md with security considerations, concrete guidance, and secure-coding practices; removed the previous security content from docs/source/reference/2_security.rst.
Examples — requirements examples/.../requirements.txt examples/diffusers/requirements.txt, examples/gpt-oss/requirements.txt, examples/llm_qat/requirements.txt, examples/llm_sparsity/weight_sparsity/requirements.txt, examples/onnx_ptq/requirements.txt, examples/windows/accuracy_benchmark/perplexity_metrics/requirements.txt	Removed sentencepiece from several example requirement files, added/strengthened sentencepiece>=0.2.1 in others, removed multiple heavy dependencies from gpt-oss, and bumped torch/transformers minimums in the Windows example.
Examples — READMEs examples/gpt-oss/README.md, examples/llm_sparsity/weight_sparsity/README.md	Added or updated installation/prerequisite instructions to recommend pip install -U nvidia-modelopt[hf] and to call out installing example requirements.
Package extras setup.py	Moved sentencepiece>=0.2.1 into the hf extras and removed it from dev-test; removed nltk from hf extras in the changed edits (final extras updated).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly summarizes the main changes: adding security and IP-related contributing guides and configuring coderabbit for detection.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Security Anti-Patterns	✅ Passed	The PR does not introduce Python source code changes to modelopt//*.py or examples//*.py. Only setup.py (dependency file), documentation, configuration, and requirement files were modified.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch kmorabia/security-coding-guide

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[shengliangxu]

LGTM

[Copilot]

Pull request overview

This PR enhances security documentation and practices in the Model Optimizer repository by consolidating security guidance, adding IP policy instructions, updating the PR template with security checklists, and configuring CodeRabbit for automated security reviews. The changes also clean up dependency management by centralizing common dependencies in setup.py's optional dependency groups.

Changes:

• Consolidated security documentation from docs/source/reference/2_security.rst into SECURITY.md with expanded security coding practices for contributors
• Updated CONTRIBUTING.md with instructions for copying code from other sources, including license header format and IP policy compliance
• Enhanced PR template with security best practices checklist and IP policy acknowledgment
• Configured CodeRabbit YAML for automated incremental reviews with security anti-pattern detection
• Cleaned up dependency files by moving common dependencies (sentencepiece, peft, etc.) from individual example requirements.txt to setup.py's optional dependency groups

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
setup.py	Moved sentencepiece from dev-test to hf optional dependencies with version constraint and clarifying comment
examples/windows/accuracy_benchmark/perplexity_metrics/requirements.txt	Updated sentencepiece, torch, and transformers version constraints to match setup.py
examples/onnx_ptq/requirements.txt	Added version constraint to sentencepiece
examples/llm_sparsity/weight_sparsity/requirements.txt	Removed sentencepiece (now in hf optional deps)
examples/llm_sparsity/weight_sparsity/README.md	Added installation prerequisites section
examples/llm_qat/requirements.txt	Removed peft and sentencepiece (now in hf optional deps)
examples/gpt-oss/requirements.txt	Removed common dependencies covered by hf optional deps
examples/gpt-oss/README.md	Added installation command for hf optional dependencies
examples/diffusers/requirements.txt	Removed sentencepiece
docs/source/reference/2_security.rst	Removed (content migrated to SECURITY.md)
SECURITY.md	Consolidated and expanded security documentation with detailed coding practices section
CONTRIBUTING.md	Reorganized with security practices and IP policy sections, added guidance on copying code
.github/PULL_REQUEST_TEMPLATE.md	Updated with security checklist and IP policy acknowledgment
.coderabbit.yaml	Enabled incremental reviews, added security anti-pattern checks, and configured knowledge base

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.