From 85acf36c4cad33faaf1e704166317fa1ad93884c Mon Sep 17 00:00:00 2001
From: Federico Negri
Date: Tue, 8 Jul 2025 09:31:04 +0200
Subject: [PATCH 1/6] add check-vulnerabilities action
---
 .github/workflows/ci_cd.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml
index a459a6c6f..e2f4de869 100644
--- a/.github/workflows/ci_cd.yml
+++ b/.github/workflows/ci_cd.yml
@@ -140,6 +140,17 @@ jobs:
 operating-system: ${{ matrix.os }}
 python-version: ${{ matrix.python-version }}
+ check-vulnerabilities:
+ name: "Check library vulnerabilities"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: ansys/actions/check-vulnerabilities@v10
+ with:
+ python-version: ${{ env.MAIN_PYTHON_VERSION }}
+ token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+ python-package-name: 'ansys-hps-client'
+ dev-mode: ${{ github.ref != 'refs/heads/main' }}
+
 package:
 name: Package library
 needs: [tests, docs, smoke-tests]
From 4370e04a3d37528618a2e935a16caa273064258c Mon Sep 17 00:00:00 2001
From: Federico Negri
Date: Tue, 8 Jul 2025 10:35:47 +0200
Subject: [PATCH 2/6] show log
---
 .github/workflows/ci_cd.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml
index e2f4de869..83694a5ed 100644
--- a/.github/workflows/ci_cd.yml
+++ b/.github/workflows/ci_cd.yml
@@ -150,6 +150,7 @@ jobs:
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
 python-package-name: 'ansys-hps-client'
 dev-mode: ${{ github.ref != 'refs/heads/main' }}
+ hide-log: false
 package:
 name: Package library
From b58bf49d1a3904a9d062ca8fae89736475cc6b8d Mon Sep 17 00:00:00 2001
From: Federico Negri
Date: Tue, 8 Jul 2025 10:43:20 +0200
Subject: [PATCH 3/6] suppress B110 try-except-pass rule on individual lines
---
 src/ansys/hps/client/common/base_resource.py | 2 +-
 src/ansys/hps/client/common/restricted_value.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
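Review bot: `uses: ansys/actions/check-vulnerabilities@v10` pins a mutable tag while the same step receives `secrets.PYANSYS_CI_BOT_TOKEN`, so a moved tag or a compromised upstream release would execute with that token; pin the action to its full commit SHA with the tag as a trailing comment, `uses: ansys/actions/check-vulnerabilities@<full-sha> # v10`, and let Dependabot bump it, unless the rest of the workflow (outside this hunk) deliberately tracks tags. The new job also declares no `permissions:` block; if the workflow has no restrictive top-level one, add `permissions: contents: read` to the job so the default `GITHUB_TOKEN` is not write-capable inside a job that runs third-party code. Because `dev-mode` is derived only from `github.ref`, this job runs on every non-main ref; confirm that the workflow triggers (not visible here) never run it under `pull_request_target` or with the bot token on fork pull requests, where untrusted changes would run alongside the secret.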
diff --git a/src/ansys/hps/client/common/base_resource.py b/src/ansys/hps/client/common/base_resource.py
index 32f3db209..0a48be60b 100644
--- a/src/ansys/hps/client/common/base_resource.py
+++ b/src/ansys/hps/client/common/base_resource.py
@@ -99,7 +99,7 @@ def __str__(self):
 try:
 value = field_obj.serialize(attr_name, self, accessor=schema.get_attribute)
 except Exception:
- pass
+ pass # nosec
 if value is missing:
 continue
 key = field_obj.data_key if field_obj.data_key is not None else attr_name
diff --git a/src/ansys/hps/client/common/restricted_value.py b/src/ansys/hps/client/common/restricted_value.py
index fe7755e03..de43bf495 100644
--- a/src/ansys/hps/client/common/restricted_value.py
+++ b/src/ansys/hps/client/common/restricted_value.py
@@ -45,7 +45,7 @@ def _deserialize(self, value, attr, obj, **kwargs):
 try:
 return field._deserialize(value, attr, obj, **kwargs)
 except Exception:
- pass
+ pass # nosec
 self.raise_validation_error()
From dec0465cdfb36507bee329133f38802dfdcd1341 Mon Sep 17 00:00:00 2001
From: Federico Negri
Date: Tue, 8 Jul 2025 10:45:47 +0200
Subject: [PATCH 4/6] Add SECURITY.md file
---
 SECURITY.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..2752e13de
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,16 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+> [!CAUTION]
+> Do not use GitHub issues to report any security vulnerabilities.
+
+If you detect a vulnerability, contact the [PyAnsys Core team](mailto:pyansys.core@ansys.com),
+mentioning the repository and the details of your finding. The team will address it as soon as possible.
+
+Provide the PyAnsys Core team with this information:
+
+- Any specific configuration settings needed to reproduce the problem
+- Step-by-step guidance to reproduce the problem
+- The exact location of the problematic source code, including tag, branch, commit, or a direct URL
+- The potential consequences of the vulnerability, along with a description of how an attacker could take advantage of the issue
\ No newline at end of file
From 0a2706e10f7cbbcbe97c4531294b9b7e2a493b26 Mon Sep 17 00:00:00 2001
From: Federico Negri
Date: Tue, 8 Jul 2025 10:47:48 +0200
Subject: [PATCH 5/6] clean up
---
 .github/workflows/ci_cd.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml
index 83694a5ed..a8f44dbc8 100644
--- a/.github/workflows/ci_cd.yml
+++ b/.github/workflows/ci_cd.yml
@@ -150,11 +150,10 @@ jobs:
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
 python-package-name: 'ansys-hps-client'
 dev-mode: ${{ github.ref != 'refs/heads/main' }}
- hide-log: false
 package:
 name: Package library
- needs: [tests, docs, smoke-tests]
+ needs: [tests, docs, smoke-tests, check-vulnerabilities]
 runs-on: ubuntu-latest
 steps:
 - name: Build library source and wheel artifacts
From c61d7cd4be3b2e91202c10bac68c562cdf1d6588 Mon Sep 17 00:00:00 2001
From: Federico Negri
Date: Tue, 8 Jul 2025 14:09:32 +0200
Subject: [PATCH 6/6] more specific nosec marker
---
 src/ansys/hps/client/common/base_resource.py | 4 +++-
 src/ansys/hps/client/common/restricted_value.py | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
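Review bot: Gating the release on the scan via `needs: [tests, docs, smoke-tests, check-vulnerabilities]` only blocks when the check fails, yet the context line `dev-mode: ${{ github.ref != 'refs/heads/main' }}` evaluates to true for tag refs as well as branches, so a release built from a `refs/tags/*` push (if that is how this workflow publishes; the triggers are outside the hunk) would run the vulnerability check in dev mode. If dev mode is non-enforcing or skips reporting, the release path is exactly the one not enforced; derive it from the ref type as well, e.g. `dev-mode: ${{ github.ref != 'refs/heads/main' && github.ref_type != 'tag' }}`. Consider also stating in a comment above the job which failure policy applies on main versus tags so the gate's intent is explicit. The `package` job definition continues beyond the hunk.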
diff --git a/src/ansys/hps/client/common/base_resource.py b/src/ansys/hps/client/common/base_resource.py
index 0a48be60b..4765ded0a 100644
--- a/src/ansys/hps/client/common/base_resource.py
+++ b/src/ansys/hps/client/common/base_resource.py
@@ -99,7 +99,9 @@ def __str__(self):
 try:
 value = field_obj.serialize(attr_name, self, accessor=schema.get_attribute)
 except Exception:
- pass # nosec
+ # if the field cannot be serialized, we skip it and leave it marked as missing
+ pass # nosec B110
+
 if value is missing:
 continue
 key = field_obj.data_key if field_obj.data_key is not None else attr_name
diff --git a/src/ansys/hps/client/common/restricted_value.py b/src/ansys/hps/client/common/restricted_value.py
index de43bf495..e66746327 100644
--- a/src/ansys/hps/client/common/restricted_value.py
+++ b/src/ansys/hps/client/common/restricted_value.py
@@ -41,11 +41,13 @@ def __init__(self):
 def _deserialize(self, value, attr, obj, **kwargs):
 """Convert string to restricted value object."""
+ # try each restricted field type until one succeeds
+ # if none succeed, raise a validation error
 for field in self.restricted_fields:
 try:
 return field._deserialize(value, attr, obj, **kwargs)
 except Exception:
- pass # nosec
+ pass # nosec B110
 self.raise_validation_error()
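Review bot: `except Exception:` around `field_obj.serialize(...)` still swallows every error, including programming errors inside a field's `serialize`, and the new `# nosec B110` marker now hides that from Bandit permanently instead of narrowing the handler; if the intent is to tolerate only serialization failures of the field library (presumably marshmallow, given `missing` and `accessor=schema.get_attribute`), catch its specific exception, e.g. `except ValidationError:` — Bandit's B110 does not flag a typed catch by default, so the `# nosec` marker becomes unnecessary. The added comment also claims the field is "left marked as missing", which holds only if `value` is reset to `missing` before the `try` on every loop iteration; that assignment is outside the hunk, so confirm it exists, otherwise a failed serialize would reuse the previous field's value in the `if value is missing:` check. `__str__` starts and ends outside this hunk.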
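Review bot: In the `for field in self.restricted_fields:` loop, `except Exception:` treats any error from `field._deserialize(value, attr, obj, **kwargs)` — a bug in a field implementation or a `TypeError` from unexpected `kwargs` — as "this type does not match" and falls through to the generic `self.raise_validation_error()`, so real defects are indistinguishable from invalid input. Narrow the clause to the deserialization failure the fields actually raise (presumably marshmallow's `ValidationError`, to be confirmed against the field classes), e.g. `except ValidationError:`, which keeps the try-next-type fallthrough for the expected case, lets unexpected errors propagate, and removes the need for `# nosec B110` since Bandit only flags bare and `Exception` catches by default. If a broad catch is genuinely required here, state why in the comment rather than only describing the loop, e.g. `# broad catch: field types raise heterogeneous errors on mismatch; see <issue>`. `_deserialize` is fully visible; `restricted_fields` and `raise_validation_error` are defined outside the hunk.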