ansys · FedericoNegri · Jul 8, 2025 · Jul 8, 2025 · Jul 8, 2025 · Jul 8, 2025
diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml
@@ -140,9 +140,20 @@ jobs:
           operating-system: ${{ matrix.os }}
           python-version: ${{ matrix.python-version }}
 
+  check-vulnerabilities:
+    name: "Check library vulnerabilities"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ansys/actions/check-vulnerabilities@v10
+        with:
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+          token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+          python-package-name: 'ansys-hps-client'
+          dev-mode: ${{ github.ref != 'refs/heads/main' }}
+
   package:
     name: Package library
-    needs: [tests, docs, smoke-tests]
+    needs: [tests, docs, smoke-tests, check-vulnerabilities]
     runs-on: ubuntu-latest
     steps:
       - name: Build library source and wheel artifacts

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,16 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+> [!CAUTION]
+> Do not use GitHub issues to report any security vulnerabilities.
+
+If you detect a vulnerability, contact the [PyAnsys Core team](mailto:pyansys.core@ansys.com),
+mentioning the repository and the details of your finding. The team will address it as soon as possible.
+
+Provide the PyAnsys Core team with this information:
+
+- Any specific configuration settings needed to reproduce the problem
+- Step-by-step guidance to reproduce the problem
+- The exact location of the problematic source code, including tag, branch, commit, or a direct URL
+- The potential consequences of the vulnerability, along with a description of how an attacker could take advantage of the issue
diff --git a/src/ansys/hps/client/common/base_resource.py b/src/ansys/hps/client/common/base_resource.py
@@ -99,7 +99,9 @@ def __str__(self):
             try:
                 value = field_obj.serialize(attr_name, self, accessor=schema.get_attribute)
             except Exception:
-                pass
+                # if the field cannot be serialized, we skip it and leave it marked as missing
+                pass  # nosec B110
+
             if value is missing:
                 continue
             key = field_obj.data_key if field_obj.data_key is not None else attr_name

diff --git a/src/ansys/hps/client/common/restricted_value.py b/src/ansys/hps/client/common/restricted_value.py
@@ -41,11 +41,13 @@ def __init__(self):
 
     def _deserialize(self, value, attr, obj, **kwargs):
         """Convert string to restricted value object."""
+        # try each restricted field type until one succeeds
+        # if none succeed, raise a validation error
         for field in self.restricted_fields:
             try:
                 return field._deserialize(value, attr, obj, **kwargs)
             except Exception:
-                pass
+                pass  # nosec B110
 
         self.raise_validation_error()