CI: Add vulnerability checking

.github/workflows/ci_cd.yml

@@ -40,6 +40,17 @@ jobs:
           bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
           use-upper-case: true
 
+  vulnerabilities:
+    name: "Vulnerabilities"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ansys/actions/check-vulnerabilities@v9
+        with:
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+          python-package-name: ${{ env.PACKAGE_NAME }}
+          token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+          dev-mode: ${{ github.ref != 'refs/heads/main' }}
+
   # NOTE: We do not allow dependabot to trigger the CI/CD pipeline automatically.
   # This is to mitigate supply chain attacks, where a malicious dependency update
   # could execute arbitrary code in our build environment.

SECURITY.md

@@ -22,9 +22,17 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 -->
 
-# Security Policy
+ ## Reporting a vulnerability
 
-## Reporting a Vulnerability
+ > [!CAUTION]
+ > Do not use GitHub issues to report any security vulnerabilities.
 
-If you detect a vulnerability, contact the [PyAnsys Core team](mailto:[email protected])
-mentioning the repository and the details of your finding. The team will address it as soon as possible.
+ If you detect a vulnerability, contact the [PyAnsys Core team](mailto:[email protected]),
+ mentioning the repository and the details of your finding. The team will address it as soon as possible.
+
+Provide the PyAnsys Core team with this information:
+
+ - Any specific configuration settings needed to reproduce the problem
+ - Step-by-step guidance to reproduce the problem
+ - The exact location of the problematic source code, including tag, branch, commit, or a direct URL
+ - The potential consequences of the vulnerability, along with a description of how an attacker could take advantage of the issue

doc/changelog.d/6112.maintenance.md

@@ -0,0 +1 @@
+Add vulnerability checking