We actively support the following versions with security updates:

Note: We recommend always using the latest version to ensure you have the most recent security patches.

Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching in vulnerable older releases. This package declares Pygments ≥ 2.20 as a direct dependency so installs resolve patched releases.

Tools such as tox and virtualenv depend on filelock. Older filelock versions were affected by a time-of-check–time-of-use (TOCTOU) issue in SoftFileLock, including a race that could allow symlink attacks during lock file creation. This package declares Python ≥ 3.10 and filelock ≥ 3.20.3 for Poetry dev dependencies so installs resolve filelock releases that include the relevant fixes.

pytest through 9.0.2 on UNIX used predictable /tmp/pytest-of-{user} paths in ways that allowed local symlink / TOCTOU attacks, leading to denial of service or possible privilege escalation (CVE-2025-71176, CVSS 6.8). This repository requires pytest ≥ 9.0.3 in dev / test requirements and Poetry lockfile so CI and contributors resolve a patched release. Upstream references: pytest PR #14279, CVE-2025-71176.

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Email security details to: security@graphiant.com
3. Include the following information:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if available)
   • Your contact information

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution: Depends on severity (see below)

• Acknowledgment: You will receive an acknowledgment email within 48 hours
• Updates: Regular updates on the status of the vulnerability
• Credit: With your permission, we will credit you in security advisories
• Disclosure: We will coordinate public disclosure after a fix is available

• Never commit secrets: Never commit API keys, tokens, passwords, or other sensitive information to the repository
• Use environment variables: Store credentials in environment variables

  import os
  
  username = os.getenv("GRAPHIANT_USERNAME")
  password = os.getenv("GRAPHIANT_PASSWORD")
  host = os.getenv("GRAPHIANT_HOST", "https://api.graphiant.com")

• Use secure storage: For production applications, use secure secret management systems (e.g., AWS Secrets Manager, HashiCorp Vault)
• Rotate credentials: Regularly rotate API keys and passwords
• Use .env files carefully: Never commit .env files to version control

• Input Validation: Always validate and sanitize user inputs
• Error Handling: Don't expose sensitive information in error messages
• Dependency Management: Keep dependencies up to date

  pip list --outdated
  pip install --upgrade package-name

• Security Scanning: Use tools like bandit for security analysis

  pip install bandit
  bandit -r graphiant_sdk/

• Dependency Vulnerability Scanning: Use safety to check for known vulnerabilities

  pip install safety
  safety check

• Regular Updates: Regularly update dependencies to patch security vulnerabilities
• Vulnerability Scanning: Use safety or pip-audit to scan for known vulnerabilities

  pip install pip-audit
  pip-audit

• Minimal Dependencies: Only include necessary dependencies in requirements.txt
• Version Pinning: Use specific versions in requirements.txt for production
• Virtual Environments: Always use virtual environments to isolate dependencies

• GitHub Actions Secrets: Use GitHub Secrets for sensitive data (never hardcode)
• Branch Protection: All changes require review and signed commits
• Code Scanning: Automated security scanning in CI/CD pipelines
• Dependency Scanning: Automated dependency vulnerability scanning

• CODEOWNERS: Code owners are automatically requested for review
• Branch Protection: Main branch is protected with required reviews
• Signed Commits: All commits must be verified with GPG signatures
• Access Control: Repository access is restricted to authorized team members

• SQL Injection: Use parameterized queries if interacting with databases
• Code Injection: Never use eval() or exec() with user input
• Path Traversal: Validate file paths and use os.path.join() or pathlib
• Deserialization: Be cautious with pickle and use safer alternatives like json
• Type Safety: Use type hints and mypy to catch type-related issues
• Exception Handling: Always handle exceptions explicitly

When using environment variables for credentials:

import os
from typing import Optional

def get_credentials() -> tuple[str, str, str]:
    """
    Get credentials from environment variables.
    
    Returns:
        Tuple of (host, username, password)
        
    Raises:
        ValueError: If required credentials are missing
    """
    username = os.getenv("GRAPHIANT_USERNAME")
    if not username:
        raise ValueError("GRAPHIANT_USERNAME environment variable is required")
    
    password = os.getenv("GRAPHIANT_PASSWORD")
    if not password:
        raise ValueError("GRAPHIANT_PASSWORD environment variable is required")
    
    host = os.getenv("GRAPHIANT_HOST", "https://api.graphiant.com")
    
    return host, username, password

from graphiant_sdk import Configuration, ApiClient
import os

# Secure configuration using environment variables
config = Configuration(
    host=os.getenv("GRAPHIANT_HOST", "https://api.graphiant.com"),
    username=os.getenv("GRAPHIANT_USERNAME"),
    password=os.getenv("GRAPHIANT_PASSWORD")
)

# Never hardcode credentials
# BAD: config = Configuration(username="user", password="pass")

• Test with invalid inputs: Test error handling and edge cases
• Test authentication: Verify authentication and authorization work correctly
• Review test coverage: Ensure security-critical paths are tested
• Test error messages: Ensure error messages don't leak sensitive information

• No secrets in examples: Never include real credentials in documentation or examples
• Security warnings: Document security considerations for sensitive operations
• Best practices: Include security best practices in documentation

Before submitting a pull request, ensure:

• No secrets or credentials are committed
• Input validation is implemented
• Error messages don't expose sensitive information
• Dependencies are up to date
• Tests cover security-critical paths
• Code follows Python security best practices
• No hardcoded credentials or API keys
• Environment variables are used for configuration
• Security scanning tools pass (bandit, safety)

# Install
pip install bandit

# Run security scan
bandit -r graphiant_sdk/

# Generate HTML report
bandit -r graphiant_sdk/ -f html -o bandit-report.html

# Install
pip install safety

# Check dependencies
safety check

# Check with requirements file
safety check -r requirements.txt

# Install
pip install pip-audit

# Audit dependencies
pip-audit

# Generate requirements file
pip-audit --desc -r requirements.txt

• Python Security Best Practices
• OWASP Python Security Cheat Sheet
• Python Security Guide
• Bandit Documentation
• Safety Documentation

For security concerns, please contact: security@graphiant.com

Last Updated: 2026-05-01