diff --git a/api/.ruff.toml b/api/.ruff.toml
index f058731ada..41a24abad9 100644
--- a/api/.ruff.toml
+++ b/api/.ruff.toml
@@ -37,6 +37,12 @@ select = [
     "UP", # pyupgrade rules
     "W191", # tab-indentation
     "W605", # invalid-escape-sequence
+    # security related linting rules
+    # RCE proctection (sort of)
+    "S102", # exec-builtin, disallow use of `exec`
+    "S307", # suspicious-eval-usage, disallow use of `eval` and `ast.literal_eval`
+    "S301", # suspicious-pickle-usage, disallow use of `pickle` and its wrappers.
+    "S302", # suspicious-marshal-usage, disallow use of `marshal` module
 ]
 
 ignore = [
diff --git a/api/models/dataset.py b/api/models/dataset.py
index 28589eb8c1..f104c32b53 100644
--- a/api/models/dataset.py
+++ b/api/models/dataset.py
@@ -910,7 +910,7 @@ class Embedding(db.Model):  # type: ignore[name-defined]
         self.embedding = pickle.dumps(embedding_data, protocol=pickle.HIGHEST_PROTOCOL)
 
     def get_embedding(self) -> list[float]:
-        return cast(list[float], pickle.loads(self.embedding))
+        return cast(list[float], pickle.loads(self.embedding))  # noqa: S301
 
 
 class DatasetCollectionBinding(db.Model):  # type: ignore[name-defined]