@@ -234,36 +234,41 @@ ovsx:
234234 scanning :
235235 enabled : true
236236
237- similarity :
238- enabled : true
239- enforced : true
240- levenshtein-threshold : 0.2 # Min 20% name difference allowed
241- skip-verified-publishers : true # Skip checks for verified publishers
242- check-against-verified-only : true # Compare only against verified extensions
243- exclude-owner-namespaces : true # Skip checks against extensions in namespaces owned by the same publisher
244- new-extensions-only : false # Skip checks for extension with existing versions, applies similarity checks only to new extensions
245-
246- secret-scanning :
247- enabled : true
248- rules-path : ' classpath:scanning/secret-scanning-custom-rules.yaml'
249-
250- auto-generate-rules : true
251- force-regenerate-rules : false
252- generated-rules-path : ' /tmp/secret-scanning-rules-gitleaks.yaml'
237+ # Shared archive limits for all scanning checks (secret detection, blocklist, etc.)
238+ max-archive-size-bytes : 1073741824 # 1 GB total archive limit
239+ max-single-file-bytes : 268435456 # 256 MB per-file limit
240+ max-entry-count : 100000 # Max ZIP entries to process
241+ blocklist-check :
242+ enabled : true
243+ enforced : false
253244
254- # File & Archive Limits
255- max-file-size-bytes : 5242880 # 5 MB per file
256- max-entry-count : 50000 # Max entries in archive
257- max-total-uncompressed-bytes : 104857600 # 100 MB total
258- max-findings : 200 # Stop after N secrets
245+ similarity :
246+ enabled : true
247+ enforced : false
248+ similarity-threshold : 0.2 # Min 20% name difference allowed
249+ skip-if-publisher-verified : false # Do not skip checks for verified publishers
250+ only-protect-verified-names : false
251+ allow-similarity-to-own-names : true # Skip checks against extensions in namespaces owned by the same publisher
252+ only-check-new-extensions : true # Skip checks for extension with existing versions, applies similarity checks only to new extensions
259253
260- # Line Processing
261- inline-suppressions : ' secret-scanner:ignore,gitleaks:allow,nosecret,@suppress-secret'
262- max-line-length : 10000
263- long-line-no-space-threshold : 1000
264- keyword-context-chars : 100
265- log-allowlisted-value-preview-length : 10
254+ secret-detection :
255+ enabled : true
256+ enforced : false
257+ rules-path : ' classpath:scanning/secret-detection-custom-rules.yaml'
258+ suppression-markers : ' secret-detector:ignore,gitleaks:allow,nosecret,@suppress-secret'
259+ gitleaks :
260+ auto-fetch : true
261+ force-refresh : true
262+ output-path : ' /tmp/secret-detection-rules-gitleaks.yaml'
263+ scheduled-refresh : true
264+ refresh-cron : ' 0 0 3 * * *' # Daily at 3 AM
265+ skip-rule-ids : ' generic-api-key' # Rule IDs that produce too many false positives
266+ max-findings : 200
267+ minified-line-threshold : 10000
268+ long-line-no-space-threshold : 1000
269+ regex-context-chars : 100
270+ debug-preview-chars : 10
266271
267- # Timeout & Performance
268- timeout-seconds : 5
269- timeout-check-every-n-lines : 100
272+ # Timeout & Performance
273+ timeout-seconds : 10
274+ timeout-check-interval : 100
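Review bot: The new `max-archive-size-bytes` takes over from the removed `max-total-uncompressed-bytes`, but its comment (`# 1 GB total archive limit`) no longer says whether the cap is on the compressed ZIP or on the inflated total, and only the latter defends against zip bombs, which the old key name made explicit. If the scanner sums entry sizes as it inflates them, the comment should say so, e.g. `max-archive-size-bytes : 1073741824  # 1 GB cap on total uncompressed bytes across all entries (zip-bomb guard)`; if it only checks on-disk size, the uncompressed bound has been lost and should be reinstated, especially with the per-file limit raised to 256 MB and the scan timeout only 10 s. Separately, every check in the new block is `enforced : false`, including the similarity check that was previously `enforced : true`, so name-squatting and secret findings appear to become advisory only; a comment such as `# enforced: false = report only, publication is not blocked` would make that choice visible to operators. Finally, `output-path : '/tmp/secret-detection-rules-gitleaks.yaml'` is a fixed, predictable path in a world-writable directory, and unless the file is created exclusively and validated before loading, a local user could pre-place a file or symlink there and the detector would load attacker-supplied rules, so a path under the application's own data directory is safer. The `scanning` mapping these keys belong to begins above the hunk.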