Skip to content

Commit 6d69cc2

Browse files
committed
Merge remote-tracking branch 'origin/main' into handle-invalid-gateway-url
2 parents 77500dd + 45c897d commit 6d69cc2

22 files changed

+1542
-159
lines changed

.github/workflows/snyk.yml.inactive

Lines changed: 412 additions & 0 deletions
Large diffs are not rendered by default.

.snyk

Lines changed: 226 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,226 @@
1+
# Snyk (https://snyk.io) policy file, which patches or ignores known vulnerabilities.
2+
version: v1.25.0
3+
4+
# Language settings
5+
language-settings:
6+
python: "3.12"
7+
8+
# Patches apply the minimum changes required to fix a vulnerability
9+
patches: []
10+
11+
# Ignore specific vulnerabilities
12+
ignore: {}
13+
14+
# Exclude files and directories from scanning
15+
exclude:
16+
global:
17+
# Test files
18+
- "tests/**"
19+
- "**/test_*.py"
20+
- "**/*_test.py"
21+
22+
# Documentation
23+
- "docs/**"
24+
- "*.md"
25+
26+
# Development/build artifacts
27+
- ".venv/**"
28+
- "venv/**"
29+
- "env/**"
30+
- "dist/**"
31+
- "build/**"
32+
- "*.egg-info/**"
33+
- "__pycache__/**"
34+
- "*.pyc"
35+
36+
# CI/CD and config files
37+
- ".github/**"
38+
- ".git/**"
39+
- "Makefile"
40+
- "docker-compose*.yml"
41+
- "docker-compose*.yaml"
42+
- "docker-compose*.yml"
43+
- "Dockerfile*"
44+
- "Containerfile*"
45+
46+
# Security scan results
47+
- "devskim-results.sarif"
48+
- ".semgrep/**"
49+
- ".gitleaks/**"
50+
- "snyk-*.json"
51+
- "sbom-*.json"
52+
- "aibom.json"
53+
54+
# IDE files
55+
- ".vscode/**"
56+
- ".idea/**"
57+
58+
# Coverage and reports
59+
- "htmlcov/**"
60+
- ".coverage"
61+
- "*.cover"
62+
- ".pytest_cache/**"
63+
64+
# Node/JS dependencies (if any)
65+
- "node_modules/**"
66+
67+
# Certificates and secrets (should not be in repo anyway)
68+
- "certs/**"
69+
- "*.pem"
70+
- "*.key"
71+
- "*.crt"
72+
73+
# Log files
74+
- "*.log"
75+
- "logs/**"
76+
77+
# Custom rules for Python
78+
custom-rules:
79+
- id: "insecure-jwt-secret"
80+
title: "Hardcoded JWT secret key"
81+
description: "JWT secret keys should not be hardcoded in source code"
82+
severity: "high"
83+
cwe: ["CWE-798"]
84+
85+
- id: "basic-auth-hardcoded"
86+
title: "Hardcoded basic authentication credentials"
87+
description: "Basic auth credentials should be stored securely, not in source code"
88+
severity: "high"
89+
cwe: ["CWE-798", "CWE-259"]
90+
91+
# Severity threshold for failing builds
92+
# Options: low, medium, high, critical
93+
fail-on: high
94+
95+
# Enable automatic fix PRs (if using Snyk with GitHub)
96+
enableAutomaticPRs: false
97+
98+
# Python-specific settings
99+
python:
100+
# Scan for vulnerabilities in installed packages
101+
enableLicensesScan: true
102+
103+
# Include dev dependencies in the scan
104+
includeDevDependencies: true
105+
106+
# Scan requirements files
107+
scanRequirements:
108+
- "requirements.txt"
109+
- "pyproject.toml"
110+
111+
# Additional pip arguments
112+
pipArgs: []
113+
114+
# Python version for compatibility checks
115+
pythonVersion: "3.12"
116+
117+
# Container scanning settings (for your Docker images)
118+
container:
119+
# Exclude base image vulnerabilities that can't be fixed
120+
exclude-base-image-vulns: false
121+
122+
# Severity threshold for container scanning
123+
severity-threshold: medium
124+
125+
# Infrastructure as Code settings
126+
iac:
127+
# Scan docker-compose, containers and charts
128+
scan:
129+
- "docker-compose.yml"
130+
- "docker-compose.yaml"
131+
- "docker-compose.*.yml"
132+
- "docker-compose.*.yaml"
133+
- "Containerfile"
134+
- "Containerfile.lite"
135+
- "Containerfile.*"
136+
- "charts/mcp-stack/**/*.yaml"
137+
- "charts/mcp-stack/**/*.yml"
138+
- "charts/**/values.yaml"
139+
- "charts/**/templates/*.yaml"
140+
141+
# Severity threshold for IaC issues
142+
severity-threshold: medium
143+
144+
# Code quality settings
145+
code:
146+
# Enable SAST (Static Application Security Testing)
147+
enableSAST: true
148+
149+
# Severity threshold for code issues
150+
severity-threshold: medium
151+
152+
# Integration settings
153+
integrations:
154+
# Integrate with your existing tools
155+
webhooks:
156+
- name: "security-alerts"
157+
enabled: false
158+
159+
# JIRA integration (if applicable)
160+
jira:
161+
enabled: false
162+
projectKey: ""
163+
issueType: "Bug"
164+
165+
# Slack integration (if applicable)
166+
slack:
167+
enabled: false
168+
webhookUrl: ""
169+
channel: "#security-alerts"
170+
severity-threshold: high
171+
172+
# License policies
173+
license-policies:
174+
# Allow only these licenses
175+
allow:
176+
- "MIT"
177+
- "Apache-2.0"
178+
- "BSD-3-Clause"
179+
- "BSD-2-Clause"
180+
- "ISC"
181+
- "Python-2.0"
182+
- "PSF-2.0"
183+
- "LGPL-3.0"
184+
- "LGPL-2.1"
185+
186+
# Explicitly deny these licenses
187+
deny:
188+
- "GPL-3.0"
189+
- "AGPL-3.0"
190+
- "SSPL"
191+
192+
# Review required for these licenses
193+
review:
194+
- "MPL-2.0"
195+
- "LGPL-2.0"
196+
- "CC-BY-SA-4.0"
197+
198+
# Monitoring settings
199+
monitoring:
200+
# Enable runtime monitoring (Snyk Runtime)
201+
runtime:
202+
enabled: false
203+
204+
# Alert on new vulnerabilities
205+
newVulnerabilities:
206+
enabled: false
207+
severity-threshold: medium
208+
209+
# Weekly summary reports
210+
weeklyReport:
211+
enabled: false
212+
day: "monday"
213+
214+
# CLI behavior
215+
cli:
216+
# Fail on issues of this severity or higher
217+
fail-on-issues: high
218+
219+
# Show all vulnerability paths
220+
show-vulnerable-paths: all
221+
222+
# Output format for CI/CD
223+
output: json
224+
225+
# Trust policies from this file
226+
trust-policies: true

MANIFEST.in

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,7 @@ include .coveragerc
4343
include .bumpversion.cfg
4444
include .yamllint
4545
include .editorconfig
46+
include .snyk
4647

4748
# 4️⃣ Runtime data that lives *inside* the package at import time
4849
recursive-include mcpgateway/templates *.html
@@ -68,6 +69,7 @@ prune charts
6869
prune k8s
6970
prune .devcontainer
7071

72+
7173
# Exclude deployment, mcp-servers and agent_runtimes
7274
prune deployment
7375
prune mcp-servers

0 commit comments

Comments
 (0)