| 1 | +# Snyk (https://snyk.io) policy file, which patches or ignores known vulnerabilities. |
| 2 | +version: v1.25.0 |
| 3 | + |
| 4 | +# Language settings |
| 5 | +language-settings: |
| 6 | + python: "3.12" |
| 7 | + |
| 8 | +# Patches apply the minimum changes required to fix a vulnerability |
| 9 | +patches: [] |
| 10 | + |
| 11 | +# Ignore specific vulnerabilities |
| 12 | +ignore: {} |
| 13 | + |
| 14 | +# Exclude files and directories from scanning |
| 15 | +exclude: |
| 16 | + global: |
| 17 | + # Test files |
| 18 | + - "tests/**" |
| 19 | + - "**/test_*.py" |
| 20 | + - "**/*_test.py" |
| 21 | + |
| 22 | + # Documentation |
| 23 | + - "docs/**" |
| 24 | + - "*.md" |
| 25 | + |
| 26 | + # Development/build artifacts |
| 27 | + - ".venv/**" |
| 28 | + - "venv/**" |
| 29 | + - "env/**" |
| 30 | + - "dist/**" |
| 31 | + - "build/**" |
| 32 | + - "*.egg-info/**" |
| 33 | + - "__pycache__/**" |
| 34 | + - "*.pyc" |
| 35 | + |
| 36 | + # CI/CD and config files |
| 37 | + - ".github/**" |
| 38 | + - ".git/**" |
| 39 | + - "Makefile" |
| 40 | + - "docker-compose*.yml" |
| 41 | + - "docker-compose*.yaml" |
| 42 | + - "docker-compose*.yml" |
| 43 | + - "Dockerfile*" |
| 44 | + - "Containerfile*" |
| 45 | + |
| 46 | + # Security scan results |
| 47 | + - "devskim-results.sarif" |
| 48 | + - ".semgrep/**" |
| 49 | + - ".gitleaks/**" |
| 50 | + - "snyk-*.json" |
| 51 | + - "sbom-*.json" |
| 52 | + - "aibom.json" |
| 53 | + |
| 54 | + # IDE files |
| 55 | + - ".vscode/**" |
| 56 | + - ".idea/**" |
| 57 | + |
| 58 | + # Coverage and reports |
| 59 | + - "htmlcov/**" |
| 60 | + - ".coverage" |
| 61 | + - "*.cover" |
| 62 | + - ".pytest_cache/**" |
| 63 | + |
| 64 | + # Node/JS dependencies (if any) |
| 65 | + - "node_modules/**" |
| 66 | + |
| 67 | + # Certificates and secrets (should not be in repo anyway) |
| 68 | + - "certs/**" |
| 69 | + - "*.pem" |
| 70 | + - "*.key" |
| 71 | + - "*.crt" |
| 72 | + |
| 73 | + # Log files |
| 74 | + - "*.log" |
| 75 | + - "logs/**" |
| 76 | + |
| 77 | +# Custom rules for Python |
| 78 | +custom-rules: |
| 79 | + - id: "insecure-jwt-secret" |
| 80 | + title: "Hardcoded JWT secret key" |
| 81 | + description: "JWT secret keys should not be hardcoded in source code" |
| 82 | + severity: "high" |
| 83 | + cwe: ["CWE-798"] |
| 84 | + |
| 85 | + - id: "basic-auth-hardcoded" |
| 86 | + title: "Hardcoded basic authentication credentials" |
| 87 | + description: "Basic auth credentials should be stored securely, not in source code" |
| 88 | + severity: "high" |
| 89 | + cwe: ["CWE-798", "CWE-259"] |
| 90 | + |
| 91 | +# Severity threshold for failing builds |
| 92 | +# Options: low, medium, high, critical |
| 93 | +fail-on: high |
| 94 | + |
| 95 | +# Enable automatic fix PRs (if using Snyk with GitHub) |
| 96 | +enableAutomaticPRs: false |
| 97 | + |
| 98 | +# Python-specific settings |
| 99 | +python: |
| 100 | + # Scan for vulnerabilities in installed packages |
| 101 | + enableLicensesScan: true |
| 102 | + |
| 103 | + # Include dev dependencies in the scan |
| 104 | + includeDevDependencies: true |
| 105 | + |
| 106 | + # Scan requirements files |
| 107 | + scanRequirements: |
| 108 | + - "requirements.txt" |
| 109 | + - "pyproject.toml" |
| 110 | + |
| 111 | + # Additional pip arguments |
| 112 | + pipArgs: [] |
| 113 | + |
| 114 | + # Python version for compatibility checks |
| 115 | + pythonVersion: "3.12" |
| 116 | + |
| 117 | +# Container scanning settings (for your Docker images) |
| 118 | +container: |
| 119 | + # Exclude base image vulnerabilities that can't be fixed |
| 120 | + exclude-base-image-vulns: false |
| 121 | + |
| 122 | + # Severity threshold for container scanning |
| 123 | + severity-threshold: medium |
| 124 | + |
| 125 | +# Infrastructure as Code settings |
| 126 | +iac: |
| 127 | + # Scan docker-compose, containers and charts |
| 128 | + scan: |
| 129 | + - "docker-compose.yml" |
| 130 | + - "docker-compose.yaml" |
| 131 | + - "docker-compose.*.yml" |
| 132 | + - "docker-compose.*.yaml" |
| 133 | + - "Containerfile" |
| 134 | + - "Containerfile.lite" |
| 135 | + - "Containerfile.*" |
| 136 | + - "charts/mcp-stack/**/*.yaml" |
| 137 | + - "charts/mcp-stack/**/*.yml" |
| 138 | + - "charts/**/values.yaml" |
| 139 | + - "charts/**/templates/*.yaml" |
| 140 | + |
| 141 | + # Severity threshold for IaC issues |
| 142 | + severity-threshold: medium |
| 143 | + |
| 144 | +# Code quality settings |
| 145 | +code: |
| 146 | + # Enable SAST (Static Application Security Testing) |
| 147 | + enableSAST: true |
| 148 | + |
| 149 | + # Severity threshold for code issues |
| 150 | + severity-threshold: medium |
| 151 | + |
| 152 | +# Integration settings |
| 153 | +integrations: |
| 154 | + # Integrate with your existing tools |
| 155 | + webhooks: |
| 156 | + - name: "security-alerts" |
| 157 | + enabled: false |
| 158 | + |
| 159 | + # JIRA integration (if applicable) |
| 160 | + jira: |
| 161 | + enabled: false |
| 162 | + projectKey: "" |
| 163 | + issueType: "Bug" |
| 164 | + |
| 165 | + # Slack integration (if applicable) |
| 166 | + slack: |
| 167 | + enabled: false |
| 168 | + webhookUrl: "" |
| 169 | + channel: "#security-alerts" |
| 170 | + severity-threshold: high |
| 171 | + |
| 172 | +# License policies |
| 173 | +license-policies: |
| 174 | + # Allow only these licenses |
| 175 | + allow: |
| 176 | + - "MIT" |
| 177 | + - "Apache-2.0" |
| 178 | + - "BSD-3-Clause" |
| 179 | + - "BSD-2-Clause" |
| 180 | + - "ISC" |
| 181 | + - "Python-2.0" |
| 182 | + - "PSF-2.0" |
| 183 | + - "LGPL-3.0" |
| 184 | + - "LGPL-2.1" |
| 185 | + |
| 186 | + # Explicitly deny these licenses |
| 187 | + deny: |
| 188 | + - "GPL-3.0" |
| 189 | + - "AGPL-3.0" |
| 190 | + - "SSPL" |
| 191 | + |
| 192 | + # Review required for these licenses |
| 193 | + review: |
| 194 | + - "MPL-2.0" |
| 195 | + - "LGPL-2.0" |
| 196 | + - "CC-BY-SA-4.0" |
| 197 | + |
| 198 | +# Monitoring settings |
| 199 | +monitoring: |
| 200 | + # Enable runtime monitoring (Snyk Runtime) |
| 201 | + runtime: |
| 202 | + enabled: false |
| 203 | + |
| 204 | + # Alert on new vulnerabilities |
| 205 | + newVulnerabilities: |
| 206 | + enabled: false |
| 207 | + severity-threshold: medium |
| 208 | + |
| 209 | + # Weekly summary reports |
| 210 | + weeklyReport: |
| 211 | + enabled: false |
| 212 | + day: "monday" |
| 213 | + |
| 214 | +# CLI behavior |
| 215 | +cli: |
| 216 | + # Fail on issues of this severity or higher |
| 217 | + fail-on-issues: high |
| 218 | + |
| 219 | + # Show all vulnerability paths |
| 220 | + show-vulnerable-paths: all |
| 221 | + |
| 222 | + # Output format for CI/CD |
| 223 | + output: json |
| 224 | + |
| 225 | + # Trust policies from this file |
| 226 | + trust-policies: true |
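Review bot: The global exclude list (file lines 40–44) removes `docker-compose*.yml`, `docker-compose*.yaml`, `Dockerfile*` and `Containerfile*` from scanning, while the `iac.scan` list at file lines 129–135 asks for exactly those files to be scanned; `exclude.global` in a `.snyk` policy applies to both code and IaC scans, so the IaC patterns would never be reached. Either move the container and compose patterns to `exclude.code`, so only SAST skips them, or drop them from the global list; `"docker-compose*.yml"` is also listed twice (file lines 40 and 42). Separately, as far as I can tell Snyk's documented `.snyk` schema covers only `version`, `ignore`, `patch`, `exclude` and `language-settings`, so the remaining top-level keys (`fail-on`, `cli`, `container`, `iac`, `code`, `integrations`, `license-policies`, `monitoring`, `custom-rules`) look like they would be ignored silently; enforcement such as `fail-on: high` should be confirmed to actually happen via CLI flags or organisation settings rather than relying on this file.

```yaml
exclude:
  global:
    # … unchanged: test, docs, build-artifact, report and secret patterns, with the
    #   docker-compose*/Dockerfile*/Containerfile* entries removed …
  code:
    # Container and compose files are kept out of SAST only; IaC still scans them.
    - "docker-compose*.yml"
    - "docker-compose*.yaml"
    - "Dockerfile*"
    - "Containerfile*"
```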