# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

# Configuration for security scanner.
# Run on PRs and pushes to `main` and `release/**` branches.
# See .github/workflows/security-scan.yml for CI config.

# To run manually, install scanner and then run `scan repository .`

# Scan results are triaged via the GitHub Security tab for this repo.
# See `security-scanner` docs for more information on how to add `triage` config
# for specific results or to exclude paths.

# .release/security-scan.hcl controls scanner config for release artifacts, which
# unlike the scans configured here, will block releases in CRT.

repository {
  go_modules   = true
  npm          = true
  osv          = true

  secrets {
    all = true
  }

  # Triage items that are _safe_ to ignore here. Note that this list should be
  # periodically cleaned up to remove items that are no longer found by the scanner.
  triage {
    suppress {
      # N.b. `vulnerabilites` is the correct spelling for this tool.
      vulnerabilites = [
        "GO-2024-2631", # go-jose/v3@v3.0.3 (false positive)
      ]
      paths = [
        "internal/tools/proto-gen-rpc-glue/e2e/consul/*",
        "test/integration/connect/envoy/test-sds-server/*",
        "test/integration/consul-container/*",
        "testing/deployer/*",
        "test-integ/*",
      ]
    }
  }
}