mirror of https://github.com/hashicorp/consul
44 lines
1.3 KiB
HCL
44 lines
1.3 KiB
HCL
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
# Configuration for security scanner.
|
|
# Run on PRs and pushes to `main` and `release/**` branches.
|
|
# See .github/workflows/security-scan.yml for CI config.
|
|
|
|
# To run manually, install scanner and then run `scan repository .`
|
|
|
|
# Scan results are triaged via the GitHub Security tab for this repo.
|
|
# See `security-scanner` docs for more information on how to add `triage` config
|
|
# for specific results or to exclude paths.
|
|
|
|
# .release/security-scan.hcl controls scanner config for release artifacts, which
|
|
# unlike the scans configured here, will block releases in CRT.
|
|
|
|
repository {
|
|
go_modules = true
|
|
npm = true
|
|
osv = true
|
|
|
|
secrets {
|
|
all = true
|
|
}
|
|
|
|
# Triage items that are _safe_ to ignore here. Note that this list should be
|
|
# periodically cleaned up to remove items that are no longer found by the scanner.
|
|
triage {
|
|
suppress {
|
|
# N.b. `vulnerabilites` is the correct spelling for this tool.
|
|
vulnerabilites = [
|
|
"GO-2024-2631", # go-jose/v3@v3.0.3 (false positive)
|
|
]
|
|
paths = [
|
|
"internal/tools/proto-gen-rpc-glue/e2e/consul/*",
|
|
"test/integration/connect/envoy/test-sds-server/*",
|
|
"test/integration/consul-container/*",
|
|
"testing/deployer/*",
|
|
"test-integ/*",
|
|
]
|
|
}
|
|
}
|
|
}
|