|
1 |
| -# Safety Security and License Configuration file |
2 |
| -# We recommend checking this file into your source control in the root of your Python project |
3 |
| -# If this file is named .safety-policy.yml and is in the same directory where you run `safety check` it will be used by default. |
4 |
| -# Otherwise, you can use the flag `safety check --policy-file <path-to-this-file>` to specify a custom location and name for the file. |
5 |
| -# To validate and review your policy file, run the validate command: `safety validate policy_file --path <path-to-this-file>` |
6 |
| -security: # configuration for the `safety check` command |
7 |
| - ignore-cvss-severity-below: 0 # A severity number between 0 and 10. Some helpful reference points: 9=ignore all vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except CRITICAL & HIGH severity. 4=ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity. |
8 |
| - ignore-cvss-unknown-severity: False # True or False. We recommend you set this to False. |
9 |
| - ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period) |
10 |
| - # We recommend making use of the optional `reason` and `expires` keys for each vulnerability that you ignore. |
11 |
| - 25853: # Example vulnerability ID |
12 |
| - reason: we don't use the vulnerable function # optional, for internal note purposes to communicate with your team. This reason will be reported in the Safety reports |
13 |
| - expires: '2022-10-21' # datetime string - date this ignore will expire, best practice to use this variable |
14 |
| - 51457: |
15 |
| - reason: > |
16 |
| - This vulnerability affects some dead code in the `py` dependency. This dependency is used by pytest but |
17 |
| - it does not use the affected code. More info: https://github.com/pytest-dev/py/issues/287 |
18 |
| - continue-on-vulnerability-error: False # Suppress non-zero exit codes when vulnerabilities are found. Enable this in pipelines and CI/CD processes if you want to pass builds that have vulnerabilities. We recommend you set this to False. |
19 |
| -alert: # configuration for the `safety alert` command |
20 |
| - security: |
21 |
| - # Configuration specific to Safety's GitHub Issue alerting |
22 |
| - github-issue: |
23 |
| - # Same as for security - these allow controlling if this alert will fire based |
24 |
| - # on severity information. |
25 |
| - # default: not set |
26 |
| - # ignore-cvss-severity-below: 6 |
27 |
| - # ignore-cvss-unknown-severity: False |
| 1 | +version: '3.0' |
| 2 | + |
| 3 | +scanning-settings: |
| 4 | + max-depth: 6 |
| 5 | + exclude: [] |
| 6 | + include-files: [] |
| 7 | + system: |
| 8 | + targets: [] |
| 9 | + |
| 10 | + |
| 11 | +report: |
| 12 | + dependency-vulnerabilities: |
| 13 | + enabled: true |
| 14 | + auto-ignore-in-report: |
| 15 | + python: |
| 16 | + environment-results: true |
| 17 | + unpinned-requirements: true |
| 18 | + cvss-severity: [] |
| 19 | + |
| 20 | + |
| 21 | +fail-scan-with-exit-code: |
| 22 | + dependency-vulnerabilities: |
| 23 | + enabled: true |
| 24 | + fail-on-any-of: |
| 25 | + cvss-severity: |
| 26 | + - high |
| 27 | + - critical |
| 28 | + - medium |
| 29 | + exploitability: |
| 30 | + - high |
| 31 | + - critical |
| 32 | + - medium |
| 33 | + |
| 34 | +security-updates: |
| 35 | + dependency-vulnerabilities: |
| 36 | + auto-security-updates-limit: |
| 37 | + - patch |
28 | 38 |
|
29 |
| - # Add a label to pull requests with the cvss severity, if available |
30 |
| - # default: true |
31 |
| - # label-severity: True |
32 |
| - |
33 |
| - # Add a label to pull requests, default is 'security' |
34 |
| - # requires private repo permissions, even on public repos |
35 |
| - # default: security |
36 |
| - # labels: |
37 |
| - # - security |
38 |
| - |
39 |
| - # Assign users to pull requests, default is not set |
40 |
| - # requires private repo permissions, even on public repos |
41 |
| - # default: empty |
42 |
| - # assignees: |
43 |
| - # - example-user |
44 |
| - |
45 |
| - # Prefix to give issues when creating them. Note that changing |
46 |
| - # this might cause duplicate issues to be created. |
47 |
| - # default: "[PyUp] " |
48 |
| - # issue-prefix: "[PyUp] " |
49 |
| - |
50 |
| - # Configuration specific to Safety's GitHub PR alerting |
51 |
| - github-pr: |
52 |
| - # Same as for security - these allow controlling if this alert will fire based |
53 |
| - # on severity information. |
54 |
| - # default: not set |
55 |
| - # ignore-cvss-severity-below: 6 |
56 |
| - # ignore-cvss-unknown-severity: False |
57 |
| - |
58 |
| - # Set the default branch (ie, main, master) |
59 |
| - # default: empty, the default branch on GitHub |
60 |
| - branch: '' |
61 |
| - |
62 |
| - # Add a label to pull requests with the cvss severity, if available |
63 |
| - # default: true |
64 |
| - # label-severity: True |
65 |
| - |
66 |
| - # Add a label to pull requests, default is 'security' |
67 |
| - # requires private repo permissions, even on public repos |
68 |
| - # default: security |
69 |
| - # labels: |
70 |
| - # - security |
71 |
| - |
72 |
| - # Assign users to pull requests, default is not set |
73 |
| - # requires private repo permissions, even on public repos |
74 |
| - # default: empty |
75 |
| - # assignees: |
76 |
| - # - example-user |
77 |
| - |
78 |
| - # Configure the branch prefix for PRs created by this alert. |
79 |
| - # NB: Changing this will likely cause duplicate PRs. |
80 |
| - # default: pyup/ |
81 |
| - branch-prefix: pyup/ |
82 |
| - |
83 |
| - # Set a global prefix for PRs |
84 |
| - # default: "[PyUp] " |
85 |
| - pr-prefix: "[PyUp] " |