-
Notifications
You must be signed in to change notification settings - Fork 169
Expand file tree
/
Copy pathscan.hcl
More file actions
69 lines (53 loc) · 1.54 KB
/
Copy pathscan.hcl
File metadata and controls
69 lines (53 loc) · 1.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# Copyright IBM Corp. 2025
# SPDX-License-Identifier: MPL-2.0
# Configuration for security scanner.
# Run on PRs and pushes to `main` and `release/**` branches.
# See .github/workflows/security-scan.yml for CI config.
# To run manually, install scanner and then run `scan repository .`
# Scan results are triaged via the GitHub Security tab for this repo.
# See `security-scanner` docs for more information on how to add `triage` config
# for specific results or to exclude paths.
# .release/security-scan.hcl controls scanner config for release artifacts, which
# unlike the scans configured here, will block releases in CRT.
repository {
go_modules = true
osv = true
go_stdlib_version_file = ".go-version"
secrets {
all = true
}
github_actions {
pinned_hashes = true
injection = true
}
dependabot {
required = true
check_config = true
}
dockerfile {
pinned_hashes = true
curl_bash = true
}
github_branch_protections {
branch "main" {
include_administrators = true
require_pr {
required_approvals = 1
dismiss_stale = true
}
}
}
plugin "codeql" {
languages = ["go"]
}
# Triage items that are _safe_ to ignore here. Note that this list should be
# periodically cleaned up to remove items that are no longer found by the scanner.
triage {
suppress {
vulnerabilities = []
# Vulnerabilities that are false positives
paths = []
# Paths that are not relevant to the scan
}
}
}