# Security Scanning Configuration
# This file helps security scanners avoid false positives in our Ansible project
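[security-exclusions]
# Lines that a scanner should ignore. Keep these narrow: a pattern that
# matches every comment containing "=" would also hide a commented-out
# credential assignment (e.g. "# api_key = ..."), turning a leak into a
# silent false negative. The regex below therefore matches only comment
# lines whose entire content is a run of "=" (banner decorations), with or
# without leading indentation. A literal string is used so the regex needs
# no backslash escaping.
exclude_patterns = [
    '^\s*#\s*=+\s*$', # Banner comment lines: optional indent, "#", then only "="
    "========================================", # Bare YAML banner decoration
    "# ========================================", # Commented YAML banner decoration
]
# Files that contain test/example data and should be scanned differently.
# NOTE(review): the last two globs match any path containing the substring
# ("latest", "contest", ...), not only fixtures; confirm the consumer's glob
# semantics before relying on them to relax scanning.
test_files = [
    "**/test*.yml",
    "**/test*.yaml",
    "**/validation/**",
    "**/docs/research/**",
    "**/*test*",
    "**/*example*",
]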
# AWS False Positive Exclusions
[aws-exclusions]
# Banner decorations in validation files that the AWS secret-access-key
# detector reports; they are not credentials.
# NOTE(review): presumably flagged because a long run of "=" fits the
# key's character class and length — confirm against the scanner's rule.
false_positives = [
    "========================================",
    "# ========================================",
]
# Project context
[project]
type = "ansible"
framework = "ansible-collection"
# Validation files are skipped entirely: anything committed under them is
# never scanned, so real credentials must not be placed there.
ignore_validation_files = true
# Project-specific lines that detectors report but that carry no secret.
# NOTE(review): framework is also set under [scan-context] with a different
# value ("infrastructure-automation"); confirm which one the consumer reads.
ansible_false_positives = [
    "# =============================================================================",
    "========================================",
    "# Test configuration",
    "# Experimental",
]
[scan-context]
project_type = "ansible-collection"
framework = "infrastructure-automation"
# Directories skipped by the file walk: VCS metadata, vendored/third-party
# dependencies and caches. Nothing under these paths is scanned, so
# first-party configuration must not live inside them.
exclude_directories = [
    ".git",
    "node_modules",
    "venv",
    ".venv",
    "__pycache__",
    ".pytest_cache",
]