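---
# Grype vulnerability scanning configuration for central-services-metrics
# This is a library project without Docker images, so we use source scanning
# NOTE(review): `scan-type` and `disabled` do not appear to be keys of Grype's
# own configuration; presumably they are consumed by the CI orb that wraps
# Grype — confirm, since an unknown key is otherwise ignored without error.
scan-type: source
# Enable vulnerability scanning
disabled: false

# Vulnerability ignore rules
# Add specific CVEs here if they are false positives or acceptable risks.
# Written as an explicit empty list: a bare `ignore:` parses as null rather
# than as an empty sequence, which a list-typed setting may not accept.
ignore: []
# Example format for ignoring specific vulnerabilities:
#   - vulnerability: "CVE-2023-xxxxx"
#     reason: "False positive in dev dependency that doesn't affect production"
#   - vulnerability: "GHSA-xxxx-xxxx-xxxx"
#     package:
#       name: "package-name"
#       version: "1.0.0"
#     reason: "Not exploitable in our usage context"

# Output formats for scan results
output:
  - "table"  # Human-readable table format
  - "json"   # Machine-readable JSON for further processing

# Grype configuration options
quiet: false                 # Show progress and status messages
check-for-app-update: false  # Don't check for Grype updates during CI
only-fixed: false            # Show all vulnerabilities, not just those with fixes
add-cpes-if-none: false      # Don't add CPEs if none are found
by-cve: false                # Group by vulnerability rather than CVE

# Database settings
db:
  auto-update: true            # Auto-update the vulnerability database
  validate-age: true           # Validate the age of the vulnerability database
  max-allowed-built-age: 120h  # Maximum age of the vulnerability database (5 days)

# Severity thresholds (handled by the orb, but documented here for clarity)
# The build will fail on Critical, High, or Medium severity vulnerabilities
# Low and Negligible severities are reported but won't fail the build
# NOTE(review): no `fail-on-severity` is set in this file, so a Grype run
# outside the orb (e.g. locally) reports findings but does not fail —
# confirm the orb is the only place the threshold is enforced.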