-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy path.safety-policy.yml
94 lines (81 loc) · 4.82 KB
/
.safety-policy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# Safety Security and License Configuration file
# We recommend checking this file into your source control in the root of your Python project
# If this file is named .safety-policy.yml and is in the same directory where you run `safety check` it will be used by default.
# Otherwise, you can use the flag `safety check --policy-file <path-to-this-file>` to specify a custom location and name for the file.
# To validate and review your policy file, run the validate command: `safety validate policy_file --path <path-to-this-file>`
security: # configuration for the `safety check` command
ignore-cvss-severity-below: 4 # A severity number between 0 and 10. Some helpful reference points: 9=ignore all vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except CRITICAL & HIGH severity. 4=ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity.
ignore-cvss-unknown-severity: False # True or False. We recommend you set this to False.
ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period)
# We recommend making use of the optional `reason` and `expires` keys for each vulnerability that you ignore.
59399: # Vulnerability ID
reason: the scipy developers identified its CVE classification as unwarranted # optional, for internal note purposes to communicate with your team. This reason will be reported in the Safety reports
# this exception can be removed when Python 3.8 is not supported
# expires: '2022-10-21' # datetime string - date this ignore will expire, best practice to use this variable
65212: # Vulnerability ID
reason: this is for a crypto error that is not relevant to us functionally, and only happens on PowerPCs.
67599:
reason: this only affects the --extra-index-url option in pip which we don't currently use. It is also intended behavior and is up to the user to operate --extra-index-url safely.
70612:
reason: we're only using jinja on the client side to template notebooks
71064:
reason: the CVE-2024-35195 vulnerability affects the use of "verify=False" in requests, but our project does not use this parameter in any API calls, so this risk can be ignored. If this version fixes our bug, we will find another solution.
73725:
reason: We aren't using starlette directly. It is pulled in as a transitive dependency from the Modal SDK
continue-on-vulnerability-error: False # Suppress non-zero exit codes when vulnerabilities are found. Enable this in pipelines and CI/CD processes if you want to pass builds that have vulnerabilities. We recommend you set this to False.
alert: # configuration for the `safety alert` command
security:
# Configuration specific to Safety's GitHub Issue alerting
github-issue:
# Same as for security - these allow controlling if this alert will fire based
# on severity information.
# default: not set
# ignore-cvss-severity-below: 6
# ignore-cvss-unknown-severity: False
# Add a label to pull requests with the cvss severity, if available
# default: true
# label-severity: True
# Add a label to pull requests, default is 'security'
# requires private repo permissions, even on public repos
# default: security
# labels:
# - security
# Assign users to pull requests, default is not set
# requires private repo permissions, even on public repos
# default: empty
# assignees:
# - example-user
# Prefix to give issues when creating them. Note that changing
# this might cause duplicate issues to be created.
# default: "[PyUp] "
# issue-prefix: "[PyUp] "
# Configuration specific to Safety's GitHub PR alerting
github-pr:
# Same as for security - these allow controlling if this alert will fire based
# on severity information.
# default: not set
# ignore-cvss-severity-below: 6
# ignore-cvss-unknown-severity: False
# Set the default branch (ie, main, master)
# default: empty, the default branch on GitHub
branch: ""
# Add a label to pull requests with the cvss severity, if available
# default: true
# label-severity: True
# Add a label to pull requests, default is 'security'
# requires private repo permissions, even on public repos
# default: security
# labels:
# - security
# Assign users to pull requests, default is not set
# requires private repo permissions, even on public repos
# default: empty
# assignees:
# - example-user
# Configure the branch prefix for PRs created by this alert.
# NB: Changing this will likely cause duplicate PRs.
# default: pyup/
branch-prefix: pyup/
# Set a global prefix for PRs
# default: "[PyUp] "
pr-prefix: "[PyUp] "