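---
# Grype vulnerability scanning configuration for central-services-stream
# This is a library project without Docker images, so we use source scanning
# (the checked-out tree and its dependency manifests) rather than image scanning.
#
# `scan-type` and `disabled` are not native Grype settings; presumably the CI
# orb reads them (see the severity note at the bottom). Confirm against the orb's
# documentation if this file is ever consumed by `grype` directly.
scan-type: source
# Enable vulnerability scanning
disabled: false

# Vulnerability ignore rules
# Every entry suppresses a finding for the whole project, so each one should:
#   - carry a `reason` that says why the risk is accepted or why it is a false positive
#   - be scoped with `package.name` / `package.version` where possible, so the
#     suppression lapses automatically once the dependency is upgraded
#   - be re-reviewed periodically (Grype has no built-in expiry for ignore rules)
# Note: `by-cve` is false below, so rules must use the ID Grype reports natively
# (GHSA-... for npm advisories), not the mapped CVE.
ignore:
  # Example format for ignoring specific vulnerabilities:
  # - vulnerability: "CVE-2023-xxxxx"
  #   reason: "False positive in dev dependency that doesn't affect production"
  # - vulnerability: "GHSA-xxxx-xxxx-xxxx"
  #   package:
  #     name: "package-name"
  #     version: "1.0.0"
  #   reason: "Not exploitable in our usage context"
  #
  # NOTE(review): the reason below is missing its subject (presumably the fixed
  # ESLint 9 release) and the rule is not scoped to a package/version, so it
  # stays in force even after the affected package is upgraded. Confirm the
  # affected package and version from the Grype report and add a `package:` scope.
  - vulnerability: "GHSA-p5wg-g6qr-c7cg"
    reason: >-
      is incompatible with standard@17.1.2. ESLint 9 removed several options
      (extensions, useEslintrc, resolvePluginsRelativeTo) that standard-engine
      relies on. The standard package requires eslint@^8.41.0

# Output formats for scan results
output:
  - "table"  # Human-readable table format
  - "json"   # Machine-readable JSON for further processing

# Grype configuration options
quiet: false  # Show progress and status messages
check-for-app-update: false  # Don't check for Grype updates during CI
only-fixed: false  # Report all vulnerabilities, not just those with an available fix
add-cpes-if-none: false  # Don't synthesise CPEs for packages that lack one
by-cve: false  # Report Grype's native IDs (e.g. GHSA) rather than mapping findings to CVE IDs

# Database settings
db:
  auto-update: true  # Auto-update the vulnerability database before scanning
  validate-age: true  # Reject a vulnerability database older than max-allowed-built-age
  max-allowed-built-age: 120h  # Maximum age of the vulnerability database (5 days)

# Severity thresholds (handled by the orb, but documented here for clarity)
# The build will fail on Critical, High, or Medium severity vulnerabilities
# Low and Negligible severities are reported but won't fail the build
# NOTE: no `fail-on-severity` is set in this file, so running `grype` outside the
# orb applies no severity gate at all; set `fail-on-severity: medium` in that
# case to match the orb's policy.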