.snyk
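---
# Snyk (https://snyk.io) policy file, which patches or ignores known vulnerabilities.
version: v1.25.0

# NOTE(review): the documented .snyk schema covers version, language-settings,
# patch/ignore and exclude. The sections further down (custom-rules, fail-on,
# python, container, iac, code, integrations, license-policies, monitoring, cli)
# are not part of that schema as far as I know — confirm the CLI actually reads
# them; if it does not, severity gates such as fail-on must be enforced via CLI
# flags or organisation policy instead of this file, or builds will not fail.

# Language settings
language-settings:
  python: "3.12"

# Patches apply the minimum changes required to fix a vulnerability
patches: []

# Ignore specific vulnerabilities
# Any entry added here should carry a `reason` and an `expires` date so that
# accepted risk is documented and re-evaluated rather than silently permanent.
ignore: {}

# Exclude files and directories from scanning
# Everything listed here is invisible to Snyk Code/Open Source; keep the list
# to paths that genuinely contain no shipped code.
exclude:
  global:
    # Test files
    - "tests/**"
    - "**/test_*.py"
    - "**/*_test.py"
    # Documentation
    - "docs/**"
    - "*.md"
    # Development/build artifacts
    - ".venv/**"
    - "venv/**"
    - "env/**"
    - "dist/**"
    - "build/**"
    - "*.egg-info/**"
    - "__pycache__/**"
    - "*.pyc"
    # CI/CD and config files
    # (docker-compose*.yml was listed twice; one entry is enough.)
    - ".github/**"
    - ".git/**"
    - "Makefile"
    - "docker-compose*.yml"
    - "docker-compose*.yaml"
    - "Dockerfile*"
    - "Containerfile*"
    # Security scan results
    - "devskim-results.sarif"
    - ".semgrep/**"
    - ".gitleaks/**"
    - "snyk-*.json"
    - "sbom-*.json"
    - "aibom.json"
    # IDE files
    - ".vscode/**"
    - ".idea/**"
    # Coverage and reports
    - "htmlcov/**"
    - ".coverage"
    - "*.cover"
    - ".pytest_cache/**"
    # Node/JS dependencies (if any)
    - "node_modules/**"
    # Certificates and secrets (should not be in repo anyway)
    # Excluding these means an accidentally committed key will not be flagged
    # by Snyk; detection of committed secrets has to come from a dedicated
    # secret scanner (the repo appears to keep gitleaks output, see above).
    - "certs/**"
    - "*.pem"
    - "*.key"
    - "*.crt"
    # Log files
    - "*.log"
    - "logs/**"

# Custom rules for Python
custom-rules:
  - id: "insecure-jwt-secret"
    title: "Hardcoded JWT secret key"
    description: "JWT secret keys should not be hardcoded in source code"
    severity: "high"
    cwe: ["CWE-798"]
  - id: "basic-auth-hardcoded"
    title: "Hardcoded basic authentication credentials"
    description: "Basic auth credentials should be stored securely, not in source code"
    severity: "high"
    cwe: ["CWE-798", "CWE-259"]

# Severity threshold for failing builds
# Options: low, medium, high, critical
fail-on: high

# Enable automatic fix PRs (if using Snyk with GitHub)
enableAutomaticPRs: false

# Python-specific settings
python:
  # Scan for vulnerabilities in installed packages
  enableLicensesScan: true
  # Include dev dependencies in the scan
  includeDevDependencies: true
  # Scan requirements files
  scanRequirements:
    - "requirements.txt"
    - "pyproject.toml"
  # Additional pip arguments
  pipArgs: []
  # Python version for compatibility checks (quoted: 3.10 would parse as 3.1)
  pythonVersion: "3.12"

# Container scanning settings (for your Docker images)
container:
  # Exclude base image vulnerabilities that can't be fixed
  # Kept false so base-image findings stay visible and drive image updates.
  exclude-base-image-vulns: false
  # Severity threshold for container scanning
  severity-threshold: medium

# Infrastructure as Code settings
iac:
  # Scan docker-compose, containers and charts
  scan:
    - "docker-compose.yml"
    - "docker-compose.yaml"
    - "docker-compose.*.yml"
    - "docker-compose.*.yaml"
    - "Containerfile"
    - "Containerfile.lite"
    - "Containerfile.*"
    - "charts/mcp-stack/**/*.yaml"
    - "charts/mcp-stack/**/*.yml"
    - "charts/**/values.yaml"
    - "charts/**/templates/*.yaml"
  # Severity threshold for IaC issues
  severity-threshold: medium

# Code quality settings
code:
  # Enable SAST (Static Application Security Testing)
  enableSAST: true
  # Severity threshold for code issues
  severity-threshold: medium

# Integration settings
integrations:
  # Integrate with your existing tools
  webhooks:
    - name: "security-alerts"
      enabled: false
  # JIRA integration (if applicable)
  jira:
    enabled: false
    projectKey: ""
    issueType: "Bug"
  # Slack integration (if applicable)
  # webhookUrl is a credential: keep it empty here and inject it from a secret
  # store if the integration is ever enabled.
  slack:
    enabled: false
    webhookUrl: ""
    channel: "#security-alerts"
    severity-threshold: high

# License policies
license-policies:
  # Allow only these licenses
  allow:
    - "MIT"
    - "Apache-2.0"
    - "BSD-3-Clause"
    - "BSD-2-Clause"
    - "ISC"
    - "Python-2.0"
    - "PSF-2.0"
    - "LGPL-3.0"
    - "LGPL-2.1"
  # Explicitly deny these licenses
  deny:
    - "GPL-3.0"
    - "AGPL-3.0"
    - "SSPL"
  # Review required for these licenses
  review:
    - "MPL-2.0"
    - "LGPL-2.0"
    - "CC-BY-SA-4.0"

# Monitoring settings
monitoring:
  # Enable runtime monitoring (Snyk Runtime)
  runtime:
    enabled: false
  # Alert on new vulnerabilities
  newVulnerabilities:
    enabled: false
    severity-threshold: medium
  # Weekly summary reports
  weeklyReport:
    enabled: false
    day: "monday"

# CLI behavior
cli:
  # Fail on issues of this severity or higher
  fail-on-issues: high
  # Show all vulnerability paths
  show-vulnerable-paths: all
  # Output format for CI/CD
  output: json
  # Trust policies from this file
  trust-policies: true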