Add various vulnerability scanning configs (#69)

doshitan · web-flow · commit 1f9d6ecfdce7 · 2025-02-04T15:18:28.000-05:00
After recent package updates and other fixes[1][2][3][4], ignore remaining false positives/things of less immediate concern. [1] 37ff3d9 [2] 315596d [3] e2ea148 [4] ef36d7b
diff --git a/template/{{app_name}}/.dockleconfig b/template/{{app_name}}/.dockleconfig
@@ -0,0 +1,4 @@
+# This file is allows you to specify a list of files that is acceptable to Dockle
+# To allow multiple files, use a list of names.
+# https://github.com/goodwithtech/dockle#accept-suspicious-environment-variables--files--file-extensions
+DOCKLE_ACCEPT_FILES=omniauth.rb,rails/config/database.yml
diff --git a/template/{{app_name}}/.hadolint.yaml b/template/{{app_name}}/.hadolint.yaml
@@ -0,0 +1,7 @@
+# List of settings and ignore or safelist findings for the hadolint scanner
+
+# For more information on any settings you can specify, see the actions' documentation here
+# https://github.com/hadolint/hadolint#configure
+failure-threshold: warning
+ignored:
+  - DL3008 # ideally we might just pin the docker image itself
diff --git a/template/{{app_name}}/trivy-secret.yaml b/template/{{app_name}}/trivy-secret.yaml
@@ -0,0 +1,4 @@
+allow-rules:
+  - id: jwt-token
+    description: Skip commented out/example JWT secret embedded in AWS SDK source code
+    path: .*/aws-sdk-ssooidc/client\.rb
