feat(security): add Snyk scope baseline to generated projects#106

Open
williaby wants to merge 1 commit into
mainfrom
feat/snyk-scope-baseline

Conversation

@williaby

Collaborator

Summary

  • Adds .snyk, .dcignore, and .vscode/settings.json to the generated project directory ({{cookiecutter.project_slug}}/) so every scaffolded repo scopes Snyk to project-owned code from day one.
  • Snyk scans the on-disk working tree, not git or manifests, so it walks into .venv/, .worktrees/, node_modules/, and vendored site-packages/ and reports third-party vulnerabilities as if they belong to the project. .gitignore does not constrain Snyk's scan. A real team hit ~192 noise findings this way.
  • Updates {{cookiecutter.project_slug}}/.gitignore with negation patterns so .vscode/settings.json is tracked despite the .vscode/ ignore rule.
  • Updates CHANGELOG.md under [Unreleased].

Files changed

| File | Purpose |
| --- | --- |
| .snyk | exclude: paths scope Snyk SCA scan |
| .dcignore | Same path set scopes Snyk Code scan |
| .vscode/settings.json | snyk.advanced.additionalParameters scopes VS Code extension |
| .gitignore | Negation patterns to track settings.json |
| CHANGELOG.md | Documents the addition |

Test plan

  • pre-commit run --all-files passes (confirmed locally: all 25 hooks pass)
  • cookiecutter.json is untouched (verified: no diff)
  • New files contain no unescaped {{ }} cookiecutter markers (verified)
  • Generated .snyk exclude: block covers .venv, .worktrees, node_modules, site, htmlcov, out, **/site-packages/**
  • Generated .dcignore uses gitignore-style path syntax
  • .vscode/settings.json appears in git after generation (negation in .gitignore confirmed)

Generated with Claude Code

Add .snyk, .dcignore, and .vscode/settings.json to the generated project
directory so every project scaffolded from this template scopes Snyk to
project-owned code only.

Snyk scans the on-disk working tree, not git or manifests, so without these
files it walks into .venv/, .worktrees/, node_modules/, and site-packages/
and reports third-party dependency vulnerabilities as if they belong to the
project (observed: ~192 noise findings from vendored packages). .gitignore
does not constrain Snyk's filesystem scan.

Changes:
- {{cookiecutter.project_slug}}/.snyk: exclude paths for .venv, .worktrees,
  node_modules, site, htmlcov, out, and **/site-packages/**
- {{cookiecutter.project_slug}}/.dcignore: same exclusion set for Snyk Code
- {{cookiecutter.project_slug}}/.vscode/settings.json: snyk.advanced.additionalParameters
  for the VS Code Snyk extension
- {{cookiecutter.project_slug}}/.gitignore: negation patterns to track
  .vscode/settings.json despite the .vscode/ ignore rule
- CHANGELOG.md: document the addition under [Unreleased]

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
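The baseline described above, as an added example and not the PR's own files: a POSIX sh script that writes the four files with the path set from the PR into a scratch project directory and then checks the test-plan invariants (same path set in .snyk and .dcignore, no `{{` cookiecutter markers, settings.json re-included). The `exclude: global:` layout of `.snyk`, the `--exclude` value handed to the extension, and the `.vscode/*` spelling of the ignore rule are assumptions; the last matters because Git cannot re-include a file beneath a directory that is itself ignored, so a bare `.vscode/` rule would defeat the negation.

```shell
# Added example, not the PR's own files: writes the Snyk scope baseline into a
# scratch project directory and checks the invariants listed in the test plan.
# Assumed: the `exclude: global:` schema of .snyk, the `--exclude` flag value
# passed via snyk.advanced.additionalParameters, and an ignore rule spelled
# `.vscode/*` (Git cannot re-include a file beneath an ignored directory).
set -f   # no globbing, so `**/site-packages/**` is emitted literally

# Path set from the PR; one list feeds both .snyk (SCA) and .dcignore (Code).
SCOPE_PATHS=".venv .worktrees node_modules site htmlcov out **/site-packages/**"

write_snyk_baseline() {   # $1 = generated project directory
    mkdir -p "$1/.vscode"
    {
        echo "version: v1.25.0"
        echo "exclude:"
        echo "  global:"
        for p in $SCOPE_PATHS; do echo "    - $p"; done
    } > "$1/.snyk"
    for p in $SCOPE_PATHS; do echo "$p"; done > "$1/.dcignore"
    # The extension passes extra CLI args; --exclude takes directory names only,
    # so the site-packages glob is not repeated here.
    printf '{\n  "snyk.advanced.additionalParameters": "--exclude=.venv,.worktrees,node_modules,site,htmlcov,out"\n}\n' \
        > "$1/.vscode/settings.json"
    printf '.vscode/*\n!.vscode/settings.json\n' > "$1/.gitignore"
}

# 0 when .snyk and .dcignore list exactly the same paths, 1 otherwise.
check_scope_consistent() {
    sca=$(awk '/^    - /{print $2}' "$1/.snyk" | sort)
    code=$(sort "$1/.dcignore")
    [ "$sca" = "$code" ]
}

# 0 when no generated file contains a `{{` marker that cookiecutter's Jinja
# pass would try to render.
check_no_cookiecutter_markers() {
    ! grep -q '{{' "$1/.snyk" "$1/.dcignore" "$1/.gitignore" "$1/.vscode/settings.json"
}

# 0 when settings.json is re-included after the .vscode/* ignore rule.
check_settings_tracked() {
    grep -qxF '!.vscode/settings.json' "$1/.gitignore"
}

# Stand-alone run against a scratch directory.
proj=$(mktemp -d)
write_snyk_baseline "$proj"
check_scope_consistent "$proj" && check_no_cookiecutter_markers "$proj" \
    && check_settings_tracked "$proj" && echo "scope baseline OK: $proj"
```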
@coderabbitai

coderabbitai Bot commented Jun 29, 2026


Warning

Review limit reached

@williaby, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 3 minutes


Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 52562e1c-68d2-45aa-bed9-5679108895dd

📥 Commits

Reviewing files that changed from the base of the PR and between efcf21f and e5d340e.

📒 Files selected for processing (5)
  • CHANGELOG.md
  • {{cookiecutter.project_slug}}/.dcignore
  • {{cookiecutter.project_slug}}/.gitignore
  • {{cookiecutter.project_slug}}/.snyk
  • {{cookiecutter.project_slug}}/.vscode/settings.json

@williaby williaby added this pull request to the merge queue Jun 29, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Jun 29, 2026
@williaby williaby added this pull request to the merge queue Jun 30, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Jun 30, 2026