diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4e88169..43f9bfa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
+- Snyk scope baseline in generated projects: `.snyk` (exclude paths for
+ `.venv/`, `.worktrees/`, `node_modules/`, `site/`, `htmlcov/`, `out/`,
+ and `**/site-packages/**`) prevents Snyk's filesystem scan from walking
+ into virtual environments and vendored packages; `.dcignore` applies the
+ same exclusions to Snyk Code; `.vscode/settings.json` adds
+ `snyk.advanced.additionalParameters` for the VS Code extension. Note:
+ `.gitignore` does not constrain Snyk's scan; these files are required to
+ scope it to project-owned code
 - `qlty.yml` reusable-workflow caller in generated projects' `.github/workflows/` (satisfies CI-013 manifest gap); pins upstream `python-qlty-coverage.yml` at SHA `1b2d33c4`; runs on CI workflow_run
diff --git a/{{cookiecutter.project_slug}}/.dcignore b/{{cookiecutter.project_slug}}/.dcignore
new file mode 100644
index 0000000..5493c01
--- /dev/null
+++ b/{{cookiecutter.project_slug}}/.dcignore
@@ -0,0 +1,10 @@
+# Snyk Code scope configuration (gitignore-style).
+# .dcignore scopes Snyk Code's filesystem scan to project-owned code.
+# Paths listed here are excluded from Snyk Code analysis.
+.venv/
+.worktrees/
+node_modules/
+site/
+htmlcov/
+out/
+**/site-packages/**
diff --git a/{{cookiecutter.project_slug}}/.gitignore b/{{cookiecutter.project_slug}}/.gitignore
index 8ac6ccc..63ab2dd 100644
--- a/{{cookiecutter.project_slug}}/.gitignore
+++ b/{{cookiecutter.project_slug}}/.gitignore
@@ -148,6 +148,8 @@ dmypy.json
 # IDE specific files
 .vscode/
+# Track Snyk VS Code extension settings (project-scoped, not personal IDE settings)
+!.vscode/settings.json
 .idea/
 *.swp
 *.swo
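Review bot: The added `!.vscode/settings.json` directly after `.vscode/` is a no-op, because git cannot re-include a path whose parent directory is already excluded, so generated projects will still leave `.vscode/settings.json` untracked and the Snyk extension scope will not be committed. The same defect is in the second `.gitignore` hunk (`@@ -219,6 +221,8 @@`), where `.vscode` without a trailing slash also matches the directory. Change the directory rule to match the directory's contents instead, `.vscode/*` in both hunks, so the negation on the following line can take effect; `git check-ignore -v .vscode/settings.json` run in a generated project shows which rule wins.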
@@ -219,6 +221,8 @@ ENV/
 # IDE and Editor files
 .vscode
+# Track Snyk VS Code extension settings (project-scoped, not personal IDE settings)
+!.vscode/settings.json
 .idea
 .sublime-project
 .sublime-workspace
diff --git a/{{cookiecutter.project_slug}}/.snyk b/{{cookiecutter.project_slug}}/.snyk
new file mode 100644
index 0000000..dda8e3b
--- /dev/null
+++ b/{{cookiecutter.project_slug}}/.snyk
@@ -0,0 +1,19 @@
+# Snyk scope configuration.
+# Snyk scans the on-disk working tree, not git or the project manifests, so
+# it walks into virtual environments, worktrees, and vendored packages and
+# reports their dependencies as if they belong to this project.
+# .gitignore does NOT constrain Snyk's filesystem scan.
+# The paths below scope Snyk to project-owned code only.
+version: v1.25.0
+exclude:
+ global:
+ - .venv/**
+ - "**/.venv/**"
+ - .worktrees/**
+ - "**/.worktrees/**"
+ - node_modules/**
+ - "**/node_modules/**"
+ - site/**
+ - htmlcov/**
+ - out/**
+ - "**/site-packages/**"
diff --git a/{{cookiecutter.project_slug}}/.vscode/settings.json b/{{cookiecutter.project_slug}}/.vscode/settings.json
new file mode 100644
index 0000000..8aae378
--- /dev/null
+++ b/{{cookiecutter.project_slug}}/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "snyk.advanced.additionalParameters": "--exclude=.venv,.worktrees,node_modules,site,htmlcov,out"
+}
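Review bot: In the `exclude.global` list only `.venv`, `.worktrees` and `node_modules` get both a root-level and a `**/` variant, while `site/**`, `htmlcov/**` and `out/**` match only at the repository root, so a nested `htmlcov/` or `out/` (for example inside a sub-package or a worktree that is not under `.worktrees/`) would still be scanned. If that asymmetry is deliberate because those three are root-only build outputs, a comment on the list saying so would keep the next maintainer from "fixing" it, e.g. `# site/, htmlcov/, out/ are root-level build outputs only; no **/ variant needed`; otherwise add the `"**/site/**"`, `"**/htmlcov/**"` and `"**/out/**"` entries for consistency with the first three. Either way, every exclusion here hides code from the scanner, so the header comment should also state that these paths are expected to contain no project-owned source, which is the property a reviewer needs to check before extending the list.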
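Review bot: The `--exclude=.venv,.worktrees,node_modules,site,htmlcov,out` value omits `site-packages`, which both `.snyk` and `.dcignore` in this commit exclude, so the VS Code extension's scan can still walk into an interpreter environment that is not named `.venv` and report its installed packages as project dependencies, making the three scopes disagree. Adding the directory name keeps them consistent: `"--exclude=.venv,.worktrees,node_modules,site,htmlcov,out,site-packages"`. As far as I recall the CLI reference, `--exclude` takes directory and file names rather than globs and is only honoured together with `--all-projects`, so whether the extension passes `--all-projects` by default should be confirmed before relying on this line; since JSON cannot carry a comment, that caveat belongs in the `.snyk` header or the generated project's README.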