From e5d340ef4cd0921d5fbba80992160f00c5c0bb89 Mon Sep 17 00:00:00 2001
From: williaby <67131297+williaby@users.noreply.github.com>
Date: Mon, 29 Jun 2026 11:39:57 -0700
Subject: [PATCH] feat(security): add Snyk scope baseline to generated projects

Add .snyk, .dcignore, and .vscode/settings.json to the generated project directory so every project scaffolded from this template scopes Snyk to project-owned code only.

Snyk scans the on-disk working tree, not git or manifests, so without these files it walks into .venv/, .worktrees/, node_modules/, and site-packages/ and reports third-party dependency vulnerabilities as if they belong to the project (observed: ~192 noise findings from vendored packages). .gitignore does not constrain Snyk's filesystem scan.

Changes:
- {{cookiecutter.project_slug}}/.snyk: exclude paths for .venv, .worktrees, node_modules, site, htmlcov, out, and **/site-packages/**
- {{cookiecutter.project_slug}}/.dcignore: same exclusion set for Snyk Code
- {{cookiecutter.project_slug}}/.vscode/settings.json: snyk.advanced.additionalParameters for the VS Code Snyk extension
- {{cookiecutter.project_slug}}/.gitignore: negation patterns to track .vscode/settings.json despite the .vscode/ ignore rule
- CHANGELOG.md: document the addition under [Unreleased]

Co-Authored-By: Claude Sonnet 4.6
---
 CHANGELOG.md | 8 ++++++++
 {{cookiecutter.project_slug}}/.dcignore | 10 ++++++++++
 {{cookiecutter.project_slug}}/.gitignore | 4 ++++
 {{cookiecutter.project_slug}}/.snyk | 19 +++++++++++++++++++
 .../.vscode/settings.json | 3 +++
 5 files changed, 44 insertions(+)
 create mode 100644 {{cookiecutter.project_slug}}/.dcignore
 create mode 100644 {{cookiecutter.project_slug}}/.snyk
 create mode 100644 {{cookiecutter.project_slug}}/.vscode/settings.json

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4e88169..43f9bfa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
+- Snyk scope baseline in generated projects: `.snyk` (exclude paths for
+ `.venv/`, `.worktrees/`, `node_modules/`, `site/`, `htmlcov/`, `out/`,
+ and `**/site-packages/**`) prevents Snyk's filesystem scan from walking
+ into virtual environments and vendored packages; `.dcignore` applies the
+ same exclusions to Snyk Code; `.vscode/settings.json` adds
+ `snyk.advanced.additionalParameters` for the VS Code extension. Note:
+ `.gitignore` does not constrain Snyk's scan; these files are required to
+ scope it to project-owned code
 - `qlty.yml` reusable-workflow caller in generated projects' `.github/workflows/` (satisfies CI-013 manifest gap); pins upstream `python-qlty-coverage.yml` at SHA `1b2d33c4`; runs on CI workflow_run
diff --git a/{{cookiecutter.project_slug}}/.dcignore b/{{cookiecutter.project_slug}}/.dcignore
new file mode 100644
index 0000000..5493c01
--- /dev/null
+++ b/{{cookiecutter.project_slug}}/.dcignore
@@ -0,0 +1,10 @@
+# Snyk Code scope configuration (gitignore-style).
+# .dcignore scopes Snyk Code's filesystem scan to project-owned code.
+# Paths listed here are excluded from Snyk Code analysis.
+.venv/
+.worktrees/
+node_modules/
+site/
+htmlcov/
+out/
+**/site-packages/**
diff --git a/{{cookiecutter.project_slug}}/.gitignore b/{{cookiecutter.project_slug}}/.gitignore
index 8ac6ccc..63ab2dd 100644
--- a/{{cookiecutter.project_slug}}/.gitignore
+++ b/{{cookiecutter.project_slug}}/.gitignore
@@ -148,6 +148,8 @@ dmypy.json
 # IDE specific files
 .vscode/
+# Track Snyk VS Code extension settings (project-scoped, not personal IDE settings)
+!.vscode/settings.json
 .idea/
 *.swp
 *.swo
@@ -219,6 +221,8 @@ ENV/
 # IDE and Editor files
 .vscode
+# Track Snyk VS Code extension settings (project-scoped, not personal IDE settings)
+!.vscode/settings.json
 .idea
 .sublime-project
 .sublime-workspace
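Review bot: The `!.vscode/settings.json` negation added in both `.gitignore` hunks (at 148 and at 219) has no effect, because the line just above it, `.vscode/` in the first hunk and `.vscode` in the second, excludes the directory itself, and git will not re-include a file whose parent directory is excluded. To track only that file, exclude the directory's contents instead of the directory: change `.vscode/` and `.vscode` to `.vscode/*` and keep `!.vscode/settings.json` beneath it. Otherwise the generated settings.json is silently untracked and the commit's stated goal for the VS Code extension is not met; `git check-ignore -v .vscode/settings.json` in a generated project confirms which rule wins. Having the same IDE rules twice in one file is also a maintenance hazard, though consolidating them is outside this change.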
diff --git a/{{cookiecutter.project_slug}}/.snyk b/{{cookiecutter.project_slug}}/.snyk
new file mode 100644
index 0000000..dda8e3b
--- /dev/null
+++ b/{{cookiecutter.project_slug}}/.snyk
@@ -0,0 +1,19 @@
+# Snyk scope configuration.
+# Snyk scans the on-disk working tree, not git or the project manifests, so
+# it walks into virtual environments, worktrees, and vendored packages and
+# reports their dependencies as if they belong to this project.
+# .gitignore does NOT constrain Snyk's filesystem scan.
+# The paths below scope Snyk to project-owned code only.
+version: v1.25.0
+exclude:
+ global:
+ - .venv/**
+ - "**/.venv/**"
+ - .worktrees/**
+ - "**/.worktrees/**"
+ - node_modules/**
+ - "**/node_modules/**"
+ - site/**
+ - htmlcov/**
+ - out/**
+ - "**/site-packages/**"
diff --git a/{{cookiecutter.project_slug}}/.vscode/settings.json b/{{cookiecutter.project_slug}}/.vscode/settings.json
new file mode 100644
index 0000000..8aae378
--- /dev/null
+++ b/{{cookiecutter.project_slug}}/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "snyk.advanced.additionalParameters": "--exclude=.venv,.worktrees,node_modules,site,htmlcov,out"
+}
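Review bot: The `exclude.global` list in `.snyk` is asymmetric: `.venv`, `.worktrees` and `node_modules` each get a root-anchored entry plus a `"**/..."` variant, while `site/**`, `htmlcov/**` and `out/**` are root-anchored only, so a nested `htmlcov/` or `out/` (for example under a sub-package built separately) is still scanned. If only the first three are expected to nest, a one-line comment above the list, `# root-only entries below are build outputs that only ever appear at the repo root`, would stop the next reader from "fixing" it; otherwise add the `"**/htmlcov/**"` and `"**/out/**"` forms. A `"**/site/**"` variant is best avoided, since a directory named `site` inside the source tree is more likely to be project code than a docs build.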
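Review bot: The `--exclude` value in `snyk.advanced.additionalParameters` omits `site-packages`, which both `.snyk` and `.dcignore` in this commit exclude via `**/site-packages/**`, so the three exclusion sets are not actually the same set and the VS Code extension can still surface vendored-package findings that the CLI would not. The CLI's `--exclude` takes directory or file names rather than glob paths, so the name form is what belongs here: `"--exclude=.venv,.worktrees,node_modules,site,htmlcov,out,site-packages"`. It is worth confirming against the CLI version the extension bundles that `--exclude` is honoured for Snyk Code scans and not only with `--all-projects`.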