---
# Gatecheck policy file. Schema version is quoted so it is read as a string,
# not the integer 1.
# NOTE(review): every severity/EPSS/KEV/CVE limit and the gitleaks limit in
# this file is currently `enabled: false`, so the gate enforces nothing but the
# (zero) coverage thresholds — confirm that is the intended posture.
version: "1"
metadata:
  # Free-form tags attached to this configuration; none are set.
  tags: []
# Grype: gate for container / dependency vulnerability scan results.
# A `limit`, `score` or `cves` value only takes effect while its sibling
# `enabled` flag is true; every gate in this section is switched off.
grype:
  # Upper bound on the number of findings allowed per severity.
  severityLimit:
    critical:
      enabled: false
      limit: 0
    high:
      enabled: false
      limit: 7  # dead value while `enabled` is false
    medium:
      enabled: false
      limit: 0
    low:
      enabled: false
      limit: 0
  # Fail when a finding's EPSS (Exploit Prediction Scoring System) score
  # exceeds `score`.
  epssLimit:
    enabled: false
    score: 0
  # Fail on any finding listed in the Known Exploited Vulnerabilities catalog.
  kevLimitEnabled: false
  # Fail on any of the specific CVE ids listed in `cves`.
  cveLimit:
    enabled: false
    cves: []
  # Accept (waive) findings whose EPSS score is at or below `score`.
  epssRiskAcceptance:
    enabled: false
    score: 0.001
  # Accept (waive) the specific CVE ids listed in `cves`.
  cveRiskAcceptance:
    enabled: false
    cves: []
# CycloneDX: gate for SBOM (Software Bill of Materials) vulnerability results.
# Mirrors the grype section key for key; the same rule applies — a limit is
# inert until its `enabled` flag is true, and all are off here.
cyclonedx:
  severityLimit:
    critical:
      enabled: false
      limit: 0
    high:
      enabled: false
      limit: 0
    medium:
      enabled: false
      limit: 0
    low:
      enabled: false
      limit: 0
  # EPSS score ceiling for findings.
  epssLimit:
    enabled: false
    score: 0
  # Fail on findings present in the KEV catalog.
  kevLimitEnabled: false
  # Fail on the specific CVE ids listed in `cves`.
  cveLimit:
    enabled: false
    cves: []
  # Waive findings at or below this EPSS score.
  epssRiskAcceptance:
    enabled: false
    score: 0
  # Waive the specific CVE ids listed in `cves`.
  cveRiskAcceptance:
    enabled: false
    cves: []
# Semgrep: gate for static-analysis findings.
semgrep:
  # Upper bound on findings per rule severity; none enforced while disabled.
  severityLimit:
    error:
      enabled: false
      limit: 5  # dead value while `enabled` is false
    warning:
      enabled: false
      limit: 0
    info:
      enabled: false
      limit: 0
  # Waive findings by their impact metadata. This is the only `enabled: true`
  # in the file: low-impact findings are accepted, high and medium are not.
  impactRiskAcceptance:
    enabled: true
    high: false
    medium: false
    low: true
# Gitleaks: gate for secrets-scanning findings. With the limit disabled,
# detected secrets are reported but do not fail the gate.
gitleaks:
  limitEnabled: false
# Minimum code-coverage percentages (line / function / branch).
# A threshold of 0 presumably imposes no floor — verify against the gatecheck
# coverage rule before relying on it.
coverage:
  lineThreshold: 0
  functionThreshold: 0
  branchThreshold: 0