# Scanner Configurations

Salus will read your salus config file.

The configurations on this page are available for all Salus scanners and can be used in the salus config file to configure your desired scanners. Each scanner may also have scanner-specific configuration available solely for that scanner.

In addition to these configurations, you can also create custom configurations for Salus or add additional scanners to Salus.

You'll need to specify your scanner and its configuration in a config file to use these configurations. Here the config file used was `salus.yml`:
```yaml
scanner_configs:
  YarnAudit:
    pass_on_raise: true
```

In your salus config file, you can add configurations for multiple Salus scanners:

```yaml
scanner_configs:
  YarnAudit:
    pass_on_raise: true
  NPMAudit:
    pass_on_raise: true
```
# exceptions

`Array`

When a CVE is present in a dependency, the best course of action is to upgrade the dependency to a patched version. However, if there is currently no patch available or it's a false positive, you can use the following configuration option to ignore a particular CVE. Salus provides an option to ignore these CVEs using the `exceptions` directive.

The `advisory_id`, `changed_by` and `notes` are required fields.
```yaml
scanner_config:
  exceptions:
    - advisory_id: CVE-2090-9090
      changed_by: John Doe
      notes: Currently no patch exists and determined that this vulnerability is not exploitable.
      expiration: "2025-04-27"
    - advisory_id: CVE-2090-9091
      changed_by: John Doe
      notes: Currently no patch exists and determined that this vulnerability is not exploitable.
      expiration: "2025-05-27"
```
Support

The following scanners currently do not support this configuration option:
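Exceptions tend to outlive the reason they were added, so it is worth auditing them. The following is an added example, not code from the Salus project: it loads a constructed `salus.yml`, checks every `exceptions` entry for the required `advisory_id`, `changed_by` and `notes` fields, and reports entries whose `expiration` has passed. It assumes exceptions sit under `scanner_configs:` / `<ScannerName>:` like the other examples on this page.

```ruby
require 'yaml'
require 'date'

# Constructed sample config for this example (not a real project's salus.yml).
SAMPLE_CONFIG = <<~YAML
  scanner_configs:
    BundleAudit:
      pass_on_raise: true
      exceptions:
        - advisory_id: CVE-2090-9090
          changed_by: John Doe
          notes: Currently no patch exists and determined that this vulnerability is not exploitable.
          expiration: "2025-04-27"
        - advisory_id: CVE-2090-9091
          changed_by: John Doe
    YarnAudit:
      exceptions:
        - advisory_id: CVE-2090-9092
          changed_by: Jane Doe
          notes: False positive, dev-only dependency.
          expiration: "2999-01-01"
YAML

# Fields the page lists as required on every exception entry.
REQUIRED_FIELDS = %w[advisory_id changed_by notes].freeze

# Returns an array of human-readable findings for a Salus config given as YAML text.
# `today` is injectable so the check is reproducible in tests.
def audit_exceptions(yaml_text, today: Date.today)
  config = YAML.safe_load(yaml_text, permitted_classes: [Date])
  findings = []
  (config['scanner_configs'] || {}).each do |scanner, scanner_cfg|
    next unless scanner_cfg.is_a?(Hash) && scanner_cfg['exceptions'].is_a?(Array)
    scanner_cfg['exceptions'].each do |ex|
      id = ex['advisory_id'] || '<missing advisory_id>'
      # A required field counts as present only if it is a non-blank string.
      missing = REQUIRED_FIELDS.reject { |f| ex[f].is_a?(String) && !ex[f].strip.empty? }
      findings << "#{scanner}/#{id}: missing required field(s) #{missing.join(', ')}" unless missing.empty?
      if ex['expiration']
        exp = Date.parse(ex['expiration'].to_s) # raises Date::Error on an unparseable value
        findings << "#{scanner}/#{id}: expired on #{exp}" if exp < today
      else
        findings << "#{scanner}/#{id}: no expiration set (review periodically)"
      end
    end
  end
  findings
end

puts audit_exceptions(SAMPLE_CONFIG) if __FILE__ == $PROGRAM_NAME
```

Run it against your own config with `audit_exceptions(File.read('salus.yml'))`; a non-empty result is a good candidate for a CI warning step.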
# failure_message

`string`

You can define a custom message to be shown to the developer when the given scanner fails. This is useful for pointing developers to internal security resources or teams that can help address the failure.

Example with BundleAudit configuration:
```yaml
scanner_configs:
  BundleAudit:
    failure_message: |
      A CVE was found in one of your gems. Please try to upgrade the offending gem.
      $ bundle update <gem name>
      If this does not resolve the error, seek advice from the security team.
      Slack channel: #security
```
# pass_on_raise

`bool`

Some scanners are very resilient and it's rare for them to throw exceptions. Usually, when they do, it is for a good reason, such as a malformed file that the scanner cannot parse, and this warrants breaking the project's build. By default, if a scanner raises an exception for whatever reason, the scanner is considered failed, just as if it had found an actual security issue.

However, some scanners fail frequently for reasons outside the developer's control. For example, a CVE registry might be down, which means that a CVE scanner cannot update its local DB, causing it to raise an error. In that scenario, you might decide that Salus's overall status, and therefore the CI/CD pipeline, should not fail. To allow a scanner to be considered a pass when it raises an exception, provide the value `true` for the directive `pass_on_raise`. For example:
```yaml
scanner_configs:
  YarnAudit:
    pass_on_raise: true
```
When this is set to true, any errors thrown by the scanner will still be recorded in the report.
# recursion

`Hash`

Optional recursion settings.
```yaml
scanner_configs:
  BundleAudit:
    recursion:
      directory_exclusions:
        - vendor
      directories:
        - ./
        - payments/lhv
        - infra/sso/identity_provider
      directories_matching:
        - filename: "BUILD.bazel"
          content: "bundle//:rails"
        - filename: "package.json"
      static_files:
        - Gemfile
        - Gemfile.lock
```
# scanner_timeout_s

`Hash`

At times, scanners may perform scans for unacceptable lengths of time. To limit this behavior, you can define `scanner_timeout_s` with the number of seconds you wish the scan to last before it times out.

Example with YarnAudit configuration:
```yaml
scanner_configs:
  YarnAudit:
    scanner_timeout_s: 60
```
This will limit YarnAudit scans to 1 minute (60 seconds) in execution time.