# Socket Security Basics - Connector Configuration
#
# Declares the security-scanning connectors that socket_basics can load and the
# CLI / environment parameters each one exposes.
#
# Keys used by every connector entry under `connectors`:
#   class                  - scanner class name
#   module_path            - module the class is loaded from
#   notification_processor - processor used to render this connector's results
#   scan_method            - method name invoked to run the scan
#   process_results_method - method name invoked on the raw scan output
#   description            - human-readable summary
#   enabled_by_default     - whether the connector runs without explicit opt-in
#   parameters             - list of parameter entries (see below)
#
# Keys used by parameter entries:
#   name         - internal parameter name
#   option       - CLI flag
#   description  - help text
#   env_variable - environment variable that can supply the same value
#   type         - "bool" or "str"
#   default      - value used when neither the flag nor the env var is given
#   group        - (optional) display grouping
#   enables      - (optional) parameter names switched on together with this one
#   disables     - (optional) parameter names switched off when this one is set
#
# NOTE(review): the key meanings above are read off this file's structure; the
# loader in socket_basics.core.connector is authoritative — confirm there.
---
connectors:
  # ---------------------------------------------------------------------------
  # OpenGrep / Semgrep based SAST
  # ---------------------------------------------------------------------------
  opengrep:
    class: OpenGrepScanner
    notification_processor: "notification_rows"
    scan_method: scan
    process_results_method: _process_results
    description: "SAST scanning using OpenGrep/Semgrep"
    module_path: "socket_basics.core.connector.opengrep"
    enabled_by_default: false
    parameters:
      # Umbrella switch: turning this on also turns on every per-language flag
      # listed under `enables`.
      - name: all_languages_enabled
        option: "--all-languages"
        description: "Enable SAST for all supported languages"
        env_variable: INPUT_ALL_LANGUAGES_ENABLED
        type: bool
        default: false
        enables:
          - python_sast_enabled
          - javascript_sast_enabled
          - go_sast_enabled
          - golang_sast_enabled
          - java_sast_enabled
          - php_sast_enabled
          - ruby_sast_enabled
          - csharp_sast_enabled
          - dotnet_sast_enabled
          - c_sast_enabled
          - cpp_sast_enabled
          - kotlin_sast_enabled
          - scala_sast_enabled
          - swift_sast_enabled
          - rust_sast_enabled
          - elixir_sast_enabled
          - erlang_sast_enabled
      # Runs every bundled rule; per-language enabled/disabled lists below no
      # longer act as a filter when this is set (per the description).
      - name: all_rules_enabled
        option: "--all-rules"
        description: "Run all bundled SAST rules regardless of language filters"
        env_variable: INPUT_ALL_RULES_ENABLED
        type: bool
        default: false

      # --- per-language on/off switches -------------------------------------
      - name: python_sast_enabled
        option: "--python"
        description: "Enable Python SAST scanning"
        env_variable: INPUT_PYTHON_SAST_ENABLED
        type: bool
        default: false
        group: "SAST Python"
      - name: javascript_sast_enabled
        option: "--javascript"
        description: "Enable JavaScript/TypeScript SAST scanning"
        env_variable: INPUT_JAVASCRIPT_SAST_ENABLED
        type: bool
        default: false
        group: "SAST Javascript"
      # Both --go and --golang exist; whether the loader treats them as aliases
      # or as two independent switches is not visible here — confirm.
      - name: go_sast_enabled
        option: "--go"
        description: "Enable Go SAST scanning"
        env_variable: INPUT_GO_SAST_ENABLED
        type: bool
        default: false
      - name: golang_sast_enabled
        option: "--golang"
        description: "Enable Golang SAST scanning"
        env_variable: INPUT_GOLANG_SAST_ENABLED
        type: bool
        default: false
      - name: java_sast_enabled
        option: "--java"
        description: "Enable Java SAST scanning"
        env_variable: INPUT_JAVA_SAST_ENABLED
        type: bool
        default: false
      - name: php_sast_enabled
        option: "--php"
        description: "Enable PHP SAST scanning"
        env_variable: INPUT_PHP_SAST_ENABLED
        type: bool
        default: false
      - name: ruby_sast_enabled
        option: "--ruby"
        description: "Enable Ruby SAST scanning"
        env_variable: INPUT_RUBY_SAST_ENABLED
        type: bool
        default: false
      # csharp and dotnet share the same default rule list further down.
      - name: csharp_sast_enabled
        option: "--csharp"
        description: "Enable C# SAST scanning"
        env_variable: INPUT_CSHARP_SAST_ENABLED
        type: bool
        default: false
      - name: dotnet_sast_enabled
        option: "--dotnet"
        description: "Enable .NET SAST scanning"
        env_variable: INPUT_DOTNET_SAST_ENABLED
        type: bool
        default: false
      # c and cpp share the same default rule list further down.
      - name: c_sast_enabled
        option: "--c"
        description: "Enable C SAST scanning"
        env_variable: INPUT_C_SAST_ENABLED
        type: bool
        default: false
      - name: cpp_sast_enabled
        option: "--cpp"
        description: "Enable C++ SAST scanning"
        env_variable: INPUT_CPP_SAST_ENABLED
        type: bool
        default: false
      - name: kotlin_sast_enabled
        option: "--kotlin"
        description: "Enable Kotlin SAST scanning"
        env_variable: INPUT_KOTLIN_SAST_ENABLED
        type: bool
        default: false
      - name: scala_sast_enabled
        option: "--scala"
        description: "Enable Scala SAST scanning"
        env_variable: INPUT_SCALA_SAST_ENABLED
        type: bool
        default: false
      - name: swift_sast_enabled
        option: "--swift"
        description: "Enable Swift SAST scanning"
        env_variable: INPUT_SWIFT_SAST_ENABLED
        type: bool
        default: false
      - name: rust_sast_enabled
        option: "--rust"
        description: "Enable Rust SAST scanning"
        env_variable: INPUT_RUST_SAST_ENABLED
        type: bool
        default: false
      - name: elixir_sast_enabled
        option: "--elixir"
        description: "Enable Elixir SAST scanning"
        env_variable: INPUT_ELIXIR_SAST_ENABLED
        type: bool
        default: false
      # Erlang has an on/off switch but, unlike the other languages, no
      # *_enabled_rules / *_disabled_rules pair in this file.
      - name: erlang_sast_enabled
        option: "--erlang"
        description: "Enable Erlang SAST scanning"
        env_variable: INPUT_ERLANG_SAST_ENABLED
        type: bool
        default: false

      # --- output / rule-source settings ------------------------------------
      # NOTE(review): trufflehog also declares a parameter named
      # `notification_method` (trivy uses `trivy_notification_method`).
      # Whether the two collide depends on how the loader namespaces
      # parameters per connector — confirm.
      - name: notification_method
        option: "--opengrep-notify"
        description: "Notification method for OpenGrep (e.g., console, slack)"
        env_variable: INPUT_OPENGREP_NOTIFICATION_METHOD
        type: str
        default: ""
      # Custom rules replace bundled ones per language; languages with no custom
      # rules keep the bundled set (per the description).
      - name: use_custom_sast_rules
        option: "--use-custom-sast-rules"
        description: "Use custom SAST rules instead of bundled rules (falls back to bundled rules for languages without custom rules)"
        env_variable: INPUT_USE_CUSTOM_SAST_RULES
        type: bool
        default: false
      # NOTE(review): this is resolved relative to the workspace (or cwd). The
      # loader should reject a value that resolves outside the workspace so
      # rules are only ever read from the checked-out tree — confirm in
      # socket_basics.core.connector.opengrep.
      - name: custom_sast_rule_path
        option: "--custom-sast-rule-path"
        description: "Relative path to custom SAST rules directory (relative to workspace if set, otherwise cwd)"
        env_variable: INPUT_CUSTOM_SAST_RULE_PATH
        type: str
        default: "custom_rules"

      # --- per-language rule selection --------------------------------------
      # Each language has an enabled list (defaulting to the high-confidence
      # rules named in the description) and an empty disabled list.

      # Python
      - name: python_enabled_rules
        option: "--python-enabled-rules"
        description: "Comma-separated list of Python SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_PYTHON_ENABLED_RULES
        type: str
        default: "python-path-traversal-open,python-open-redirect,python-weak-hash-md5,python-weak-hash-sha1,python-weak-cipher-des,python-ssl-verify-disabled,python-insecure-tls-version,python-code-injection-eval,python-sql-injection,python-nosql-injection,python-command-injection,python-ldap-injection,python-xss-template,python-template-injection,python-yaml-load-unsafe,python-debug-mode-enabled,python-weak-session-config,python-insecure-file-permissions,python-jwt-no-verify,python-weak-jwt-algorithm,python-plain-text-password,python-unsafe-deserialization,python-ssrf-vulnerability,python-bare-except,python-dangerous-eval-exec,python-sql-format-string,python-insecure-temp-file"
      - name: python_disabled_rules
        option: "--python-disabled-rules"
        description: "Comma-separated list of Python SAST rules to disable"
        env_variable: INPUT_PYTHON_DISABLED_RULES
        type: str
        default: ""

      # JavaScript / TypeScript
      - name: javascript_enabled_rules
        option: "--javascript-enabled-rules"
        description: "Comma-separated list of JavaScript/TypeScript SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_JAVASCRIPT_ENABLED_RULES
        type: str
        default: "js-code-injection-eval,js-sql-injection,js-nosql-injection,js-command-injection,js-ldap-injection,js-prototype-pollution,js-xss-innerhtml,js-dom-xss,js-path-traversal,js-open-redirect,js-cors-allow-all,js-weak-hash-md5,js-weak-hash-sha1,js-hardcoded-secret,js-weak-cipher,js-tls-reject-unauthorized-false,js-insecure-tls-version,js-jwt-no-verify,js-weak-jwt-secret,js-weak-session-cookie,js-default-credentials,js-error-stack-exposed,js-unsafe-deserialization,js-ssrf-vulnerability,js-react-dangerous-html,js-unsafe-buffer,js-unsafe-file-operations,js-unsafe-process-spawn,js-debugger-statement,js-parseint-missing-radix"
      - name: javascript_disabled_rules
        option: "--javascript-disabled-rules"
        description: "Comma-separated list of JavaScript/TypeScript SAST rules to disable"
        env_variable: INPUT_JAVASCRIPT_DISABLED_RULES
        type: str
        default: ""

      # Finding suppressions. Entries here silence findings for a rule, or for
      # a rule on a given path, so changes to this value deserve the same
      # review as a code change.
      - name: sast_ignore_overrides
        option: "--sast-ignore-overrides"
        description: "Comma-separated list of SAST ignore overrides in rule_id or rule_id:path format"
        env_variable: INPUT_SAST_IGNORE_OVERRIDES
        type: str
        default: ""

      # Go
      - name: go_enabled_rules
        option: "--go-enabled-rules"
        description: "Comma-separated list of Go SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_GO_ENABLED_RULES
        type: str
        default: "go-hardcoded-credentials,go-ssh-insecure-ignore-host-key,go-sql-format-string,go-sql-string-concat,go-command-execution,go-file-path-traversal,go-zip-traversal,go-bad-tls-connection,go-import-des,go-import-rc4,go-empty-password,go-sql-direct-concat"
      - name: go_disabled_rules
        option: "--go-disabled-rules"
        description: "Comma-separated list of Go SAST rules to disable"
        env_variable: INPUT_GO_DISABLED_RULES
        type: str
        default: ""

      # Java
      - name: java_enabled_rules
        option: "--java-enabled-rules"
        description: "Comma-separated list of Java SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_JAVA_ENABLED_RULES
        type: str
        default: "java-reflection-injection,java-sql-injection,java-unsafe-deserialization,java-command-injection,java-ldap-injection,java-hardcoded-credentials,java-weak-crypto-md5,java-weak-crypto-sha1,java-insecure-random,java-xxe-vulnerability,java-path-traversal,java-ssl-bypass,java-spring-security-bypass,java-jpa-sql-injection,java-struts-ognl-injection,java-jndi-injection,java-el-injection,java-template-injection,java-file-upload-no-validation"
      - name: java_disabled_rules
        option: "--java-disabled-rules"
        description: "Comma-separated list of Java SAST rules to disable"
        env_variable: INPUT_JAVA_DISABLED_RULES
        type: str
        default: ""

      # PHP
      - name: php_enabled_rules
        option: "--php-enabled-rules"
        description: "Comma-separated list of PHP SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_PHP_ENABLED_RULES
        type: str
        default: "php-code-injection,php-sql-injection,php-command-injection,php-unsafe-deserialization,php-ldap-injection,php-file-inclusion,php-xss,php-hardcoded-secrets,php-path-traversal,php-open-redirect,php-xxe-vulnerability,php-laravel-security,php-wordpress-security,php-codeigniter-security,php-file-upload-vulnerability,php-insecure-direct-object-reference,php-prepared-statement-injection"
      - name: php_disabled_rules
        option: "--php-disabled-rules"
        description: "Comma-separated list of PHP SAST rules to disable"
        env_variable: INPUT_PHP_DISABLED_RULES
        type: str
        default: ""

      # Ruby
      - name: ruby_enabled_rules
        option: "--ruby-enabled-rules"
        description: "Comma-separated list of Ruby SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_RUBY_ENABLED_RULES
        type: str
        default: "ruby-eval-injection,ruby-command-injection,ruby-sql-injection,ruby-unsafe-deserialization,ruby-dynamic-method-definition,ruby-hardcoded-secrets,ruby-path-traversal,ruby-open-redirect,ruby-xss-raw-output,ruby-ssl-verification-bypass,ruby-weak-crypto,ruby-rails-find-by-sql-injection,ruby-rails-where-injection,ruby-template-injection"
      - name: ruby_disabled_rules
        option: "--ruby-disabled-rules"
        description: "Comma-separated list of Ruby SAST rules to disable"
        env_variable: INPUT_RUBY_DISABLED_RULES
        type: str
        default: ""

      # C# — same default rule list as .NET below.
      - name: csharp_enabled_rules
        option: "--csharp-enabled-rules"
        description: "Comma-separated list of C# SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_CSHARP_ENABLED_RULES
        type: str
        default: "dotnet-sql-injection,dotnet-command-injection,dotnet-code-injection,dotnet-unsafe-deserialization,dotnet-ldap-injection,dotnet-hardcoded-credentials,dotnet-weak-crypto-md5,dotnet-weak-crypto-sha1,dotnet-ssl-bypass,dotnet-xss-response-write,dotnet-path-traversal,dotnet-insecure-random,dotnet-xxe-vulnerability,dotnet-aspnet-validaterequest-false,dotnet-aspnet-viewstate-mac-disabled,dotnet-aspnetcore-auth-bypass,dotnet-ef-sql-injection,dotnet-broken-access-control,dotnet-crypto-failures,dotnet-xpath-injection,dotnet-auth-failures,dotnet-integrity-failures,dotnet-ssrf,dotnet-unsafe-code"
      - name: csharp_disabled_rules
        option: "--csharp-disabled-rules"
        description: "Comma-separated list of C# SAST rules to disable"
        env_variable: INPUT_CSHARP_DISABLED_RULES
        type: str
        default: ""

      # .NET — same default rule list as C# above.
      - name: dotnet_enabled_rules
        option: "--dotnet-enabled-rules"
        description: "Comma-separated list of .NET SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_DOTNET_ENABLED_RULES
        type: str
        default: "dotnet-sql-injection,dotnet-command-injection,dotnet-code-injection,dotnet-unsafe-deserialization,dotnet-ldap-injection,dotnet-hardcoded-credentials,dotnet-weak-crypto-md5,dotnet-weak-crypto-sha1,dotnet-ssl-bypass,dotnet-xss-response-write,dotnet-path-traversal,dotnet-insecure-random,dotnet-xxe-vulnerability,dotnet-aspnet-validaterequest-false,dotnet-aspnet-viewstate-mac-disabled,dotnet-aspnetcore-auth-bypass,dotnet-ef-sql-injection,dotnet-broken-access-control,dotnet-crypto-failures,dotnet-xpath-injection,dotnet-auth-failures,dotnet-integrity-failures,dotnet-ssrf,dotnet-unsafe-code"
      - name: dotnet_disabled_rules
        option: "--dotnet-disabled-rules"
        description: "Comma-separated list of .NET SAST rules to disable"
        env_variable: INPUT_DOTNET_DISABLED_RULES
        type: str
        default: ""

      # C — same default rule list as C++ below (it already includes the two
      # cpp-* rules).
      - name: c_enabled_rules
        option: "--c-enabled-rules"
        description: "Comma-separated list of C SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_C_ENABLED_RULES
        type: str
        default: "c-buffer-overflow,c-format-string-vulnerability,c-command-injection,c-sql-injection,c-memory-management,c-use-after-free,c-integer-overflow,c-null-pointer-dereference,c-hardcoded-secrets,c-race-condition,cpp-unsafe-cast,cpp-memory-management,c-weak-crypto,c-ssl-issues,c-input-validation"
      - name: c_disabled_rules
        option: "--c-disabled-rules"
        description: "Comma-separated list of C SAST rules to disable"
        env_variable: INPUT_C_DISABLED_RULES
        type: str
        default: ""

      # C++ — same default rule list as C above.
      - name: cpp_enabled_rules
        option: "--cpp-enabled-rules"
        description: "Comma-separated list of C++ SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_CPP_ENABLED_RULES
        type: str
        default: "c-buffer-overflow,c-format-string-vulnerability,c-command-injection,c-sql-injection,c-memory-management,c-use-after-free,c-integer-overflow,c-null-pointer-dereference,c-hardcoded-secrets,c-race-condition,cpp-unsafe-cast,cpp-memory-management,c-weak-crypto,c-ssl-issues,c-input-validation"
      - name: cpp_disabled_rules
        option: "--cpp-disabled-rules"
        description: "Comma-separated list of C++ SAST rules to disable"
        env_variable: INPUT_CPP_DISABLED_RULES
        type: str
        default: ""

      # Kotlin
      - name: kotlin_enabled_rules
        option: "--kotlin-enabled-rules"
        description: "Comma-separated list of Kotlin SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_KOTLIN_ENABLED_RULES
        type: str
        default: "kotlin-sql-injection,kotlin-command-injection,kotlin-code-injection,kotlin-unsafe-deserialization,kotlin-hardcoded-secrets,kotlin-weak-crypto-md5,kotlin-weak-crypto-sha1,kotlin-ssl-bypass,kotlin-path-traversal,kotlin-xss,kotlin-android-intent-user-input,kotlin-spring-security-bypass,kotlin-jpa-query-injection,kotlin-template-injection,kotlin-ldap-injection,kotlin-file-upload-no-validation,kotlin-xxe-vulnerability"
      - name: kotlin_disabled_rules
        option: "--kotlin-disabled-rules"
        description: "Comma-separated list of Kotlin SAST rules to disable"
        env_variable: INPUT_KOTLIN_DISABLED_RULES
        type: str
        default: ""

      # Scala
      - name: scala_enabled_rules
        option: "--scala-enabled-rules"
        description: "Comma-separated list of Scala SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_SCALA_ENABLED_RULES
        type: str
        default: "scala-sql-injection,scala-code-injection,scala-command-injection,scala-unsafe-deserialization,scala-hardcoded-secrets,scala-weak-crypto-md5,scala-weak-crypto-sha1,scala-ssl-bypass,scala-path-traversal,scala-xss-template,scala-slick-sql-injection,scala-json-injection,scala-file-upload-no-validation"
      - name: scala_disabled_rules
        option: "--scala-disabled-rules"
        description: "Comma-separated list of Scala SAST rules to disable"
        env_variable: INPUT_SCALA_DISABLED_RULES
        type: str
        default: ""

      # Swift
      - name: swift_enabled_rules
        option: "--swift-enabled-rules"
        description: "Comma-separated list of Swift SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_SWIFT_ENABLED_RULES
        type: str
        default: "swift-sql-injection,swift-command-injection,swift-unsafe-deserialization,swift-hardcoded-secrets,swift-weak-crypto-md5,swift-weak-crypto-sha1,swift-ssl-bypass,swift-path-traversal,swift-webview-xss,swift-ios-insecure-storage,swift-macos-privilege-escalation,swift-macos-code-signing,swift-certificate-pinning-bypass,swift-core-data-injection"
      - name: swift_disabled_rules
        option: "--swift-disabled-rules"
        description: "Comma-separated list of Swift SAST rules to disable"
        env_variable: INPUT_SWIFT_DISABLED_RULES
        type: str
        default: ""

      # Rust
      - name: rust_enabled_rules
        option: "--rust-enabled-rules"
        description: "Comma-separated list of Rust SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_RUST_ENABLED_RULES
        type: str
        default: "rust-unsafe-usage,rust-command-injection,rust-unsafe-deserialization,rust-sql-injection,rust-hardcoded-secrets,rust-weak-crypto-md5,rust-weak-crypto-sha1,rust-insecure-tls,rust-path-traversal,rust-buffer-overflow-potential,rust-diesel-injection,rust-serde-security,rust-memory-safety"
      - name: rust_disabled_rules
        option: "--rust-disabled-rules"
        description: "Comma-separated list of Rust SAST rules to disable"
        env_variable: INPUT_RUST_DISABLED_RULES
        type: str
        default: ""

      # Elixir
      - name: elixir_enabled_rules
        option: "--elixir-enabled-rules"
        description: "Comma-separated list of Elixir SAST rules to enable (default: high-confidence rules)"
        env_variable: INPUT_ELIXIR_ENABLED_RULES
        type: str
        default: "elixir-code-injection,elixir-sql-injection,elixir-command-injection,elixir-unsafe-deserialization,elixir-hardcoded-secrets,elixir-weak-crypto,elixir-path-traversal,elixir-xss,elixir-open-redirect,elixir-phoenix-xss,elixir-phoenix-ecto-injection,elixir-phoenix-file-upload"
      - name: elixir_disabled_rules
        option: "--elixir-disabled-rules"
        description: "Comma-separated list of Elixir SAST rules to disable"
        env_variable: INPUT_ELIXIR_DISABLED_RULES
        type: str
        default: ""

  # ---------------------------------------------------------------------------
  # TruffleHog secret scanning
  # ---------------------------------------------------------------------------
  trufflehog:
    class: TruffleHogScanner
    notification_processor: "notification_rows"
    scan_method: scan
    process_results_method: _process_results
    description: "Secret scanning using TruffleHog"
    module_path: "socket_basics.core.connector.trufflehog"
    enabled_by_default: false
    parameters:
      - name: secret_scanning_enabled
        option: "--secrets"
        description: "Enable secret scanning"
        env_variable: INPUT_SECRET_SCANNING_ENABLED
        type: bool
        default: false
      # Kill switch: clears both the enable flag and the unverified-results
      # flag via `disables`.
      - name: disable_all_secrets
        option: "--disable-secrets"
        description: "Disable all secret scanning features"
        env_variable: INPUT_DISABLE_ALL_SECRETS
        type: bool
        default: false
        disables:
          - secret_scanning_enabled
          - trufflehog_show_unverified
      # Directories excluded from the secret scan; like the ignore overrides
      # above, widening this list reduces coverage and deserves review.
      - name: trufflehog_exclude_dir
        option: "--exclude-dir"
        description: "Comma-separated list of directories to exclude from secret scanning"
        env_variable: INPUT_TRUFFLEHOG_EXCLUDE_DIR
        type: str
        default: ""
      # NOTE(review): same parameter name as opengrep's `notification_method`;
      # see the note there.
      - name: notification_method
        option: "--trufflehog-notify"
        description: "Notification method for TruffleHog (e.g., console, slack)"
        env_variable: INPUT_TRUFFLEHOG_NOTIFICATION_METHOD
        type: str
        default: ""
      # Off by default, so only secrets TruffleHog could verify are reported.
      - name: trufflehog_show_unverified
        option: "--show-unverified"
        description: "Show unverified secrets in TruffleHog results"
        env_variable: INPUT_TRUFFLEHOG_SHOW_UNVERIFIED
        type: bool
        default: false

  # ---------------------------------------------------------------------------
  # Socket Tier 1 reachability (via the Socket CLI)
  # ---------------------------------------------------------------------------
  socket_tier1:
    class: SocketTier1Scanner
    notification_processor: "notification_rows"
    scan_method: scan
    process_results_method: _process_results
    description: "Optional Socket Security Tier 1 Reachability analysis using the Socket CLI"
    module_path: "socket_basics.core.connector.socket_tier1"
    enabled_by_default: false
    parameters:
      # NOTE(review): this connector's env vars carry no INPUT_ prefix, unlike
      # every other connector in this file; the description of
      # socket_additional_params suggests that is deliberate — confirm.
      - name: socket_tier_1_enabled
        option: "--socket-tier1"
        description: "Enable Socket Tier 1 reachability analysis"
        env_variable: SOCKET_TIER_1_ENABLED
        type: bool
        default: false
      # Passed through to the external `socket scan reach` invocation.
      - name: socket_additional_params
        option: "--socket-additional-params"
        description: "Additional CLI params for 'socket scan reach' (comma or space separated). Also reads SOCKET_ADDITIONAL_PARAMS"
        env_variable: SOCKET_ADDITIONAL_PARAMS
        type: str
        default: ""

  # ---------------------------------------------------------------------------
  # Trivy container / Dockerfile / dependency scanning
  # ---------------------------------------------------------------------------
  trivy:
    class: TrivyScanner
    notification_processor: "notification_rows"
    scan_method: scan
    process_results_method: _process_results
    description: "Container and Dockerfile scanning using Trivy"
    module_path: "socket_basics.core.connector.trivy"
    enabled_by_default: false
    parameters:
      # Supplying images enables image scanning (per the description);
      # trivy_image_scanning_disabled below also exists — which wins when both
      # are set is not visible here.
      - name: container_images
        option: "--images"
        description: "Comma-separated list of container images to scan (auto-enables image scanning)"
        env_variable: INPUT_CONTAINER_IMAGES_TO_SCAN
        type: str
        default: ""
        group: "Container Image Scanning"
      - name: dockerfiles
        option: "--dockerfiles"
        description: "Comma-separated list of Dockerfiles to scan (auto-enables Dockerfile scanning)"
        env_variable: INPUT_DOCKERFILES
        type: str
        default: ""
        group: "Dockerfile Scanning"
      - name: trivy_notification_method
        option: "--trivy-notify"
        description: "Notification method for Trivy (e.g., console, slack)"
        env_variable: INPUT_TRIVY_NOTIFICATION_METHOD
        type: str
        default: ""
      - name: trivy_disabled_rules
        option: "--trivy-disabled-rules"
        description: "Comma-separated list of Trivy rules to disable"
        env_variable: INPUT_TRIVY_DISABLED_RULES
        type: str
        default: ""
      - name: trivy_image_scanning_disabled
        option: "--trivy-image-scanning-disabled"
        description: "Disable Trivy image scanning"
        env_variable: INPUT_TRIVY_IMAGE_SCANNING_DISABLED
        type: bool
        default: false
      - name: trivy_vuln_enabled
        option: "--trivy-vuln-enabled"
        description: "Enable Trivy vulnerability scanning for all supported language ecosystems"
        env_variable: INPUT_TRIVY_VULN_ENABLED
        type: bool
        default: false
        group: "Trivy Vulnerability Scanning"

# -----------------------------------------------------------------------------
# Global connector settings
# -----------------------------------------------------------------------------
settings:
  # Environment variable that selects which connectors run.
  # Format: "connector1,connector2" or "all" or "none"
  enabled_connectors_env: INPUT_ENABLED_CONNECTORS
  # Connectors used when no explicit selection is provided.
  # NOTE(review): this repeats the full opengrep definition with
  # enabled_by_default: true, while connectors.opengrep above says false.
  # Which value the loader honours, and whether the duplicated class /
  # module_path fields are read from here at all, is not visible in this file
  # — confirm before changing either copy.
  default_enabled:
    opengrep:
      class: OpenGrepScanner
      notification_processor: "notification_rows"
      scan_method: scan
      process_results_method: _process_results
      description: "SAST scanning using OpenGrep/Semgrep"
      module_path: "socket_basics.core.connector.opengrep"
      enabled_by_default: true
  # Placed at settings level here; the source rendering lost its indentation,
  # so confirm this is not meant to sit under default_enabled.opengrep.
  fail_fast: false