Merge pull request #388 from fedejaure/feature-upgrade-security-task

Add safety policy file

.safety-policy.yml

@@ -0,0 +1,12 @@
+version: '2.0'
+
+# Safety Security and License Configuration file
+security: # configuration for the `safety check` command
+    ignore-cvss-severity-below: 0 # A severity number between 0 and 10. Some helpful reference points: 9=ignore all vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except CRITICAL
+    ignore-cvss-unknown-severity: False # True or False. We recommend you set this to False.
+    ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period)
+        # We recommend making use of the optional `reason` and `expires` keys for each vulnerability that you ignore.
+        70612:
+            reason: we do not use the vulnerable function
+            expires: '2024-10-10'
+    continue-on-vulnerability-error: False # Suppress non-zero exit codes when vulnerabilities are found. Enable this in pipelines and CI/CD processes if you want to pass builds that have vulnerabilities

tasks.py

@@ -24,8 +24,6 @@
 ANSIBLE_TARGETS = [MOLECULE_DIR, ROLES_DIR, PLAYBOOKS_DIR, META_DIR]
 ANSIBLE_TARGETS_STR = " ".join([str(t) for t in ANSIBLE_TARGETS])
 
-SAFETY_IGNORE = [70612]
-
 
 def _run(c: Context, command: str, env: dict[str, Any] | None = None) -> Optional[Result]:
     return c.run(command, pty=platform.system() != "Windows", env=env)
@@ -86,13 +84,10 @@ def ruff(c: Context) -> None:
 @task()
 def security(c: Context) -> None:
     """Run security related checks."""
-    safety_options = ["--stdin", "--full-report"]
-    if SAFETY_IGNORE:
-        safety_options += ["-i", ",".join([str(ignore) for ignore in SAFETY_IGNORE])]
     _run(
         c,
         "poetry export --with dev --format=requirements.txt --without-hashes | "
-        f"poetry run safety check {' '.join(safety_options)}",
+        "poetry run safety check --stdin --full-report",
     )