---
# Trivy configuration file (trivy.yaml).
# Controls how Trivy scans this repository.

# Scan configuration
scan:
  # Path globs excluded from scanning. Exclusions apply to every scanner,
  # so '.github/**' and 'scripts/**' are also left out of secret and
  # misconfiguration scanning, not only vulnerability scanning — confirm
  # that coverage gap is intended.
  skip-files:
    - 'test_*.py'
    - '*_test.py'
    - 'docs/**'
    - '**/*.md'
    - '.github/**'
    - 'scripts/**'
  # Directories that hold no production code
  skip-dirs:
    - '.git'
    - 'node_modules'
    - 'venv'
    - '.venv'
    - '__pycache__'
    - 'workflows_backup*'
    - 'database'

# Vulnerability configuration
vulnerability:
  # Report CRITICAL and HIGH findings only.
  # NOTE(review): Trivy's config reference documents 'severity' at the top
  # level (same as --severity); verify that this nested placement is honoured
  # by the Trivy version in use, otherwise the filter may be ignored silently.
  severity:
    - CRITICAL
    - HIGH
  # Hide findings that have no fixed version yet. These are still real
  # exposures; track them elsewhere rather than letting them disappear.
  ignore-unfixed: true

# Secret scanning configuration
secret:
  # false keeps secret scanning enabled
  disable: false

# License scanning
license:
  # License scanning is turned off
  disable: true

# Misconfiguration scanning
misconfiguration:
  # NOTE(review): this key mirrors --skip-policy-update, which skips fetching
  # updated misconfiguration checks at scan time rather than disabling the
  # misconfiguration scanner — confirm which behaviour is intended.
  skip-policy-update: true