# Argus dogfood configuration — we scan our own production code.
# Test fixtures (tests/fixtures/) are excluded from the code scanners that
# take an exclude list below (bandit, opengrep, osv) — those contain
# intentionally vulnerable code for scanner validation, not our actual
# security posture.
# NOTE(review): gitleaks, clamav, supply-chain and lint-dockerfile carry no
# exclude here, so fixtures (and, for clamav, .git/.venv/node_modules) are
# in their scope — confirm that is intended. For gitleaks that is arguably
# right (a real secret committed under fixtures is still a leak), but any
# deliberately planted fake secrets will need an allowlist on the gitleaks
# side rather than here.
version: "1.0"
scanners:
  # Python SAST. Vendored/virtualenv/tool directories are excluded along
  # with the fixtures; bandit's own settings come from pyproject.toml.
  bandit:
    enabled: true
    path: "."
    config_file: "pyproject.toml"
    exclude: ".venv,.git,node_modules,.claude,__pycache__,tests/fixtures"
  # Secret scanning. No path or exclude is set, so scope is whatever the
  # gitleaks integration defaults to — presumably the repo and its history;
  # verify.
  gitleaks:
    enabled: true
  # Multi-language SAST. Only the fixtures are excluded, so .venv and
  # node_modules are in scope unless opengrep skips them on its own —
  # TODO confirm; mirroring bandit's exclude list would avoid findings
  # in third-party code that we cannot fix.
  opengrep:
    enabled: true
    path: "."
    exclude: "tests/fixtures"
  # Malware scan of the whole working tree, no exclusions.
  clamav:
    enabled: true
    path: "."
  # Known-vulnerability lookup for dependencies; fixtures excluded.
  osv:
    enabled: true
    exclude: "tests/fixtures"
  supply-chain:
    enabled: true
  # Lint our own Dockerfiles via hadolint as part of the default scan.
  # Catches bad practices (mutable image tags, missing USER directives,
  # apt without --no-install-recommends, etc.) on every run.
  lint-dockerfile:
    enabled: true
  # Not applicable to this repo as part of the default source scan:
  # - trivy-iac / checkov target Terraform / CloudFormation / K8s — none here
  # - container / zap operate on built images / running endpoints, not
  #   source paths. Container targets are configured in the
  #   ``containers:`` block below and run via ``argus scan container``;
  #   ZAP is on-demand: ``argus scan zap --target http://...``
  # Keep these explicitly ``false`` rather than omitting them, so a change
  # in the tool's defaults cannot silently switch them on or off.
  trivy-iac:
    enabled: false
  checkov:
    enabled: false
  container:
    enabled: false
  zap:
    enabled: false
# Container lifecycle targets — drives ``argus scan container`` without
# needing CLI flags. Each entry is a Dockerfile-built image that the
# scanner builds locally (so the scan reflects exactly the bytes that
# ship from this branch) and then hands to trivy + grype + syft. The
# build-containers workflow can read this same list rather than
# hard-coding a parallel matrix — single source of truth.
# NOTE(review): the ``:dev`` tags are mutable. That is fine for a locally
# built image (the build, not the tag, determines what gets scanned), but
# if the same tag is ever *pulled* by a consumer — e.g. the ``auto`` backend
# under ``execution:`` below, if these are the scanner images it runs — the
# tag no longer identifies a specific set of bytes; pin by digest there.
containers:
  images:
    - image: ghcr.io/huntridge-labs/argus/scanner-bandit:dev
      dockerfile: docker/Dockerfile.bandit
      context: .
    - image: ghcr.io/huntridge-labs/argus/scanner-opengrep:dev
      dockerfile: docker/Dockerfile.opengrep
      context: .
    - image: ghcr.io/huntridge-labs/argus/scanner-supply-chain:dev
      dockerfile: docker/Dockerfile.supply-chain
      context: .
    - image: ghcr.io/huntridge-labs/argus/cli:dev
      dockerfile: docker/Dockerfile.cli
      context: .
  # Image scanners to run on every entry above — presumably applied to all
  # images rather than per entry (there is no per-image override here).
  # Build context is the repo root for each image, so anything not covered
  # by .dockerignore (including tests/fixtures) is visible to the build.
  scanners: [trivy, grype, syft]
# Report output. One file per format is presumably written under
# output_dir; sarif is the one CI code-scanning uploads consume, json is
# for tooling, markdown/terminal for humans.
reporting:
  formats:
    - terminal
    - markdown
    - sarif
    - json
  # NOTE(review): only ``high`` and above are reported/gated (which of the
  # two this threshold means is not visible here — confirm). Medium findings
  # in our own code are still worth seeing on a dogfood run; consider
  # lowering this, or at least keeping the full json output for triage.
  severity_threshold: high
  output_dir: "./argus-results"
execution:
  # auto (default): containers for immutable, reproducible scans
  # local: use locally installed tools (faster, user accepts version risk)
  # docker: containers only, fail if unavailable
  backend: auto
  # if-not-present: an image already in the local cache is reused and never
  # refreshed. NOTE(review): with mutable scanner-image tags this means each
  # machine keeps whatever it pulled first, so rule sets and vulnerability
  # databases go stale per host and "reproducible" only holds within one
  # host, not across the team or CI. Pin the scanner images by digest, or
  # use a policy that refreshes the image (if the tool offers one) in CI.
  pull_policy: if-not-present