-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path.codacy.yml
More file actions
91 lines (86 loc) · 2.89 KB
/
Copy path.codacy.yml
File metadata and controls
91 lines (86 loc) · 2.89 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
---
# Coverage configuration for Codacy
coverage:
# Coverage report paths
paths:
- coverage/lcov.info
# Coverage thresholds
thresholds:
overall: 70
file: 70
engines:
# --- Enabled engines (well under the 20-run SARIF limit) ---
semgrep:
enabled: true
# eslint-9: authoritative ESLint engine — uses eslint.config.js (flat config, ESLint 9+).
eslint-9:
enabled: true
# eslint (legacy, ESLint 7 + @typescript-eslint v4): disabled to prevent duplicate analysis
# alongside eslint-9. The repo contains .eslintrc.cjs for tools that do not support flat
# config (e.g. Codacy's own legacy runner), but Codacy should only run eslint-9 here.
# Codacy's legacy Docker image bundles its own plugins and does NOT use the project's
# node_modules, so the project's @typescript-eslint v8.x does not create a peer-dep
# conflict — this entry is disabled purely to avoid redundant findings.
eslint:
enabled: false
lizard:
enabled: true
exclude_paths:
- '**/*.test.tsx'
- '**/*.test.ts'
- '**/*.spec.tsx'
- '**/*.spec.ts'
# --- Disabled engines: prevent auto-detection from pushing run count over 20 ---
# CSS/JS linters not needed alongside ESLint
csslint:
enabled: false
stylelint:
enabled: false
jshint:
enabled: false
# Deprecated TypeScript linter
tslint:
enabled: false
# Security scanners – semgrep covers this project's security needs
trivy:
enabled: false
checkov:
enabled: false
# Container/IaC tools not applicable to this web project
hadolint:
enabled: false
# Shell scripts exist (.github/scripts/, scripts/, public/mockups/)
shellcheck:
enabled: true
# Docs linter not required
markdownlint:
enabled: false
# Duplication detector (runs separately but adds a run to the SARIF)
pmd-legacy:
enabled: false
# Exclude specific patterns in test files where they are false positives
# validation-utils.test.ts: RegExp constructor is used with pre-escaped strings
# to validate the escapeRegExp function behavior. These are intentional and safe.
exclude_patterns:
- identifier: "Security/detect-non-literal-regexp"
paths:
- "src/utils/validation-utils.test.ts"
# Exclude paths from code analysis
exclude_paths:
- 'node_modules/**'
- 'dist/**'
- 'coverage/**'
- '**/*.test.ts'
- '**/*.test.tsx'
- '**/*.spec.ts'
- '**/*.spec.tsx'
- 'src/test/**'
- 'scripts/**'
- '**/*.min.js'
- 'docs/**'
# sonarcloud.yml contains a 40-char hex SHA (action pin) that Semgrep falsely
# detects as a SonarQube API key. The file has no JS/TS code or shell scripts.
- '.github/workflows/sonarcloud.yml'
# Note: semgrep may report false positives for non-literal RegExp patterns in tests.
# All RegExp inputs are sanitized via escapeRegExp(); input sources are constants, not user input.
# Remaining false positives in non-test files can be marked "Won't Fix" in the Codacy UI.