Skip to content

Commit 8ce0978

Browse files
nullvariantclaude
andauthored
chore(security): add Snyk policy and document Snyk in SECURITY.md (#416)
- Add .snyk policy to exclude test directory from Snyk Code analysis. Test files for sensitiveDataDetector intentionally contain secret-like patterns (CWE-547) as synthetic fixtures, triggering 11 false positives. - Add Snyk Code to CI/CD Security section in SECURITY.md, which was missing despite Snyk being actively used. 🖥️ IDE: [Cursor](https://cursor.sh) 🔌 Extension: [Claude Code](https://claude.ai/download) Model-Raw: claude-opus-4-6-20250414 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 43834df commit 8ce0978

3 files changed

Lines changed: 10 additions & 1 deletion

File tree

.snyk

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
# Snyk (https://snyk.io) policy file
2+
version: v1.25.0
3+
exclude:
4+
global:
5+
# Test fixtures intentionally contain secret-like patterns
6+
# for testing sensitiveDataDetector and related security utilities.
7+
# These are synthetic values (e.g., 'AbCdEfGh12345678...'), not real secrets.
8+
- extensions/git-id-switcher/src/test

SECURITY.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,7 @@ This repository contains VS Code extensions with the following security measures
6565
- **Static Code Analysis**: [SonarCloud](https://sonarcloud.io/project/overview?id=nullvariant_nullvariant-vscode-extensions) runs on every push and PR (CI-based analysis)
6666
- **Daily Vulnerability Scans**: `npm audit` runs daily via scheduled workflow
6767
- **Fork Protection**: Sensitive workflows skip on fork repositories
68+
- **SAST (Snyk Code)**: [Snyk](https://snyk.io/) runs static analysis; test fixtures are excluded via `.snyk` policy
6869
- **Runtime Security Monitoring**: [StepSecurity Harden-Runner](https://github.com/step-security/harden-runner) monitors all workflow runs for suspicious network egress, file access, and process execution
6970

7071
## Security Testing

extensions/git-id-switcher/src/ui/documentationInternal.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@ export const DOCUMENT_HASHES: Record<string, string> = {
6262
'GOVERNANCE.md': '806cf32ec9fe9fd964a782927f8eaa7696d408c42d31f554eebd6755bd911c71',
6363
'LICENSE': 'e2383295422577622666fa2ff00e5f03abd8f2772d74cca5d5443020ab23d03d',
6464
'README.md': '89a6fc159f160a2b8fb96279deb3c2af558bd61341f4d9c99ff6a5d7b58c4253',
65-
'SECURITY.md': '4dcd8884851a057738d9c6f58e9017f0dc8edc91fd4921a491bf66f3b2fe5e0f',
65+
'SECURITY.md': 'f0a9554c55bbf84187bb0d10afaf2591ebf0ffef70e73d212e9ba0d9a4b2bb6e',
6666
};
6767

6868
/** Supported locales for documentation */

0 commit comments

Comments
 (0)