@@ -254,6 +254,42 @@ components:
254254 description : ' Risk level: critical, high, medium, low'
255255 type : string
256256 type : object
257+ config.DeepScanConfig :
258+ description : |-
259+ DeepScan is the opt-in "deep scan" layer (Spec 077 US3). It subsumes the
260+ deprecated top-level scanner_fetch_package_source / scanner_disable_no_new_privileges
261+ keys (migrated on load) and gates the heavy Docker-based scanners + source
262+ extraction. Disabled by default (FR-006): only the deterministic in-process
263+ baseline scanner runs. A deep-scan failure NEVER changes the baseline verdict
264+ (FR-007/FR-008).
265+ properties :
266+ disable_no_new_privileges :
267+ description : |-
268+ DisableNoNewPrivileges, when true, omits the `--security-opt
269+ no-new-privileges` flag from scanner container runs (snap-docker/AppArmor
270+ escape hatch). Absorbs the deprecated top-level
271+ scanner_disable_no_new_privileges. Default false.
272+ type : boolean
273+ enabled :
274+ description : Enabled is the master opt-in for the heavy layer (FR-006).
275+ Default false.
276+ type : boolean
277+ fetch_package_source :
278+ description : |-
279+ FetchPackageSource controls whether the scanner fetches the PUBLISHED
280+ source of package-runner servers (npx/uvx) — without executing it — when
281+ no local source is available. Absorbs the deprecated top-level
282+ scanner_fetch_package_source. Default (nil) is ENABLED within deep scan.
283+ type : boolean
284+ scanners :
285+ description : |-
286+ Scanners optionally restricts which deep scanners may run under the
287+ umbrella (by scanner id). Empty ⇒ all enabled deep scanners are eligible.
288+ items :
289+ type : string
290+ type : array
291+ uniqueItems : false
292+ type : object
257293 config.DockerIsolationConfig :
258294 description : Docker isolation settings
259295 properties :
@@ -601,8 +637,8 @@ components:
601637 config.SecurityConfig :
602638 description : Security scanner settings (Spec 039)
603639 properties :
604- auto_scan_quarantined :
605- type : boolean
640+ deep_scan :
641+ $ref : ' #/components/schemas/config.DeepScanConfig '
606642 integrity_check_interval :
607643 type : string
608644 integrity_check_on_restart :
@@ -615,6 +651,11 @@ components:
615651 type : string
616652 scanner_disable_no_new_privileges :
617653 description : |-
654+ Deprecated (Spec 077 US3): migrated on load into DeepScan.DisableNoNewPrivileges
655+ (see migrateDeepScanConfig). Retained only so existing configs that still carry
656+ the top-level key parse; consumers MUST read the effective value via
657+ SecurityConfig.IsDisableNoNewPrivileges. Cleared after migration.
658+
618659 ScannerDisableNoNewPrivileges, when true, omits the
619660 `--security-opt no-new-privileges` flag from scanner container runs.
620661
@@ -633,6 +674,11 @@ components:
633674 type : boolean
634675 scanner_fetch_package_source :
635676 description : |-
677+ Deprecated (Spec 077 US3): migrated on load into DeepScan.FetchPackageSource
678+ (see migrateDeepScanConfig). Retained only so existing configs that still carry
679+ the top-level key parse; consumers MUST read the effective value via
680+ SecurityConfig.EffectiveFetchPackageSource. Cleared after migration.
681+
636682 ScannerFetchPackageSource controls whether the scanner fetches the
637683 PUBLISHED source of package-runner servers (npx/uvx) — without executing
638684 it — when no local source is available (no Docker container, no local
0 commit comments