Skip to content

Commit 10496ed

Browse files
committed
docs(api): regenerate OpenAPI for security.deep_scan config surface
Regenerate oas/swagger.yaml + oas/docs.go for the new config.DeepScanConfig schema and the removed auto_scan_quarantined key. make swagger-verify passes. Related: Spec 077 (specs/077-scanner-simplification)
1 parent b6032e9 commit 10496ed

2 files changed

Lines changed: 49 additions & 3 deletions

File tree

oas/docs.go

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

oas/swagger.yaml

Lines changed: 48 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -254,6 +254,42 @@ components:
254254
description: 'Risk level: critical, high, medium, low'
255255
type: string
256256
type: object
257+
config.DeepScanConfig:
258+
description: |-
259+
DeepScan is the opt-in "deep scan" layer (Spec 077 US3). It subsumes the
260+
deprecated top-level scanner_fetch_package_source / scanner_disable_no_new_privileges
261+
keys (migrated on load) and gates the heavy Docker-based scanners + source
262+
extraction. Disabled by default (FR-006): only the deterministic in-process
263+
baseline scanner runs. A deep-scan failure NEVER changes the baseline verdict
264+
(FR-007/FR-008).
265+
properties:
266+
disable_no_new_privileges:
267+
description: |-
268+
DisableNoNewPrivileges, when true, omits the `--security-opt
269+
no-new-privileges` flag from scanner container runs (snap-docker/AppArmor
270+
escape hatch). Absorbs the deprecated top-level
271+
scanner_disable_no_new_privileges. Default false.
272+
type: boolean
273+
enabled:
274+
description: Enabled is the master opt-in for the heavy layer (FR-006).
275+
Default false.
276+
type: boolean
277+
fetch_package_source:
278+
description: |-
279+
FetchPackageSource controls whether the scanner fetches the PUBLISHED
280+
source of package-runner servers (npx/uvx) — without executing it — when
281+
no local source is available. Absorbs the deprecated top-level
282+
scanner_fetch_package_source. Default (nil) is ENABLED within deep scan.
283+
type: boolean
284+
scanners:
285+
description: |-
286+
Scanners optionally restricts which deep scanners may run under the
287+
umbrella (by scanner id). Empty ⇒ all enabled deep scanners are eligible.
288+
items:
289+
type: string
290+
type: array
291+
uniqueItems: false
292+
type: object
257293
config.DockerIsolationConfig:
258294
description: Docker isolation settings
259295
properties:
@@ -601,8 +637,8 @@ components:
601637
config.SecurityConfig:
602638
description: Security scanner settings (Spec 039)
603639
properties:
604-
auto_scan_quarantined:
605-
type: boolean
640+
deep_scan:
641+
$ref: '#/components/schemas/config.DeepScanConfig'
606642
integrity_check_interval:
607643
type: string
608644
integrity_check_on_restart:
@@ -615,6 +651,11 @@ components:
615651
type: string
616652
scanner_disable_no_new_privileges:
617653
description: |-
654+
Deprecated (Spec 077 US3): migrated on load into DeepScan.DisableNoNewPrivileges
655+
(see migrateDeepScanConfig). Retained only so existing configs that still carry
656+
the top-level key parse; consumers MUST read the effective value via
657+
SecurityConfig.IsDisableNoNewPrivileges. Cleared after migration.
658+
618659
ScannerDisableNoNewPrivileges, when true, omits the
619660
`--security-opt no-new-privileges` flag from scanner container runs.
620661
@@ -633,6 +674,11 @@ components:
633674
type: boolean
634675
scanner_fetch_package_source:
635676
description: |-
677+
Deprecated (Spec 077 US3): migrated on load into DeepScan.FetchPackageSource
678+
(see migrateDeepScanConfig). Retained only so existing configs that still carry
679+
the top-level key parse; consumers MUST read the effective value via
680+
SecurityConfig.EffectiveFetchPackageSource. Cleared after migration.
681+
636682
ScannerFetchPackageSource controls whether the scanner fetches the
637683
PUBLISHED source of package-runner servers (npx/uvx) — without executing
638684
it — when no local source is available (no Docker container, no local

0 commit comments

Comments
 (0)