Update safety to v3

Iain-S · Iain-S · commit bf3baa15cc0b · 2024-04-18T14:55:35.000+01:00
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -46,4 +46,6 @@ jobs:
       - name: Install dependencies
         run: poetry install --all-extras
 
-      - uses: pre-commit/action@v3.0.0
+      - uses: pre-commit/action@v3.0.1
+        env:
+          SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -30,8 +30,7 @@ repos:
         types: ['python']
       - id: safety
         name: Safety
-        # Ignore sql-alchemy and wheel vulnerabilities
-        entry: poetry run safety check --full-report -i 51668
+        entry: poetry run safety --stage cicd scan --policy-file .safety-policy.yml
         pass_filenames: false
         language: system
       - id: mypy
diff --git a/.safety-policy.yml b/.safety-policy.yml
@@ -0,0 +1,50 @@
+version: '3.0'
+
+scanning-settings:
+  max-depth: 6
+  exclude: []
+  include-files: []
+  system:
+    targets: []
+
+
+report:
+  dependency-vulnerabilities:
+    enabled: true
+    auto-ignore-in-report:
+      python:
+        environment-results: true
+        unpinned-requirements: true
+      cvss-severity: []
+      vulnerabilities:
+        64459:
+          reason: Python wide vulnerability.
+          expires: '2024-12-12'
+        64396:
+          reason: Python wide vulnerability.
+          expires: '2024-12-12'
+        67599:
+          reason: Only applies if using private package repo.
+          expires: '2026-04-17'
+        51668:
+          reason: We cannot currently use SQL Alchemy v2.
+          expires: '2024-12-12'
+
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - medium
+        - critical
+        - high
+      exploitability:
+        - medium
+        - critical
+        - high
+
+security-updates:
+  dependency-vulnerabilities:
+    auto-security-updates-limit:
+      - patch
diff --git a/docs/content/setup.md b/docs/content/setup.md
@@ -48,7 +48,13 @@ Install the Pre-Commit hooks:
 pre-commit install
 ```
 
-and run them with:
+set an environment variable with your [safety API key](https://docs.safetycli.com/safety-docs/support/invalid-api-key-error#how-to-get-a-safety-api-key):
+
+```bash
+export SAFETY_API_KEY=your-api-key
+```
+
+and run the checks with:
 
 ```bash
 pre-commit run --all-files
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml

-Original file line number
+Diff line change
       - name: Install dependencies
         run: poetry install --all-extras
 -      - uses: pre-commit/[email protected]
 +      - uses: pre-commit/[email protected]
 +        env:
 +          SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}