
1//! Configuration template generation.
2
3use super::types::Config;
4
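impl Config {
    /// Generate the annotated YAML configuration template.
    ///
    /// The returned text is intended to be written verbatim as
    /// `.cc-audit.yaml`: every option is either set to its default value or
    /// shown commented-out with an example, so the file is usable as-is and
    /// every key is discoverable without consulting external docs.
    ///
    /// The `remote_auth` example is a placeholder, never a real token. The
    /// template itself tells the user to prefer the `GITHUB_TOKEN`
    /// environment variable, because this file lives in the project root and
    /// a token written here is a plaintext secret that is easy to commit.
    ///
    /// Returns a freshly allocated `String`; the template is a compile-time
    /// constant and the only work done here is the copy.
    pub fn generate_template() -> String {
        const TEMPLATE: &str = r#"# cc-audit Configuration File
# Place this file as .cc-audit.yaml in your project root

# =============================================================================
# RULE SEVERITY CONFIGURATION (v0.5.0)
# =============================================================================
# Controls how findings affect CI exit code.
# - error: Causes CI failure (exit 1) - DEFAULT for all rules
# - warn: Report only, does not cause CI failure (exit 0)
# - ignore: Completely skip the rule (no report)
#
# Priority: ignore > warn > default

severity:
  # Default severity for all rules
  default: error

  # Rules to treat as warnings only (report but don't fail CI)
  # warn:
  #   - PI-001    # Prompt injection patterns
  #   - PI-002
  #   - OB-001    # Obfuscation patterns

  # Rules to completely ignore (no report)
  # ignore:
  #   - OP-001    # Overpermission

# =============================================================================
# SCAN CONFIGURATION
# =============================================================================
scan:
  # Output format: terminal, json, sarif, html, markdown
  # format: terminal

  # Strict mode: show medium/low severity findings and treat warnings as errors
  strict: false

  # Scan type: skill, hook, mcp, command, rules, docker, dependency, subagent, plugin
  # scan_type: skill

  # Recursive scan
  recursive: false

  # CI mode: non-interactive output
  ci: false

  # Verbose output
  verbose: false

  # Minimum confidence level: tentative, firm, certain
  # min_confidence: tentative

  # Skip comment lines when scanning
  skip_comments: false

  # Show fix hints in terminal output
  fix_hint: false

  # Disable malware signature scanning
  no_malware_scan: false

  # Watch mode: continuously monitor files for changes
  watch: false

  # Path to a custom malware signatures database (JSON)
  # malware_db: ./custom-malware.json

  # Path to a custom rules file (YAML format)
  # custom_rules: ./custom-rules.yaml

  # Output file path (for HTML/JSON/SARIF output)
  # output: ./report.html

  # Enable deep scan with deobfuscation
  deep_scan: false

  # Auto-fix issues (where possible)
  fix: false

  # Preview auto-fix changes without applying them
  fix_dry_run: false

  # ---------------------------------------------------------------------------
  # Remote Scanning Options (v1.1.0)
  # ---------------------------------------------------------------------------
  # Remote repository URL to scan
  # remote: https://github.com/user/repo

  # Git reference to checkout (branch, tag, commit)
  # git_ref: main

  # GitHub authentication token (also reads from GITHUB_TOKEN env var)
  # Prefer the GITHUB_TOKEN environment variable over writing a real token here:
  # this file sits in your project root, and a token stored in it is a plaintext
  # secret that is easy to commit by accident. The value below is a placeholder.
  # remote_auth: ghp_xxxxxxxxxxxx

  # Number of parallel clones for batch scanning
  # parallel_clones: 4

  # ---------------------------------------------------------------------------
  # Badge Options (v1.1.0)
  # ---------------------------------------------------------------------------
  # Generate a badge for the scan result
  badge: false

  # Badge format: markdown, html, json
  # badge_format: markdown

  # Show summary only (useful for batch scanning)
  summary: false

  # ---------------------------------------------------------------------------
  # Client Scan Options (v1.1.0)
  # ---------------------------------------------------------------------------
  # Scan all installed AI coding clients (Claude Code, Cursor, etc.)
  all_clients: false

  # Specific client to scan: claude, cursor, windsurf, vscode
  # client: claude

# =============================================================================
# BASELINE CONFIGURATION (Drift Detection / Rug Pull Prevention)
# =============================================================================
baseline:
  # Create a baseline snapshot when scanning
  enabled: false

  # Check for drift against saved baseline
  check_drift: false

  # Path to save baseline to
  # save_to: ./.cc-audit-baseline.json

  # Path to baseline file to compare against
  # compare_with: ./.cc-audit-baseline.json

# =============================================================================
# WATCH MODE CONFIGURATION
# =============================================================================
watch:
  # Debounce duration in milliseconds
  debounce_ms: 300

  # Poll interval in milliseconds
  poll_interval_ms: 500

# =============================================================================
# IGNORE CONFIGURATION
# =============================================================================
ignore:
  # Directories to ignore (overwrites defaults if specified)
  # directories:
  #   - node_modules
  #   - target
  #   - .git
  #   - dist
  #   - build

  # Glob patterns to ignore
  # patterns:
  #   - "*.log"
  #   - "temp/**"

  # Include test directories in scan
  include_tests: false

  # Include node_modules in scan
  include_node_modules: false

  # Include vendor directories in scan
  include_vendor: false

# =============================================================================
# RULE CONFIGURATION
# =============================================================================

# Rule IDs to disable
# disabled_rules:
#   - "PE-001"
#   - "EX-002"

# Text file detection configuration
# text_files:
#   # Additional file extensions to treat as text
#   extensions:
#     - custom
#     - special
#
#   # Additional special file names
#   special_names:
#     - CUSTOMFILE

# Custom rules (YAML format)
# rules:
#   - id: "CUSTOM-001"
#     name: "Custom Rule Name"
#     severity: "high"  # critical, high, medium, low, info
#     category: "exfiltration"  # exfiltration, privilege_escalation, persistence, etc.
#     patterns:
#       - 'pattern_to_match'
#     message: "Description of the issue"
#     confidence: "firm"  # tentative, firm, certain
#     fix_hint: "How to fix this issue"

# Custom malware signatures
# malware_signatures:
#   - id: "MW-CUSTOM-001"
#     name: "Custom Malware Signature"
#     description: "Description of what this detects"
#     pattern: "malware_pattern"
#     severity: "critical"
#     category: "exfiltration"
#     confidence: "firm"
"#;
        // The template is a `&'static str`; callers get their own owned copy.
        TEMPLATE.to_owned()
    }
}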