cc_audit/config/
template.rs1use super::types::Config;
4
5impl Config {
6 pub fn generate_template() -> String {
8 r#"# cc-audit Configuration File
9# Place this file as .cc-audit.yaml in your project root
10
11# =============================================================================
12# RULE SEVERITY CONFIGURATION (v3.0.0)
13# =============================================================================
14# Controls how findings affect CI exit code.
15# - error: Causes CI failure (exit 1) - DEFAULT for all rules
16# - warn: Report only, does not cause CI failure (exit 0)
17# - ignore: Completely skip the rule (no report)
18#
19# Priority: ignore > warn > default
20
21severity:
22 # Default severity for all rules
23 default: error
24
25 # Rules to treat as warnings only (report but don't fail CI)
26 # warn:
27 # - PI-001 # Prompt injection patterns
28 # - PI-002
29 # - OB-001 # Obfuscation patterns
30
31 # Rules to completely ignore (no report)
32 # ignore:
33 # - OP-001 # Overpermission
34
35# =============================================================================
36# SCAN CONFIGURATION
37# =============================================================================
38scan:
39 # Output format: terminal, json, sarif, html, markdown
40 # format: terminal
41
42 # Strict mode: show medium/low severity findings and treat warnings as errors
43 strict: false
44
45 # Scan type: skill, hook, mcp, command, rules, docker, dependency, subagent, plugin
46 # scan_type: skill
47
48 # Recursive scan
49 recursive: false
50
51 # CI mode: non-interactive output
52 ci: false
53
54 # Verbose output
55 verbose: false
56
57 # Minimum confidence level: tentative, firm, certain
58 # min_confidence: tentative
59
60 # Skip comment lines when scanning
61 skip_comments: false
62
63 # Show fix hints in terminal output
64 fix_hint: false
65
66 # Disable malware signature scanning
67 no_malware_scan: false
68
69 # Watch mode: continuously monitor files for changes
70 watch: false
71
72 # Path to a custom malware signatures database (JSON)
73 # malware_db: ./custom-malware.json
74
75 # Path to a custom rules file (YAML format)
76 # custom_rules: ./custom-rules.yaml
77
78 # Output file path (for HTML/JSON/SARIF output)
79 # output: ./report.html
80
81 # Enable deep scan with deobfuscation
82 deep_scan: false
83
84 # Auto-fix issues (where possible)
85 fix: false
86
87 # Preview auto-fix changes without applying them
88 fix_dry_run: false
89
90 # Warn-only mode: treat all findings as warnings (always exit 0)
91 warn_only: false
92
93 # Minimum severity level to include: critical, high, medium, low
94 # min_severity: high
95
96 # Minimum rule severity to treat as errors: error, warn
97 # min_rule_severity: error
98
99 # Strict secrets mode: disable dummy key heuristics for test files
100 strict_secrets: false
101
102 # ---------------------------------------------------------------------------
103 # CVE Scan Options (v1.1.0)
104 # ---------------------------------------------------------------------------
105 # Disable CVE vulnerability scanning
106 no_cve_scan: false
107
108 # Path to a custom CVE database (JSON)
109 # cve_db: ./custom-cve.json
110
111 # ---------------------------------------------------------------------------
112 # Remote Scanning Options (v1.1.0)
113 # ---------------------------------------------------------------------------
114 # Remote repository URL to scan
115 # remote: https://github.com/user/repo
116
117 # Git reference to checkout (branch, tag, commit)
118 # git_ref: main
119
120 # GitHub authentication token (also reads from GITHUB_TOKEN env var)
121 # remote_auth: ghp_xxxxxxxxxxxx
122
123 # Number of parallel clones for batch scanning
124 # parallel_clones: 4
125
126 # ---------------------------------------------------------------------------
127 # Badge Options (v1.1.0)
128 # ---------------------------------------------------------------------------
129 # Generate a badge for the scan result
130 badge: false
131
132 # Badge format: markdown, html, json
133 # badge_format: markdown
134
135 # Show summary only (useful for batch scanning)
136 summary: false
137
138 # ---------------------------------------------------------------------------
139 # Client Scan Options (v1.1.0)
140 # ---------------------------------------------------------------------------
141 # Scan all installed AI coding clients (Claude Code, Cursor, etc.)
142 all_clients: false
143
144 # Specific client to scan: claude, cursor, windsurf, vscode
145 # client: claude
146
147 # ---------------------------------------------------------------------------
148 # SBOM Options (v1.2.0)
149 # ---------------------------------------------------------------------------
150 # Generate SBOM (Software Bill of Materials)
151 sbom: false
152
153 # SBOM output format: cyclonedx, spdx
154 # sbom_format: cyclonedx
155
156 # Include npm dependencies in SBOM
157 sbom_npm: false
158
159 # Include Cargo dependencies in SBOM
160 sbom_cargo: false
161
162# =============================================================================
163# BASELINE CONFIGURATION (Drift Detection / Rug Pull Prevention)
164# =============================================================================
165baseline:
166 # Create a baseline snapshot when scanning
167 enabled: false
168
169 # Check for drift against saved baseline
170 check_drift: false
171
172 # Path to save baseline to
173 # save_to: ./.cc-audit-baseline.json
174
175 # Path to baseline file to compare against
176 # compare_with: ./.cc-audit-baseline.json
177
178# =============================================================================
179# WATCH MODE CONFIGURATION
180# =============================================================================
181watch:
182 # Debounce duration in milliseconds
183 debounce_ms: 300
184
185 # Poll interval in milliseconds
186 poll_interval_ms: 500
187
188# =============================================================================
189# IGNORE CONFIGURATION
190# =============================================================================
191ignore:
192 # Directories to ignore (overwrites defaults if specified)
193 # directories:
194 # - node_modules
195 # - target
196 # - .git
197 # - dist
198 # - build
199
200 # Glob patterns to ignore
201 # patterns:
202 # - "*.log"
203 # - "temp/**"
204
205 # Include test directories in scan
206 include_tests: false
207
208 # Include node_modules in scan
209 include_node_modules: false
210
211 # Include vendor directories in scan
212 include_vendor: false
213
214# =============================================================================
215# RULE CONFIGURATION
216# =============================================================================
217
218# Rule IDs to disable
219# disabled_rules:
220# - "PE-001"
221# - "EX-002"
222
223# Text file detection configuration
224# text_files:
225# # Additional file extensions to treat as text
226# extensions:
227# - custom
228# - special
229#
230# # Additional special file names
231# special_names:
232# - CUSTOMFILE
233
234# Custom rules (YAML format)
235# rules:
236# - id: "CUSTOM-001"
237# name: "Custom Rule Name"
238# severity: "high" # critical, high, medium, low, info
239# category: "exfiltration" # exfiltration, privilege_escalation, persistence, etc.
240# patterns:
241# - 'pattern_to_match'
242# message: "Description of the issue"
243# confidence: "firm" # tentative, firm, certain
244# fix_hint: "How to fix this issue"
245
246# Custom malware signatures
247# malware_signatures:
248# - id: "MW-CUSTOM-001"
249# name: "Custom Malware Signature"
250# description: "Description of what this detects"
251# pattern: "malware_pattern"
252# severity: "critical"
253# category: "exfiltration"
254# confidence: "firm"
255"#
256 .to_string()
257 }
258}