Introduction
About 327 wordsAbout 1 min
CNB Code Security Scanning checks repositories for secrets and open source component risks. No extra configuration is required by default. If you need to adjust the scan scope, split configuration, or handle findings with rules, add .cnb/security/code_scan_config.yml to the repository.
Core concepts
| Concept | Description |
|---|---|
code_scan_config.yml | Optional configuration file for code security scanning. It declares scan scope, capability configuration, and include subfiles. |
.scanignore | Optional gitignore-style ignore file used to exclude paths that do not need to be scanned. |
| Security capability | The currently public capabilities are secrets and software-composition-analysis. Undeclared capabilities use platform defaults. |
Core capabilities
| Capability | Description |
|---|---|
| Specify scan scope | Use .scanignore or paths to exclude paths that do not need to be scanned. Use ! rules to include specific paths again. |
| Disable a capability | Point the capability's ignoreFrom to a file whose content is ** to skip scanning for that capability. |
| Split configuration | Use include to split configuration into multiple subfiles and maintain them by module. |
| Ignore findings with rules (Beta) | Ignore matching scan results by rule, based on conditions such as path and severity. |
Usage recommendations
- The platform hides differences between scan engines' ignore syntaxes and uses gitignore-style path rules uniformly.
- If
code_scan_config.ymlis not provided, the platform uses the built-in default configuration and scanning continues. - Before submitting changes, use the
validateplugin to check for incorrect include paths, field structures, or ignore files.
For usage, see Configuration file · Self-check with the validate plugin.
File location
code_scan_config.yml is placed in the repository's .cnb/security/ directory by default:
<repo-root>/
├── .cnb/
│ └── security/
│ └── code_scan_config.yml
└── .scanignore # optional, gitignore syntaxNext steps
- Quick start — enable code security scanning
- Configuration file — learn about include, merge rules, and validation
- Syntax reference — see the complete field-level reference