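---
# Recommended Semgrep Configuration
# Save as .semgrepconfig or semgrep.yml in your project root
#
# NOTE(review): Semgrep *rule* files also use a top-level `rules:` key, but
# there it must be a list of rule objects (id, pattern, message, severity,
# languages). If this file is ever passed directly to `--config`, the scalar
# `rules: p/security-audit` below may be rejected by the rule schema — confirm
# how the installed Semgrep version discovers this file before relying on it.

# Rules to run
rules: p/security-audit

# Alternative: Specify multiple rulesets
# rules:
#   - p/owasp-top-ten
#   - p/cwe-top-25
#   - path/to/custom-rules.yaml

# Paths to exclude from scanning
# Globs are quoted so a leading `*` is not read as a YAML alias sigil.
# Note that excluding tests/ and test/ also hides any security findings in
# test fixtures (e.g. hard-coded credentials); keep that trade-off deliberate.
exclude:
  - "*/node_modules/*"
  - "*/vendor/*"
  - "*/.venv/*"
  - "*/venv/*"
  - "*/dist/*"
  - "*/build/*"
  - "*/.git/*"
  - "*/tests/*"
  - "*/test/*"
  - "*_test.go"
  - "test_*.py"
  - "*.test.js"
  - "*.spec.js"
  - "*.min.js"
  - "*.bundle.js"

# Paths to include (optional - scans all by default)
# include:
#   - "src/"
#   - "app/"
#   - "lib/"

# Maximum file size to scan (in bytes)
max_target_bytes: 1000000  # 1MB

# Timeout for each file (in seconds)
timeout: 30

# Number of jobs for parallel scanning
# jobs: 4

# Metrics and telemetry (disable for privacy)
# Quoted on purpose: a bare `off` is a YAML 1.1 boolean (false) to generic
# parsers, whereas Semgrep expects the literal string value.
metrics: "off"

# Autofix mode (use with caution)
# autofix: false

# Output format
# Can be: text, json, sarif, gitlab-sast, junit-xml, emacs, vim
# Set via CLI: semgrep --config=<ruleset-or-path> --json
# output_format: text

# Severity thresholds
# Only report findings at or above this severity
# Can be: ERROR, WARNING, INFO
# min_severity: WARNING

# Scan statistics
# Show timing and performance stats
# time: false

# Show stats after scanning
# verbose: false

# CI/CD specific settings
# These are typically set via CLI or CI environment

# Fail on findings
# Set exit code 1 if findings are detected
# error: true

# Baseline commit for diff scanning
# baseline_commit: origin/main

# SARIF output settings (for GitHub Security, etc.)
# sarif:
#   output: semgrep-results.sarif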