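# Values for the security scanning pipeline.
# NOTE(review): this file was collapsed onto a single line, which is not
# parseable YAML (the inline comment also swallowed every key after it).
# The nesting below is reconstructed from the key names; confirm it against
# the templates that consume these values.
pipeline:
  enabled: true
  name: amp-security-pipeline-v1.0.0
  # NOTE(review): "default" is the namespace's default service account. Its
  # permissions are not visible here; prefer a dedicated account bound only to
  # what the scan steps need.
  serviceAccountName: default
  workingDir: .
  # NOTE(review): a branch name moves; scan results are only reproducible
  # against a commit SHA or tag.
  gitRevision: main
  # Quoted so it stays a string instead of being typed as a float.
  # Presumably the CVSS score at which the pipeline fails - confirm whether the
  # comparison in the template is ">=" or ">".
  failOnCvss: "7.0"
  workspace:
    storage: 1Gi
  repoName: agentguard-ci
  # Order here matches the scanner fan-out in the workflow DAG.
  scanners:
    - trufflehog
    - semgrep
    - kics
    - socketdev
    - syft-grype
    - pulumi-crossguard
  toolsImage:
    repository: agentguard-tools
    # NOTE(review): "latest" is a mutable tag, and with IfNotPresent a node
    # keeps whatever build it cached first, so nodes can run different tool
    # versions. Pin a reviewed version or an image digest.
    tag: latest
    pullPolicy: IfNotPresent
  # Images for the individual pipeline steps. Most are pinned to a version;
  # the ones on "latest" are flagged below.
  images:
    git: alpine/git:2.45.2
    # NOTE(review): unpinned - a scanner image that changes upstream changes
    # what runs against the repository. Pin a version or digest.
    trufflehog: trufflesecurity/trufflehog:latest
    semgrep: returntocorp/semgrep:1.85.0
    kics: checkmarx/kics:1.7.14
    # NOTE(review): unpinned - pin a version or digest.
    socketdev: socketdev/socketcli:latest
    # NOTE(review): unpinned - pin a version or digest. Only the syft image is
    # named here; confirm where the grype half of "syft-grype" comes from.
    syftGrype: anchore/syft:latest
    pulumiCrossguard: pulumi/pulumi:3.154.0
    awsCli: amazon/aws-cli:2.15.40
    curl: curlimages/curl:8.8.0

# Report upload; disabled by default.
storage:
  enabled: false
  reportsBucket: security-reports
  # Empty string, not null. Presumably means "use the client's default
  # endpoint" - confirm in the template.
  endpoint: ""

pulumi:
  policyPackPath: policy-pack

# DefectDojo import; disabled by default.
defectdojo:
  enabled: false
  productTypeName: Homelab Security
  productName: agentguard-ci
  engagementName: Default Pipeline
  minimumSeverity: Info
  active: true
  # NOTE(review): if this is passed through to the import as-is, scanner
  # output is recorded as verified without human triage - confirm that is
  # intended.
  verified: true
  closeOldFindings: false
  # NOTE(review): presumably lets the import create the product and
  # engagement named above when they do not exist; the API credential then
  # needs create rights - confirm its scope.
  autoCreateContext: true

# Infisical integration; disabled by default. Only slugs are configured here.
infisical:
  enabled: false
  workspaceSlug: ""
  projectSlug: ""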