Codestin Search App

glaubinix · 2026-04-16T14:55:40Z

Introducing a new policy config that covers what is currently known as audit and filter while keeping support for the existing audit config.

Changes in this PR

drops filter config and uses new policy config instead
unifies how ignore works across advisories, abandoned and malware
ignore-unreachable can now be configured separately for audit|update|install
drops default-lists as part of the Composer repository schema
drops unfiltered-packages as part of the repository config

Pending items that will be added via follow up PR

New ENV variables FilterList: introduce new env vars and make sure all env vars are covered by tests #12806
ignore-source for the malware list FilterList: add ignore-source for malware list #12807
option to automatically migrate the old audit config to the new policy config (likely only happening in 2.11)
support for the policy config in the ConfigCommand FilterLists: add support for the policy config to the ConfigCommand #12809
implement block on install for malware FilterList: block malware packages during composer install #12826
get rid of the existing AuditConfig object FilterLists: adjust auditor and audit config to adapt for new filter lists #12831
adjusted composer repository schema that includes api-url/summary-url for malware
- summary-url: FilterLists: introduce a summary-url ComposerRepositories can implement to skip fetching all metadata files for all packages #12833
- api-url:

The new config format

Take a look at the changes to the composer-schema.json to see all possible values.

{
    "config": {
        "policy": {
            "advisories": {
                "block": true,
                "audit": "fail",
                "ignore": {
                    "vendor/package": "all advisories for this package ignored"
                },
                "ignore-id": {
                    "CVE-2024-1234": "not reachable in our app",
                    "GHSA-xxxx-yyyy": {"on-block": false, "reason": "mitigated by WAF"}
                },
                "ignore-severity": {
                    "low": "we accept low-severity risk"
                }
            },
            "malware": {
                "block": true,
                "block-scope": "all",
                "audit": "fail",
                "ignore": {
                    "vendor/false-positive": "verified safe, flagged by mistake"
                },
                "ignore-source": ["untrusted-repo-name"]
            },
            "abandoned": {
                "block": false,
                "audit": "fail",
                "ignore": {
                    "vendor/old-pkg": "replacement not ready yet",
                    "vendor/legacy-*": {"on-audit": false, "reason": "allow install but keep reporting"},
                    "vendor/pinned": {"constraint": "^2.0", "reason": "only v2 still in use"}
                }
            },
            "company-policy": {
                "sources": [
                    {"type": "url", "url": "https://example.com/policy-filter.json"},
                    {"type": "url", "url": "https://security-team.example.com/extra-rules.json"}
                ],
                "block": true,
                "audit": "fail",
                "ignore": {
                    "vendor/internal-fork": "maintained internally"
                }
            },
            "ignore-unreachable": ["install", "update"]
        }
    }
}

github-actions · 2026-04-27T15:46:03Z

API Surface Changes

If any of the additions below are not intended as public API, mark them with @internal in the docblock.

Modified API Surface

Properties

Composer\Config::defaultConfig

@@ -7,3 +7,3 @@
     'audit' => ['ignore' => [], 'abandoned' => Auditor::ABANDONED_FAIL],
-    'filter' => true,
+    'policy' => true,
     'notify-on-install' => true,

…or policy to config

…r custom-list blocking

…ly for audit

…ray entries

…kage-name reasons

…keys

…g sources

… not matching the expected format

…and alias for --no-blocking instead of the other way around

…Y_BLOCKING

Seldaek · 2026-05-06T08:51:11Z

Thanks!

glaubinix force-pushed the push-ymskopooqxzt branch 2 times, most recently from 381997b to 0071bfc Compare April 16, 2026 16:02

glaubinix marked this pull request as ready for review April 16, 2026 16:02

glaubinix force-pushed the push-ymskopooqxzt branch 2 times, most recently from 970b769 to 74e9362 Compare April 17, 2026 08:27

This was referenced Apr 17, 2026

FilterList: introduce new env vars and make sure all env vars are covered by tests #12806

Merged

FilterList: add ignore-source for malware list #12807

Merged

FilterLists: add support for the policy config to the ConfigCommand #12809

Merged

glaubinix force-pushed the push-ymskopooqxzt branch from 9c7d1f6 to ac72255 Compare April 27, 2026 15:45

glaubinix force-pushed the push-ymskopooqxzt branch 4 times, most recently from e502860 to d0dae2c Compare April 29, 2026 10:24

glaubinix added 9 commits April 29, 2026 14:37

Policy: introduce new config objects

7c4ea6d

Replace filter config with new policy config

fad0051

Update audit/policy docs

58e207f

FilterList: update schema for new unified policy config

b87b085

Config: remove filter from config and command and add basic support f…

87c6ec2

…or policy to config

FilterList: clean up config classes and add missing tests

e962f46

FilterList: fix problem message

8c0891d

Fix: source URL check

b1c50ba

Adjust filter repository for new policy config structure

2259c45

glaubinix force-pushed the push-ymskopooqxzt branch from d0dae2c to 2259c45 Compare April 29, 2026 13:37