fix(security): exclude example requirements from security scan

These example files intentionally don't include versions, but that causes the OSV scanner to treat it as the lowest possible version which is often insecure.
canonical · Jan 14, 2025 · 9735821 · 9735821
1 parent ec10da2
commit 9735821
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/.github/workflows/policy.yaml b/.github/workflows/policy.yaml
@@ -18,6 +18,7 @@ jobs:
       # 1. requirements-noble.txt can't build on jammy
       # 2. Ignore requirements files in spread tests, as some of these intentionally
       #    contain vulnerable versions.
-      requirements-find-args: '! -name requirements-noble.txt ! -path "./tests/spread/*"'
+      # 3. How-tos contain requirements.txt files that don't specify versions.
+      requirements-find-args: '! -name requirements-noble.txt ! -path "./tests/spread/*" ! -path "./docs/howto/*"'
       osv-extra-args: '--config=source/osv-scanner.toml'
       uv-export: false