refactor: replacing-check-with-scan

check-vulnerabilities/action.yml

@@ -328,21 +328,24 @@ runs:
     - name: "Download the list of ignored safety vulnerabilities"
       shell: bash
       run: |
-        wget https://raw.githubusercontent.com/ansys/actions/main/check-vulnerabilities/ignored-safety.txt
+        FILE='.safety-policy.yml'
+        if [ -f $FILE ]; then
+          echo "File $FILE exists."
+        else
+          URL_FILE='https://raw.githubusercontent.com/ansys/actions/main/check-vulnerabilities/default_safety_policy.yaml'
+          echo "File $FILE does not exist."
+          echo "Using a default policy file from $URL_FILE"
+          wget $URL_FILE
+          mv default_safety_policy.yaml  $FILE
+        fi
 
     - name: "Run safety and bandit"
       shell: bash
       run: |
         ${{ env.ACTIVATE_VENV }}
-        # Load accepted safety vulnerabilities
-        mapfile ignored_safety_vulnerabilities < ignored-safety.txt
-        ignored_vulnerabilities=''
-        for pckg in ${ignored_safety_vulnerabilities[*]}; do ignored_vulnerabilities+="-i $pckg "; done
-          ignored_safety_vulnerabilities=${ignored_safety_vulnerabilities::-1}
-        echo "Ignored safety vulnerabilities: $ignored_vulnerabilities"
 
         # Run security tools
-        safety check -o bare --save-json info_safety.json --continue-on-error $ignored_vulnerabilities
+        safety scan --output screen --save-as json info_safety.json || echo "Running 'safety' failed."
         bandit -r ${{ inputs.source-directory }} -o info_bandit.json -f json --exit-zero
 
     - name: "Run safety advisory checks"

check-vulnerabilities/default_safety_policy.yaml

@@ -0,0 +1,41 @@
+version: '3.0'
+
+scanning-settings:
+  max-depth: 6
+  exclude:
+    - "node_modules"
+    - "lib/other/**"
+    - "**/*.js"
+
+report:
+  dependency-vulnerabilities:
+    enabled: true
+    auto-ignore-in-report:
+      python:
+        environment-results: true
+        unpinned-requirements: true
+      cvss-severity: []
+      vulnerabilities:
+        52495:
+          reason: We are not considering this vulnerability for the moment.
+          expires: '2026-02-01'
+        62044:
+          reason: We are not considering this vulnerability for the moment.
+          expires: '2026-02-01'
+        67599:
+          reason: We are not considering this vulnerability for the moment.
+          expires: '2026-02-01'
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - critical
+        - high
+        - medium
+
+security-updates:
+  dependency-vulnerabilities:
+    auto-security-updates-limit:
+      - patch