Skip to content

Add support for expiring advisory ignores#446

Open
abeljim8am wants to merge 1 commit into
rubysec:masterfrom
abeljim8am:expiring-advisory-ignores
Open

Add support for expiring advisory ignores#446
abeljim8am wants to merge 1 commit into
rubysec:masterfrom
abeljim8am:expiring-advisory-ignores

Conversation

@abeljim8am

@abeljim8am abeljim8am commented Jul 10, 2026

Copy link
Copy Markdown

Allow advisory ignores in .bundler-audit.yml to expire automatically, so temporary vulnerability exceptions do not remain in place indefinitely.

Timed ignores use an advisory ID and an inclusive ISO 8601 until date:

ignore:
  - id: CVE-YYYY-XXXX
    until: 2026-08-31

Existing string entries continue to be ignored indefinitely. Once a timed ignore expires, the advisory is reported normally. Invalid dates, missing fields, and unknown keys are rejected when loading the configuration.

The configuration and scanner specs cover active and expired ignores, backward compatibility, and validation failures.

@abeljim8am abeljim8am changed the title Add expiring advisory ignores Add support for expiring advisory ignores Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant