From 9735821dfa4dc5e5f8842e7546ff493ba6077e51 Mon Sep 17 00:00:00 2001
From: Alex Lowe
Date: Tue, 14 Jan 2025 14:28:14 -0500
Subject: [PATCH] fix(security): exclude example requirements from security scan
These example files intentionally don't include versions, but that causes the OSV scanner to treat it as the lowest possible version which is often insecure.
---
 .github/workflows/policy.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/policy.yaml b/.github/workflows/policy.yaml
index 891088325..2fb511f20 100644
--- a/.github/workflows/policy.yaml
+++ b/.github/workflows/policy.yaml
@@ -18,6 +18,7 @@ jobs:
 # 1. requirements-noble.txt can't build on jammy
 # 2. Ignore requirements files in spread tests, as some of these intentionally
 # contain vulnerable versions.
- requirements-find-args: '! -name requirements-noble.txt ! -path "./tests/spread/*"'
+ # 3. How-tos contain requirements.txt files that don't specify versions.
+ requirements-find-args: '! -name requirements-noble.txt ! -path "./tests/spread/*" ! -path "./docs/howto/*"'
 osv-extra-args: '--config=source/osv-scanner.toml'
 uv-export: false
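Review bot: The new `! -path "./docs/howto/*"` exclusion drops every requirements file under docs/howto from the OSV scan, not only the unpinned ones, so a how-to that later pins a vulnerable version for readers to copy will never be flagged, and nothing in the added comment records that assumption. I would make the comment carry it: `# 3. How-tos contain requirements.txt files that don't specify versions, which OSV scans as the oldest release; narrow this exclusion if any how-to starts pinning versions.` The added `requirements-find-args` line is also well past a comfortable line length; a folded scalar (`requirements-find-args: >-` with one `! -path …` clause per line) keeps the same single-line value and makes the next exclusion a one-line diff. The enclosing `with:` block of this step starts before the hunk.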