# Scanner Configuration with Proof of Exposure (PoE) Settings
# Copy to etc/scanner.yaml and customize for your deployment

scanner:
  # ... other scanner settings ...

reachability:
  # Proof of Exposure configuration
  poe:
    # Enable PoE generation (default: false)
    # Set to true to emit PoE artifacts for reachable vulnerabilities
    enabled: false

    # Maximum depth for subgraph extraction (hops from entry to sink)
    # Range: 5-20, default: 10
    # Higher values find more paths but increase processing time
    maxDepth: 10

    # Maximum number of paths to include in each PoE
    # Range: 1-10, default: 5
    # Multiple paths provide alternative evidence for auditors
    maxPaths: 5

    # Include guard predicates (feature flags, platform conditionals) in edges
    # Default: true
    # Guards help explain conditional reachability
    includeGuards: true

    # Only emit PoE for vulnerabilities with reachability=true
    # Default: true
    # Set to false to emit PoE for all vulnerabilities (including unreachable with empty paths)
    emitOnlyReachable: true

    # Attach PoE artifacts to OCI images as attestations
    # Default: false
    # Requires OCI registry write access
    attachToOci: false

    # Submit PoE DSSE envelopes to Rekor transparency log
    # Default: false
    # Requires network access to Rekor instance
    submitToRekor: false

    # Path pruning strategy
    # Options: ShortestWithConfidence | ShortestOnly | ConfidenceFirst | RuntimeFirst
    # Default: ShortestWithConfidence
    pruneStrategy: ShortestWithConfidence

    # Require runtime confirmation for high-risk findings
    # Default: false
    # When true, only runtime-observed paths are included in PoE
    requireRuntimeConfirmation: false

    # Signing key ID for DSSE envelopes
    # Must match a key in keys directory or KMS
    # Default: "scanner-signing-2025"
    signingKeyId: scanner-signing-2025

    # Include SBOM reference in PoE evidence block
    # Default: true
    includeSbomRef: true

    # Include VEX claim URI in PoE evidence block
    # Default: false
    includeVexClaimUri: false

    # Include runtime facts URI in PoE evidence block
    # Default: false
    includeRuntimeFactsUri: false

    # Prettify PoE JSON (2-space indentation)
    # Default: true
    # Set to false for minimal file size (~20% reduction)
    prettifyJson: true

# Example: Minimal PoE configuration (enabled with defaults)
# reachability:
#   poe:
#     enabled: true

# Example: Strict PoE configuration (high-assurance environments)
# reachability:
#   poe:
#     enabled: true
#     maxDepth: 8
#     maxPaths: 1
#     requireRuntimeConfirmation: true
#     submitToRekor: true
#     attachToOci: true
#     pruneStrategy: ShortestOnly

# Example: Comprehensive PoE configuration (maximum context for auditors)
# reachability:
#   poe:
#     enabled: true
#     maxDepth: 15
#     maxPaths: 10
#     includeSbomRef: true
#     includeVexClaimUri: true
#     includeRuntimeFactsUri: true
#     pruneStrategy: RuntimeFirst