Breaking Changes in Safety 3
As a major version upgrade, Safety 3.x includes several breaking changes over versions 2.x, which are summarized below. For more information on migrating from Safety CLI 2.x to Safety CLI 3.x, please refer to our
Command Update
The `safety check` command is replaced by `safety scan`. The new command is more powerful and configurable, providing recursive search in the target directory, native support for various dependency files, and customizable scan settings.
Configuration File
The `.safety-policy.yml` file structure has changed. The new format is incompatible with the old one used by `safety check`. Users need to convert their existing policy files to the new format for compatibility with `safety scan`.
Policy File Changes
Specific configurations in the old policy file need to be translated to the new format. Notably, `security:ignore-vulnerabilities` moves to `report:auto-ignore-in-report:vulnerabilities`, `security:ignore-cvss-severity-below` and `security:ignore-cvss-unknown-severity` combine into `report:auto-ignore-in-report:cvss-severity`, and `security:continue-on-vulnerability-error:True` is replaced by `fail-scan-with-exit-code:dependency-vulnerabilities:enabled:False`. The `alert` section is no longer supported.
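As an added example (not code from the Safety project), the script below applies the key mapping above to a 2.x policy that has already been parsed into a dict, and returns a draft 3.x policy together with a list of items to review by hand. The nesting beyond the key paths named here, the `version: '3.0'` marker and the shape of the combined `cvss-severity` field are assumptions, and `OLD_POLICY` is a constructed sample.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample of a 2.x policy (parsed YAML as a dict); all values are made up.
OLD_POLICY: Dict[str, Any] = {
    "security": {
        "ignore-cvss-severity-below": 4,
        "ignore-cvss-unknown-severity": False,
        "ignore-vulnerabilities": {
            25853: {"reason": "not reachable in our code", "expires": "2025-01-01"},
        },
        "continue-on-vulnerability-error": True,
    },
    "alert": {"security": {"slack": {"channel": "#sec"}}},
}


def _set_path(tree: Dict[str, Any], path: str, value: Any) -> None:
    """Assign value at a colon-separated key path, creating nested dicts as needed."""
    *parents, leaf = path.split(":")
    node = tree
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value


def migrate_policy(old: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (draft 3.x policy, notes on items that need manual review)."""
    sec = dict(old.get("security", {}))
    new: Dict[str, Any] = {"version": "3.0"}  # assumption: 3.x files carry a version key
    notes: List[str] = []
    if "ignore-vulnerabilities" in sec:
        _set_path(new, "report:auto-ignore-in-report:vulnerabilities",
                  sec.pop("ignore-vulnerabilities"))
    # The two CVSS thresholds combine into one field; its exact shape is not specified
    # on this page, so both old values are carried over under it and flagged for review.
    cvss = {k: sec.pop(k) for k in ("ignore-cvss-severity-below",
                                    "ignore-cvss-unknown-severity") if k in sec}
    if cvss:
        _set_path(new, "report:auto-ignore-in-report:cvss-severity", cvss)
        notes.append("review report:auto-ignore-in-report:cvss-severity (combined field)")
    # continue-on-vulnerability-error: True becomes enabled: False (inverted meaning).
    if "continue-on-vulnerability-error" in sec:
        _set_path(new, "fail-scan-with-exit-code:dependency-vulnerabilities:enabled",
                  not bool(sec.pop("continue-on-vulnerability-error")))
    if "alert" in old:
        notes.append("dropped 'alert' section: no longer supported in 3.x")
    for key in sec:  # anything else under security: has no mapping documented here
        notes.append(f"unmapped key security:{key}")
    return new, notes


if __name__ == "__main__":
    policy, todo = migrate_policy(OLD_POLICY)
    print(json.dumps(policy, indent=2))
    print("\n".join(todo))
```

Run the resulting file through `safety validate` before relying on it, since the validator checks the 3.0 layout by default.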
Scan Target Settings
The `-r` flag for specifying `requirements.txt` files in `safety check` is no longer needed in `safety scan`, as it finds these files automatically. The `scanning-settings:exclude` property in the new policy file can be used to exclude specific files or folders from scans.
JSON Output Format
Safety CLI 3 introduces a new JSON output format for `safety scan` that is substantially different from `safety check`'s JSON output. Users of Safety CLI 2.x who rely on JSON output may face breaking changes in the JSON structure when upgrading from versions earlier than 2.4.0b.
Using Both Safety Check and Safety Scan Commands
Safety CLI 3 allows running both the `safety check` and `safety scan` commands, each with its own policy file. To continue using both, the old policy file must be renamed (e.g., `.safety-check-policy.yml`) and specified when using `safety check`.
Validate Command
When using the `validate` command, Safety CLI 3 will validate a 3.0 policy file by default.