Breaking Changes in Safety 3

Command Update

safety check command is replaced by safety scan. The new command is more powerful and configurable, providing recursive search in the target directory, native support for various dependency files, and customizable scan settings.

Configuration File

The .safety-policy.yml file structure has changed. The new format is incompatible with the old one used by safety check. Users need to convert their existing policy files to the new format for compatibility with safety scan.

Policy File Changes

Specific configurations in the old policy file need to be translated to the new format. Notably, security:ignore-vulnerabilities moves to report:auto-ignore-in-report:vulnerabilities, security:ignore-cvss-severity-below and security:ignore-cvss-unknown-severity combine into report:auto-ignore-in-report:cvss-severity, and security:continue-on-vulnerability-error:True is replaced by fail-scan-with-exit-code:dependency-vulnerabilities:enabled:False. The alert section is no longer supported.

Scan Target Settings

The -r flag for specifying requirements.txt files in safety check is no longer needed in safety scan as it finds these files automatically. The scanning-settings:exclude property in the new policy file can be used to exclude specific files or folders from scans.

JSON Output Format

Safety CLI 3 introduces a new JSON output format for safety scan that is substantially different from safety check’s JSON output. If upgrading from Safety CLI 2.x and using JSON output, users may face breaking changes in the JSON structure if upgrading from versions earlier than 2.4.0b.

Using Both Safety Check and Safety Scan Commands

Safety CLI 3 allows running both safety check and safety scan commands, each with their separate policy files. To continue using both, the old policy file must be renamed (e.g., .safety-check-policy.yml) and specified when using safety check.

Validate Command

When using the validate command, Safety CLI 3 will validate a 3.0 policy file by default.