Baselines: adopt ConfigSentry without breaking CI

Step 1 — Generate a baseline (non-blocking)

npx configsentry ./docker-compose.yml --write-baseline .configsentry-baseline.json

Commit .configsentry-baseline.json to the repo (so changes are reviewed like code).

Step 2 — Use the baseline in CI

npx configsentry ./docker-compose.yml --baseline .configsentry-baseline.json

This suppresses findings that match the baseline, but still reports new findings.

Step 3 — Enforce “no new findings”

When you’re ready to prevent regressions:

• keep the baseline
• set your CI to fail on findings (new ones)

If you use the GitHub Action, this maps to baseline: + fail-on-findings: true.

Links

• Docker Compose linter
• GitHub Code Scanning (SARIF) for Compose
• Baselines docs
• Baseline walkthrough (end-to-end)
• GitHub Action usage