Configuration
krisk248 edited this page Dec 17, 2025 · 1 revision
SecureForge uses YAML configuration files. By default, it looks for .secureforge.yaml in the current directory.
Generate a default configuration:
```bash
secureforge init
```

For specific project types:

```bash
secureforge init --type maven
secureforge init --type nodejs
secureforge init --type angular
```

Full `.secureforge.yaml` reference with default values:

```yaml
# Configuration version
version: "1.0"

# Project metadata
project:
  name: "my-project"   # Project name (used in reports)
  type: "auto"         # auto, maven, gradle, nodejs, angular, python

# Source code settings
source:
  path: "."            # Path to scan (relative or absolute)
  include: []          # Patterns to include (empty = all)
  exclude:             # Patterns to exclude
    - "**/node_modules/**"
    - "**/vendor/**"
    - "**/.git/**"
    - "**/test/**"
    - "**/tests/**"
    - "**/__tests__/**"
    - "**/target/**"
    - "**/build/**"
    - "**/dist/**"

# Scanner configuration
scanners:
  # Semgrep - SAST (Static Application Security Testing)
  semgrep:
    enabled: true
    config: "auto"     # auto, p/security-audit, p/owasp-top-ten, path/to/rules.yaml
    timeout: 600       # Timeout in seconds
    exclude: []        # Additional patterns to exclude

  # Trivy - SCA (Software Composition Analysis)
  trivy:
    enabled: true
    severity: "CRITICAL,HIGH,MEDIUM"  # Severities to report
    skip_dirs:         # Directories to skip
      - "test"
      - "docs"
    skip_files: []     # Files to skip
    vuln_type: "os,library"           # Vulnerability types

  # TruffleHog - Secret Detection
  trufflehog:
    enabled: true
    only_verified: false  # Only report verified secrets
    exclude_paths: []     # Paths to exclude

  # SpotBugs - Java Bytecode Analysis
  spotbugs:
    enabled: false            # Enable for Java projects
    effort: "max"             # min, default, max
    include_findsecbugs: true # Include FindSecBugs rules
    skip_if_no_classes: true  # Skip if no .class files found

  # OWASP Dependency-Check
  owasp:
    enabled: false
    skip_update: true  # Skip NVD database update

# Quality gate thresholds
threshold:
  max_critical: 0        # Maximum critical findings (0 = fail on any)
  max_high: 5            # Maximum high findings
  max_medium: 50         # Maximum medium findings
  max_low: 999           # Maximum low findings
  fail_on_secrets: true  # Fail if any secrets found

# Output configuration
output:
  dir: "./security-reports"  # Output directory
  formats:                   # Report formats to generate
    - json   # Machine-readable
    - html   # Human-readable with charts
    - pdf    # Professional reports
    - sarif  # GitHub/Forgejo Security tab
  pdf_engine: "auto"         # auto, wkhtmltopdf, native
  archive:
    enabled: true
    retention_days: 90       # Days to keep old reports
```

Project fields:

| Field | Type | Default | Description |
|---|---|---|---|
| `name` | string | directory name | Project name for reports |
| `type` | string | `auto` | Project type detection |
Project Types:

- `auto` - Auto-detect from files
- `maven` - Java Maven project
- `gradle` - Java Gradle project
- `nodejs` - Node.js project
- `angular` - Angular project
- `python` - Python project
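As an added illustration of how `type: "auto"` can be resolved (example code, not SecureForge's own implementation): the marker-file table below is an assumption about what the auto-detection looks for; the page only names the resulting types. The order matters, because an Angular workspace also carries a `package.json` and would otherwise be classified as plain Node.js. An explicitly configured type is validated against the documented list and wins over detection.

```python
"""Resolve a SecureForge project type from the configured value or marker files.

Added example, not SecureForge's own code. MARKERS is an assumed mapping.
"""
from __future__ import annotations

from pathlib import Path

# Types the page documents for project.type.
VALID_TYPES = ("auto", "maven", "gradle", "nodejs", "angular", "python")

# Assumed marker files, most specific first: "angular" must be tested before
# "nodejs" because an Angular project also has a package.json.
MARKERS = [
    ("maven",   ("pom.xml",)),
    ("gradle",  ("build.gradle", "build.gradle.kts")),
    ("angular", ("angular.json",)),
    ("nodejs",  ("package.json",)),
    ("python",  ("pyproject.toml", "setup.py", "requirements.txt")),
]


def detect_project_type(present: set[str], configured: str = "auto") -> str:
    """Return the effective project type.

    ``present`` is the set of entry names in the project root. A configured
    type other than "auto" is returned as-is (after validation); "auto" walks
    the marker table. If nothing matches, "unknown" is returned so the caller
    can skip language-specific scanners (e.g. SpotBugs) instead of guessing.
    """
    if configured not in VALID_TYPES:
        raise ValueError(
            f"unknown project type {configured!r}; expected one of {VALID_TYPES}"
        )
    if configured != "auto":
        return configured
    for project_type, markers in MARKERS:
        if any(marker in present for marker in markers):
            return project_type
    return "unknown"


def detect_from_dir(root: str | Path, configured: str = "auto") -> str:
    """Filesystem wrapper: only the top-level entries of ``root`` are consulted."""
    names = {entry.name for entry in Path(root).iterdir()}
    return detect_project_type(names, configured)


if __name__ == "__main__":
    # Constructed directory listing, not a real project.
    print(detect_project_type({"angular.json", "package.json", "src"}))  # angular
```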
Source fields:

| Field | Type | Default | Description |
|---|---|---|---|
| `path` | string | `.` | Root path to scan |
| `include` | list | `[]` | Include patterns (glob) |
| `exclude` | list | see above | Exclude patterns (glob) |

Each scanner has:

- `enabled` - Turn scanner on/off
- Scanner-specific options (see below)
Threshold fields:

| Field | Type | Default | Description |
|---|---|---|---|
| `max_critical` | int | `0` | Max critical before fail |
| `max_high` | int | `5` | Max high before fail |
| `max_medium` | int | `50` | Max medium before fail |
| `max_low` | int | `999` | Max low before fail |
| `fail_on_secrets` | bool | `true` | Fail if secrets found |
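The quality gate is where a scan turns into a pass/fail decision, so it is worth seeing the rule applied to concrete findings. The following is an added example, not SecureForge's own code: it merges a partial `threshold` section over the documented defaults (so a config that only sets `max_high` keeps `max_critical: 0`), counts findings per severity, and treats TruffleHog findings as the secrets that `fail_on_secrets` refers to. The findings shape (dicts with `scanner` and `severity`) and the secret-scanner mapping are assumptions; the `no_fail` argument mirrors the `--no-fail` flag by still reporting reasons while forcing a pass.

```python
"""Evaluate SecureForge-style quality-gate thresholds over a list of findings.

Added example, not SecureForge's own code. Findings format and the
"TruffleHog findings are secrets" rule are assumptions.
"""
from __future__ import annotations

from collections import Counter

# Defaults exactly as documented for the threshold section.
DEFAULT_THRESHOLD = {
    "max_critical": 0,
    "max_high": 5,
    "max_medium": 50,
    "max_low": 999,
    "fail_on_secrets": True,
}

# Assumption: secret findings are those produced by the secret-detection scanner.
SECRET_SCANNERS = {"trufflehog"}


def evaluate_gate(
    findings: list[dict],
    threshold: dict | None = None,
    no_fail: bool = False,
) -> tuple[bool, list[str]]:
    """Return (passed, reasons).

    ``threshold`` may be partial; missing keys fall back to DEFAULT_THRESHOLD.
    Severity comparison is case-insensitive. With ``no_fail`` the reasons are
    still computed (so they can be reported) but the gate never fails.
    """
    cfg = {**DEFAULT_THRESHOLD, **(threshold or {})}
    counts = Counter(str(f.get("severity", "")).upper() for f in findings)
    secrets = sum(1 for f in findings if f.get("scanner") in SECRET_SCANNERS)

    reasons: list[str] = []
    for sev in ("critical", "high", "medium", "low"):
        limit = int(cfg[f"max_{sev}"])
        seen = counts[sev.upper()]
        if seen > limit:
            reasons.append(f"{seen} {sev} finding(s) exceed max_{sev}={limit}")
    if cfg["fail_on_secrets"] and secrets:
        reasons.append(f"{secrets} secret(s) found and fail_on_secrets is true")

    passed = no_fail or not reasons
    return passed, reasons


if __name__ == "__main__":
    # Constructed sample findings, not real scanner output.
    sample = [
        {"scanner": "semgrep", "severity": "HIGH"},
        {"scanner": "trivy", "severity": "MEDIUM"},
        {"scanner": "trufflehog", "severity": "HIGH"},
    ]
    ok, why = evaluate_gate(sample)
    print("PASS" if ok else "FAIL", why)
```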
Output fields:

| Field | Type | Default | Description |
|---|---|---|---|
| `dir` | string | `./security-reports` | Output directory |
| `formats` | list | `[json]` | Report formats |
| `pdf_engine` | string | `auto` | PDF generator |
Configuration can be overridden via CLI flags:

```bash
# Override config file
secureforge scan -c custom-config.yaml

# Override output directory
secureforge scan -o ./reports

# Override formats
secureforge scan -f json,html,sarif

# Skip specific scanners
secureforge scan --skip trufflehog,spotbugs

# Only run specific scanners
secureforge scan --only semgrep,trivy

# Ignore threshold failures
secureforge scan --no-fail

# Dry run (show what would happen)
secureforge scan --dry-run
```

Environment variables:

| Variable | Description |
|---|---|
| `SECUREFORGE_CONFIG` | Default config file path |
| `SECUREFORGE_OUTPUT` | Default output directory |
| `SECUREFORGE_NO_COLOR` | Disable colored output |
| `SECUREFORGE_VERBOSE` | Enable verbose logging |
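With three places a setting can come from (config file, environment, CLI flags), the practical question is which one wins and how `--skip`/`--only` interact with the `enabled` flags in the file. The example below is added here and is not SecureForge's own code; it assumes the precedence CLI flag > environment variable > config file > built-in default, which is consistent with the page calling the variables "defaults" and the flags "overrides", but the exact order is not stated on the page. YAML parsing is left to the caller (the config arrives as a dict), and unknown scanner or format names are rejected rather than silently ignored.

```python
"""Resolve effective SecureForge settings from file, environment and CLI.

Added example, not SecureForge's own code. Precedence order
(CLI > env > file > built-in) is an assumption.
"""
from __future__ import annotations

import copy

KNOWN_SCANNERS = ("semgrep", "trivy", "trufflehog", "spotbugs", "owasp")
KNOWN_FORMATS = ("json", "html", "pdf", "sarif")

# Built-in defaults taken from the documented tables.
BUILTIN = {
    "output": {"dir": "./security-reports", "formats": ["json"]},
    "scanners": {
        "semgrep": {"enabled": True},
        "trivy": {"enabled": True},
        "trufflehog": {"enabled": True},
        "spotbugs": {"enabled": False},
        "owasp": {"enabled": False},
    },
    "threshold": {"fail_on_secrets": True},
}


def _deep_merge(base: dict, override: dict) -> dict:
    """Recursively overlay ``override`` on ``base`` without mutating either."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = _deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def _csv(value: str, allowed: tuple[str, ...], what: str) -> list[str]:
    """Split a comma-separated flag value and validate every item."""
    items = [v.strip() for v in value.split(",") if v.strip()]
    bad = sorted(set(items) - set(allowed))
    if bad:
        raise ValueError(f"unknown {what}: {bad}; expected one of {allowed}")
    return items


def config_path(env: dict, cli: dict) -> str:
    """-c flag, then SECUREFORGE_CONFIG, then the default .secureforge.yaml."""
    return cli.get("config") or env.get("SECUREFORGE_CONFIG") or ".secureforge.yaml"


def resolve_config(file_cfg: dict | None, env: dict, cli: dict) -> dict:
    """Merge file over built-ins, then apply env defaults, then CLI overrides."""
    cfg = _deep_merge(BUILTIN, file_cfg or {})

    # Environment (assumed to override the file; any non-empty value counts as set).
    if env.get("SECUREFORGE_OUTPUT"):
        cfg["output"]["dir"] = env["SECUREFORGE_OUTPUT"]
    cfg["no_color"] = bool(env.get("SECUREFORGE_NO_COLOR"))
    cfg["verbose"] = bool(env.get("SECUREFORGE_VERBOSE"))

    # CLI flags win over everything.
    if cli.get("output"):
        cfg["output"]["dir"] = cli["output"]
    if cli.get("formats"):
        cfg["output"]["formats"] = _csv(cli["formats"], KNOWN_FORMATS, "format")
    if cli.get("only"):
        only = set(_csv(cli["only"], KNOWN_SCANNERS, "scanner"))
        for name in KNOWN_SCANNERS:
            cfg["scanners"].setdefault(name, {})["enabled"] = name in only
    if cli.get("skip"):  # applied after --only so a skipped scanner stays off
        for name in _csv(cli["skip"], KNOWN_SCANNERS, "scanner"):
            cfg["scanners"].setdefault(name, {})["enabled"] = False
    cfg["fail_on_threshold"] = not cli.get("no_fail", False)
    return cfg


def enabled_scanners(cfg: dict) -> list[str]:
    """Names of scanners that will actually run, in documented order."""
    return [n for n in KNOWN_SCANNERS if cfg["scanners"].get(n, {}).get("enabled")]


if __name__ == "__main__":
    # Constructed inputs standing in for a parsed YAML file, os.environ and argparse.
    cfg = resolve_config({"output": {"dir": "./out"}},
                         {"SECUREFORGE_OUTPUT": "./env-out"},
                         {"output": "./cli-out", "only": "semgrep,trivy"})
    print(cfg["output"]["dir"], enabled_scanners(cfg))
```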
You can maintain multiple configs for different scenarios:

```bash
# Development (quick scan)
secureforge scan -c .secureforge.dev.yaml

# CI/CD (full scan)
secureforge scan -c .secureforge.ci.yaml

# Production release (strict)
secureforge scan -c .secureforge.release.yaml
```

Minimal configuration:

```yaml
version: "1.0"
scanners:
  semgrep:
    enabled: true
  trivy:
    enabled: true
```

Strict configuration with quality gates:

```yaml
version: "1.0"
project:
  name: "secure-app"
scanners:
  semgrep:
    enabled: true
    config: "p/security-audit"
  trivy:
    enabled: true
    severity: "CRITICAL,HIGH"
  trufflehog:
    enabled: true
    only_verified: false
threshold:
  max_critical: 0
  max_high: 0
  max_medium: 10
  fail_on_secrets: true
output:
  formats: ["json", "sarif", "html"]
```

Java Maven project:

```yaml
version: "1.0"
project:
  name: "java-backend"
  type: "maven"
scanners:
  semgrep:
    enabled: true
    config: "p/java"
  trivy:
    enabled: true
  spotbugs:
    enabled: true
    effort: "max"
    include_findsecbugs: true
source:
  exclude:
    - "**/target/**"
    - "**/test/**"
```