Configuration Schema Reference Complete reference for all Vulfy configuration files and options.
Scan Configuration (.vulfy.toml) Optional configuration file for customizing scan behavior.
[scan ]
# Default ecosystems to scanecosystems = [" npm" " pypi" " crates.io" " maven" " go" " rubygems" " vcpkg" " packagist" " nuget" # Severity threshold (vulnerabilities below this level are ignored)min_severity = " low" # Options: "critical", "high", "medium", "low"# Skip development dependenciesskip_dev_deps = false
# Custom ignore patterns (glob patterns)ignore_paths = [
" node_modules" " vendor" " .git" " target" " build" output ]
# Default output formatformat = " table" # Options: "table", "json", "csv", "summary", "sarif"# Color outputcolor = " auto" # Options: "auto", "always", "never"api ]
# OSV.dev API settingstimeout = 30 # Timeout in secondsmax_concurrent = 10 # Maximum concurrent API requestsretry_attempts = 3 # Number of retry attempts on failure
Field
Type
Default
Description
ecosystemsArray[String]
All supported
List of ecosystems to scan
min_severityString
"low"Minimum severity level to report
skip_dev_depsBoolean
falseSkip development dependencies
ignore_pathsArray[String]
[]Glob patterns for paths to ignore
Field
Type
Default
Description
formatString
"table"Default output format
colorString
"auto"Color output setting
Field
Type
Default
Description
timeoutInteger
30API request timeout in seconds
max_concurrentInteger
10Maximum concurrent requests
retry_attemptsInteger
3Number of retry attempts
Automation Configuration (vulfy-automation.toml) Complete configuration for automation and monitoring features.
# Repository monitoring configurationrepositories ]]
name = " project-name" url = " https://github.com/user/repo.git" branches = [" main" " develop" # Optional: specific branches to monitorlocal_path = " /path/to/local/repo" # Optional: use existing local repoecosystems = [" npm" " pypi" # Optional: filter ecosystems for this reporepositories .credentials ]
username = " git" # Optional: Git usernametoken = " github_token_here" # Optional: GitHub/GitLab tokenssh_key_path = " /path/to/ssh/key" # Optional: SSH key path# Scheduling configurationschedule ]
frequency = " daily" # Options: "hourly", "daily", "weekly", "custom"time = " 02:00" # Time for daily/weekly scans (24-hour format)timezone = " UTC" # Timezone (default: UTC)# For custom frequency, use cron expression in 'time' field# Notification configurationnotifications ]
enabled = true
[[notifications .webhooks ]]
name = " Discord Security Alerts" url = " https://discord.com/api/webhooks/YOUR_WEBHOOK_URL" webhook_type = " discord" # Options: "discord", "slack", "generic"enabled = true
[notifications .filters ]
min_severity = " medium" # Minimum severity for notificationsonly_new_vulnerabilities = true # Only notify for new vulnerabilitiesrepositories = [" repo1" " repo2" # Optional: specific repos to notify for# Security policy configurationpolicies ]]
name = " Critical Authentication Issues" enabled = true
[policies .conditions ]
title_contains = [" authentication" " auth" " login" # Keywords in titletitle_regex = [" (?i)auth.*bypass" # Regex patterns for titledescription_contains = [" sql injection" # Keywords in descriptiondescription_regex = [" (?i)remote.*execution" # Regex patterns for descriptionseverity = [" high" " critical" # Severity levelsecosystems = [" npm" " pypi" # Target ecosystemscve_pattern = " CVE-2023-.*" # CVE ID regex patternpackages = [" lodash" " express" # Specific package namespackage_regex = [" ^@.*/.+" # Package name regex patternspolicies .actions ]
notify = true # Send notifications for matchespriority = " critical" # Options: "critical", "high", "medium", "low"custom_message = " π¨ Critical auth vulnerability!" # Custom notification messageignore = false # Ignore vulnerabilities matching this policyfilter_only = false # Only show vulnerabilities matching this policy# Storage configurationstorage ]
database_path = " ./vulfy-data.db" # Optional: SQLite database pathretain_days = 30 # Days to retain scan historyexport_format = " json" # Export format for scan resultsexport_path = " ./vulfy-exports" # Directory for exported results[[repositories]] Section (Array)
Field
Type
Required
Description
nameString
Yes
Unique name for the repository
urlString
Yes
Git repository URL
branchesArray[String]
No
Branches to monitor (default: main branch)
local_pathString
No
Path to existing local repository
ecosystemsArray[String]
No
Filter ecosystems for this repository
[repositories.credentials] Section
Field
Type
Required
Description
usernameString
No
Git username for authentication
tokenString
No
GitHub/GitLab personal access token
ssh_key_pathString
No
Path to SSH private key
Field
Type
Required
Description
frequencyString
Yes
Schedule frequency
timeString
No
Time for scheduled scans
timezoneString
No
Timezone for scheduling (default: UTC)
Frequency Options:
"hourly" - Every hour"daily" - Once per day at specified time"weekly" - Once per week at specified day/time"custom" - Custom cron expression in time field
Field
Type
Default
Description
enabledBoolean
trueEnable/disable notifications
[[notifications.webhooks]] Section (Array)
Field
Type
Required
Description
nameString
Yes
Webhook name for identification
urlString
Yes
Webhook URL
webhook_typeString
Yes
Webhook type
enabledBoolean
Yes
Enable/disable this webhook
Webhook Types:
"discord" - Discord webhook format"slack" - Slack webhook format"generic" - Custom JSON webhook format
[notifications.filters] Section
Field
Type
Default
Description
min_severityString
"low"Minimum severity for notifications
only_new_vulnerabilitiesBoolean
falseOnly notify for new vulnerabilities
repositoriesArray[String]
All
Specific repositories to notify for
[[policies]] Section (Array)
Field
Type
Required
Description
nameString
Yes
Policy name for identification
enabledBoolean
Yes
Enable/disable this policy
[policies.conditions] Section
Field
Type
Default
Description
title_containsArray[String]
[]Keywords that must appear in vulnerability title
title_regexArray[String]
[]Regex patterns for vulnerability title
description_containsArray[String]
[]Keywords in vulnerability description
description_regexArray[String]
[]Regex patterns for vulnerability description
severityArray[String]
All
Severity levels to match
ecosystemsArray[String]
All
Target ecosystems
cve_patternString
None
Regex pattern for CVE IDs
packagesArray[String]
All
Specific package names
package_regexArray[String]
[]Regex patterns for package names
[policies.actions] Section
Field
Type
Default
Description
notifyBoolean
falseSend notifications for matches
priorityString
"medium"Notification priority level
custom_messageString
None
Custom notification message
ignoreBoolean
falseIgnore matching vulnerabilities
filter_onlyBoolean
falseOnly show matching vulnerabilities
Field
Type
Default
Description
database_pathString
None
SQLite database file path
retain_daysInteger
30Days to retain scan history
export_formatString
"json"Format for exported results
export_pathString
"./vulfy-exports"Directory for exports
Variable
Description
Default
VULFY_LOGLog level (error, warn, info, debug, trace)
info
VULFY_CONFIGDefault automation config path
vulfy-automation.toml
VULFY_WORKSPACEDefault workspace directory
vulfy-workspace
VULFY_API_TIMEOUTOSV.dev API timeout in seconds
30
VULFY_MAX_CONCURRENTMaximum concurrent API requests
10
name must be unique across all repositoriesurl must be a valid Git repository URLbranches must be valid Git branch namesecosystems must be from supported list
time format for daily: "HH:MM" (24-hour)time format for custom: valid cron expressiontimezone must be valid timezone identifier
url must be valid HTTPS URLDiscord webhooks must match Discord URL pattern
Slack webhooks must match Slack URL pattern
title_regex and description_regex must be valid regex patternscve_pattern must be valid regex patternseverity values must be: "critical", "high", "medium", "low"priority values must be: "critical", "high", "medium", "low"
[[repositories ]]
name = " my-app" url = " https://github.com/user/my-app.git" schedule ]
frequency = " daily" time = " 02:00" notifications ]
enabled = false [[repositories ]]
name = " frontend" url = " https://github.com/company/frontend.git" branches = [" main" " staging" ecosystems = [" npm" repositories .credentials ]
username = " deploy-bot" token = " ghp_xxxxxxxxxxxx" repositories ]]
name = " backend" url = " https://github.com/company/backend.git" branches = [" main" ecosystems = [" pypi" " go" repositories .credentials ]
username = " deploy-bot" token = " ghp_xxxxxxxxxxxx" schedule ]
frequency = " daily" time = " 06:00" timezone = " America/New_York" notifications ]
enabled = true
[[notifications .webhooks ]]
name = " Security Team Discord" url = " https://discord.com/api/webhooks/xxx/yyy" webhook_type = " discord" enabled = true
[[notifications .webhooks ]]
name = " Dev Team Slack" url = " https://hooks.slack.com/services/xxx/yyy/zzz" webhook_type = " slack" enabled = true
[notifications .filters ]
min_severity = " medium" only_new_vulnerabilities = true
[[policies ]]
name = " Critical Production Issues" enabled = true
[policies .conditions ]
severity = [" critical" " high" ecosystems = [" npm" " pypi" policies .actions ]
notify = true
priority = " critical" custom_message = " π¨ Critical vulnerability in production dependencies!" policies ]]
name = " Authentication Vulnerabilities" enabled = true
[policies .conditions ]
title_contains = [" auth" " authentication" " login" " session" severity = [" high" " critical" policies .actions ]
notify = true
priority = " critical" custom_message = " π Authentication vulnerability detected!" storage ]
database_path = " ./security-data.db" retain_days = 90
export_format = " json" export_path = " ./security-reports" Next : JSON Output Schema - Structure of JSON scan results