Configuration
Configure CodePhreak with a codephreak.yml file in your project root, with environment variables, or with command-line options.
Configuration File
Create a codephreak.yml file in your project root:

```yaml
# codephreak.yml - CodePhreak Configuration
version: "1.0"

# Scan settings
scan:
  # Include/exclude patterns
  include:
    - "src/**"
    - "lib/**"
  exclude:
    - "node_modules/**"
    - "*.test.js"
    - "*.min.js"
    - "vendor/**"
    - ".git/**"

# Security tools to enable
tools:
  semgrep: true    # Static analysis
  bandit: true     # Python security linting
  trivy: true      # Vulnerability scanning
  gitleaks: true   # Secret detection
  hadolint: true   # Dockerfile linting

# Output configuration
output:
  format: "json"   # json, sarif, html
  file: "security-report.json"

# Premium features (requires authentication)
premium:
  ai_analysis: true
  compliance_check: ["PCI-DSS", "HIPAA"]
  priority_scoring: true

# Severity thresholds (fail CI if exceeded)
thresholds:
  critical: 0   # Fail on any critical
  high: 5       # Fail if more than 5 high
  medium: 20    # Fail if more than 20 medium
```

Include/Exclude Patterns
Use glob patterns to control which files are scanned. A single * does not cross a directory separator, so an exclude such as *.test.js only matches test files in the project root; use **/*.test.js to exclude test files in every directory:
| Pattern | Description |
|---|---|
| src/** | All files in src directory recursively |
| *.py | All Python files in root |
| **/*.js | All JavaScript files anywhere |
| !node_modules/** | Exclude node_modules |
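The following is an added example, not CodePhreak's own matcher: it resolves an include/exclude configuration over a constructed file list using the semantics the table gives (** spans any number of directories, * and ? stop at a slash, a leading ! negates). That CodePhreak's matcher behaves exactly this way, including the ! prefix inside include, is an assumption; the point is to see which files a pattern set actually selects before relying on it in CI.

```python
"""Resolve include/exclude globs the way the table above describes.
Added example, not CodePhreak's own code; the file list is constructed."""
import re


def glob_to_regex(pattern):
    """Compile a glob into an anchored regex over '/'-separated paths."""
    i, parts = 0, []
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")   # zero or more directory levels
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")         # rest of the path, across '/'
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")      # within one path component only
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def select_files(paths, include, exclude):
    """Keep paths matching any include pattern (all paths if include is
    empty), then drop any path matching an exclude pattern. A '!' prefix
    in the include list is treated as an exclusion (assumed semantics)."""
    inc, exc = [], [glob_to_regex(p) for p in exclude]
    for p in include:
        (exc if p.startswith("!") else inc).append(glob_to_regex(p.lstrip("!")))
    chosen = []
    for path in paths:
        if inc and not any(r.match(path) for r in inc):
            continue
        if any(r.match(path) for r in exc):
            continue
        chosen.append(path)
    return chosen


# Constructed file list standing in for a checkout (not from the page).
SAMPLE_TREE = [
    "app.py",
    "src/main.js",
    "src/utils/helpers.js",
    "src/utils/helpers.test.js",
    "lib/crypto.py",
    "vendor/jquery.min.js",
    "node_modules/left-pad/index.js",
    "tests/app.test.js",
]

if __name__ == "__main__":
    include = ["src/**", "lib/**"]
    # Root-anchored "*.test.js" does not reach src/utils/helpers.test.js ...
    print(select_files(SAMPLE_TREE, include, ["node_modules/**", "*.test.js", "vendor/**"]))
    # ... while "**/*.test.js" excludes test files at any depth.
    print(select_files(SAMPLE_TREE, include, ["node_modules/**", "**/*.test.js", "vendor/**"]))
```

Run it against your own configuration by replacing SAMPLE_TREE with the output of a directory walk; the first call keeps src/utils/helpers.test.js, the second drops it.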
Tool-Specific Settings

```yaml
# Tool-specific configuration
tools:
  semgrep:
    enabled: true
    config: "p/security-audit"
    severity: ["ERROR", "WARNING"]
  bandit:
    enabled: true
    confidence: "HIGH"
    severity: "medium"
  trivy:
    enabled: true
    ignore_unfixed: true
    severity: ["CRITICAL", "HIGH"]
  gitleaks:
    enabled: true
    config: ".gitleaks.toml"   # Custom config file
```

Note that ignore_unfixed: true tells Trivy to drop vulnerabilities for which no fixed package version exists yet. That keeps the report actionable, but it also hides unpatched CVEs in your images, so leave it off when you need the full exposure picture rather than a remediation list.

Environment Variables
Override configuration with environment variables:
| Variable | Description |
|---|---|
| CODEPHREAK_API_KEY | API key for premium features |
| CODEPHREAK_CONFIG | Path to config file |
| CODEPHREAK_OUTPUT | Default output format |
| CODEPHREAK_VERBOSE | Enable verbose logging |
Command-Line Options

Command-line options override config file settings:

```bash
# Use specific config file
$ codephreak scan --config ./custom-config.yml

# Override output format
$ codephreak scan --output results.sarif --format sarif

# Set severity filter
$ codephreak scan --severity high,critical

# Enable specific tools only
$ codephreak scan --tools semgrep,trivy

# Verbose output
$ codephreak scan --verbose
```

CI/CD Configuration
GitHub Actions

```yaml
name: Security Scan
on: [push, pull_request]

# upload-sarif writes to the code-scanning API, so the job needs
# security-events: write; repositories with a read-only default
# GITHUB_TOKEN fail the upload step without it.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run CodePhreak
        env:
          CODEPHREAK_API_KEY: ${{ secrets.CODEPHREAK_API_KEY }}
        run: |
          pip install codephreak
          codephreak scan . --output results.sarif --format sarif
      - name: Upload SARIF
        if: always()   # upload the findings even when the scan step fails a threshold
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

GitLab CI
```yaml
security-scan:
  stage: test
  image: python:3.11
  script:
    - pip install codephreak
    - codephreak scan . --output gl-sast-report.json --format json
  artifacts:
    when: always   # keep the report when the job fails a threshold
    reports:
      sast: gl-sast-report.json
```

CI Fail Thresholds
Configure thresholds to fail CI builds when security issues exceed limits:

```yaml
# codephreak.yml
thresholds:
  critical: 0   # Fail on any critical issue
  high: 5       # Fail if more than 5 high severity
  medium: 20    # Fail if more than 20 medium severity
  low: -1       # -1 means unlimited (don't fail)
```

Configuration Priority
Settings are applied in the following order (later overrides earlier):

1. Default values
2. codephreak.yml in project root
3. Config file specified with --config
4. Environment variables
5. Command-line options
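The following is an added example, not CodePhreak's own code, covering both the CI Fail Thresholds section and the precedence order above: it resolves an effective configuration by merging the five layers in the documented order and then fails the build when a report exceeds the resolved thresholds (-1 unlimited, 0 fails on any finding, N fails on more than N). The default values, the report shape ({"findings": [{"severity": ...}]}), the mapping of CODEPHREAK_OUTPUT onto output.format, and the "verbose" key are all assumptions; every input is constructed inline.

```python
"""Illustrative CI gate for CodePhreak settings (added example, not the
project's own code). Resolves the effective configuration in the documented
order (defaults, codephreak.yml, --config file, environment, command line)
and fails the build when a report exceeds the thresholds."""
import json
from copy import deepcopy

# Assumed built-in defaults; CodePhreak's real defaults are not documented here.
DEFAULTS = {
    "output": {"format": "json", "file": "security-report.json"},
    "thresholds": {"critical": 0, "high": -1, "medium": -1, "low": -1},
}

# Environment variables that carry settings, mapped to the config path they
# override (CODEPHREAK_CONFIG and CODEPHREAK_API_KEY select a file / a key,
# not a setting). The "verbose" key name is an assumption.
ENV_MAP = {
    "CODEPHREAK_OUTPUT": ("output", "format"),
    "CODEPHREAK_VERBOSE": ("verbose",),
}

SEVERITIES = ("critical", "high", "medium", "low")


def deep_merge(base, override):
    """Return base updated by override: nested dicts merge key by key,
    lists and scalars are replaced outright."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def env_layer(environ):
    """Turn CODEPHREAK_* variables into a config fragment."""
    layer = {}
    for var, path in ENV_MAP.items():
        if var in environ:
            node = layer
            for key in path[:-1]:
                node = node.setdefault(key, {})
            node[path[-1]] = environ[var]
    return layer


def resolve(project_file, explicit_file, environ, cli):
    """Apply the layers in precedence order; a later layer wins."""
    effective = DEFAULTS
    for layer in (project_file, explicit_file, env_layer(environ), cli):
        effective = deep_merge(effective, layer or {})
    return effective


def count_by_severity(report):
    """Tally findings per severity. Assumes a report shaped like
    {"findings": [{"severity": "HIGH", ...}, ...]}; the real JSON schema
    is not shown on this page."""
    counts = {}
    for finding in report.get("findings", []):
        sev = str(finding.get("severity", "")).lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def threshold_violations(counts, thresholds):
    """List (severity, count, limit) wherever count exceeds limit.
    -1 means unlimited; 0 means any finding at that severity fails."""
    violations = []
    for sev in SEVERITIES:
        limit = thresholds.get(sev, -1)
        found = counts.get(sev, 0)
        if limit >= 0 and found > limit:
            violations.append((sev, found, limit))
    return violations


def gate(report, config):
    """CI exit status: 0 when within thresholds, 1 otherwise."""
    return 1 if threshold_violations(count_by_severity(report), config["thresholds"]) else 0


if __name__ == "__main__":
    project_cfg = {"thresholds": {"critical": 0, "high": 5, "medium": 20},
                   "output": {"format": "json"}}
    custom_cfg = {"thresholds": {"high": 2}}          # as if loaded via --config
    env = {"CODEPHREAK_OUTPUT": "sarif"}
    cli = {"output": {"format": "html"}}              # as if passed via --format
    cfg = resolve(project_cfg, custom_cfg, env, cli)
    print(json.dumps(cfg, indent=2))                  # output.format is "html": CLI wins
    report = {"findings": [{"severity": "HIGH"}] * 3 + [{"severity": "LOW"}] * 50}
    print("violations:", threshold_violations(count_by_severity(report), cfg["thresholds"]))
    raise SystemExit(gate(report, cfg))               # exits 1: 3 high exceeds the limit of 2
```

Lists such as compliance_check are replaced rather than concatenated when a later layer sets them, which matches how most layered CLI configs behave; if you need additive lists, handle that key explicitly in deep_merge.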