Configuration Reference

Config Locations

  • default profile: app/configs/default.yaml
  • strict profile: app/configs/strict.yaml

Example usage:

sentilook scan <path> --config configs/default.yaml

Main Sections

  • scan: performance and safety limits
  • ignore: exclusion rules
  • detectors: enabled detectors and options
  • agent_threat_patterns: grouped pattern toggles
  • masking: preview masking presentation rules
  • severity: default and path-based severity promotion
  • report: report behavior
  • suppressions: detector-specific suppression rules

Example Schema

scan:
  follow_symlinks: false
  max_files: 50000
  max_file_size_mb: 5
  timeout_seconds: 90
  include_hidden_files: true

detectors:
  enabled:
    - "dotenv_key_value"
    - "jwt_like"
    - "aws_iam_key"
    - "openai_key"
    - "stripe_key"
    - "npm_token"
    - "docker_pat"
    - "slack_token"
    - "gcp_service_key"
    - "private_key_block"
    - "generic_api_key"
    - "high_entropy_string"
    - "agent_threat_pattern"
  options:
    high_entropy_string:
      min_length: 24
      min_entropy_threshold: 3.5
      max_findings_per_file: 5
    generic_api_key:
      min_length: 20

agent_threat_patterns:
  enabled: true
  match_download_exec: true
  match_obfuscation: true
  match_network: true
  match_init_time: true

suppressions:
  - detector: "high_entropy_string"
    path_pattern: "*.test.js"
  - detector: "generic_api_key"
    value_pattern: "EXAMPLE_*"

Key Notes

Profiles

  • default.yaml: security-first baseline for normal local scans, including hidden dotfiles
  • strict.yaml: broader scan limits and denser detector output for deep review runs

detectors.options.high_entropy_string

  • min_length: minimum token length
  • min_entropy_threshold: Shannon entropy threshold
  • max_findings_per_file: maximum findings per file

The legacy min_entropy key is still accepted for compatibility as an alias for min_entropy_threshold.
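The following is an added example (not Sentilook's own detector code) showing how the three high_entropy_string options gate a candidate token: the length check first, then the Shannon entropy threshold, then the per-file cap, with the legacy min_entropy key honoured as a fallback for min_entropy_threshold. The tokenizer regex, the sample file and the config fragment are constructed for the example; the real detector's tokenization is not documented on this page.

```python
import math
import re
from collections import Counter

# Constructed config fragment mirroring detectors.options.high_entropy_string.
# It deliberately uses the legacy `min_entropy` spelling to show the fallback,
# and lowers the per-file cap so the cap is visible on the sample below.
CONFIG = {
    "detectors": {
        "options": {
            "high_entropy_string": {
                "min_length": 24,
                "min_entropy": 3.5,          # legacy key, honoured as the threshold
                "max_findings_per_file": 2,  # reference value is 5
            }
        }
    }
}

# Candidate tokens: runs of base64-alphabet characters (assumed tokenizer).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}")


def shannon_entropy(s: str) -> float:
    """Bits per symbol of the empirical character distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def load_options(config: dict) -> dict:
    """Resolve the detector options, accepting legacy `min_entropy` as an
    alias for `min_entropy_threshold` (the current key wins if both exist)."""
    opts = config.get("detectors", {}).get("options", {}).get("high_entropy_string", {})
    threshold = opts.get("min_entropy_threshold", opts.get("min_entropy", 3.5))
    return {
        "min_length": int(opts.get("min_length", 24)),
        "min_entropy_threshold": float(threshold),
        "max_findings_per_file": int(opts.get("max_findings_per_file", 5)),
    }


def scan_text(text: str, config: dict) -> list:
    """Return (line_no, token, entropy_bits) for every token that is both long
    enough and random enough, stopping once max_findings_per_file is reached."""
    o = load_options(config)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for tok in TOKEN_RE.findall(line):
            if len(tok) < o["min_length"]:
                continue                    # cheap length gate first
            h = shannon_entropy(tok)
            if h < o["min_entropy_threshold"]:
                continue                    # padding, filler, repeated characters
            findings.append((line_no, tok, round(h, 2)))
            if len(findings) >= o["max_findings_per_file"]:
                return findings             # cap keeps minified bundles from flooding output
    return findings


# Constructed sample file. Each TOKEN_* value uses 32 distinct characters, so
# its entropy is exactly log2(32) = 5.0 bits per symbol. Nothing here is a
# real credential.
SAMPLE_FILE = """\
DB_HOST=localhost
FILLER=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
SHORT=abcdefghijklmnop
TOKEN_A=abcdefghijklmnopqrstuvwxyz012345
TOKEN_B=ABCDEFGHIJKLMNOPQRSTUVWXYZ012345
TOKEN_C=0123456789abcdefghijklmnopqrstuv
"""

if __name__ == "__main__":
    for line_no, tok, h in scan_text(SAMPLE_FILE, CONFIG):
        # Preview is masked even in this demo: never print the raw token.
        print(f"line {line_no}: entropy={h} token={tok[:4]}{'*' * (len(tok) - 4)}")
```

On the sample, `localhost` and the 16-character value fail the length gate, the 32 `a` characters fail the entropy gate, and only two of the three qualifying tokens are reported because of the cap, which is why the strict profile's "denser detector output" matters for deep review runs.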

detectors.options.generic_api_key

  • min_length: minimum accepted token length for the GitHub-style token detector bucket
  • this applies to the current generic_api_key detector only, not to provider-specific detectors such as AWS, OpenAI, or Stripe

agent_threat_patterns

  • enabled: default master switch when no per-group toggles are explicitly set
  • match_download_exec: download-and-execute patterns such as curl|bash and iwr|iex
  • match_obfuscation: obfuscated execution patterns such as base64 -d | sh and -EncodedCommand
  • match_network: suspicious public endpoint patterns such as public IP:port, /dev/tcp, and nc -e
  • match_init_time: JavaScript and Python top-level execution patterns

Rules:

  • if no per-group toggle is set, enabled controls the whole agent_threat_pattern group
  • if any per-group toggle is set, only the explicitly enabled groups run: groups that are not mentioned stay off, and enabled (whether true or false) is ignored, so enabled: false no longer disables the group globally
  • loopback, private-range, unspecified, and link-local IP:port values are intentionally ignored to reduce developer noise
  • standard Go func init() declarations are intentionally not flagged

Current detector set

  • dotenv_key_value
  • jwt_like
  • aws_iam_key
  • openai_key
  • stripe_key
  • npm_token
  • docker_pat
  • slack_token
  • gcp_service_key
  • private_key_block
  • generic_api_key
  • high_entropy_string
  • agent_threat_pattern

suppressions

  • detector: detector identifier
  • path_pattern: glob path or filename pattern
  • value_pattern: glob pattern against the detected raw value

Suppressed findings do not appear in reports, but they remain in the audit log as finding_suppressed.
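An added example (not Sentilook's own implementation) of how the suppression rules above can be evaluated: a rule applies only to its own detector, path_pattern is matched as a glob against the forward-slash path and the bare filename, value_pattern is matched as a glob against the raw value, and suppressed findings are kept out of the report but recorded in the audit trail as finding_suppressed. The assumption that a rule carrying both patterns requires both to match, the audit record shape, and the findings (placeholder values, not credentials) are constructed for this example.

```python
import fnmatch
from pathlib import PurePosixPath

# Constructed rules matching the `suppressions` schema above.
SUPPRESSIONS = [
    {"detector": "high_entropy_string", "path_pattern": "*.test.js"},
    {"detector": "generic_api_key", "value_pattern": "EXAMPLE_*"},
]


def path_matches(pattern: str, path: str) -> bool:
    # Full forward-slash path first, then the bare filename, so a pattern such
    # as "auth.test.js" (no directory part) also hits nested files.
    return (fnmatch.fnmatchcase(path, pattern)
            or fnmatch.fnmatchcase(PurePosixPath(path).name, pattern))


def is_suppressed(finding: dict, rules: list) -> bool:
    """A rule applies only to its own detector; when a rule carries both a
    path_pattern and a value_pattern, both must match (assumed semantics)."""
    for rule in rules:
        if rule["detector"] != finding["detector"]:
            continue
        if "path_pattern" in rule and not path_matches(rule["path_pattern"], finding["path"]):
            continue
        if "value_pattern" in rule and not fnmatch.fnmatchcase(finding["value"], rule["value_pattern"]):
            continue
        return True
    return False


def apply_suppressions(findings: list, rules: list):
    """Split findings into the reportable set and an audit trail. Suppressed
    findings are logged as finding_suppressed. Audit records carry detector,
    path and line only, never the raw value."""
    reported, audit = [], []
    for f in findings:
        record = {"detector": f["detector"], "path": f["path"], "line": f["line"]}
        if is_suppressed(f, rules):
            audit.append({"event": "finding_suppressed", **record})
        else:
            reported.append(f)
            audit.append({"event": "finding", **record})
    return reported, audit


# Constructed findings; values are placeholders, not real credentials.
FINDINGS = [
    {"detector": "high_entropy_string", "path": "src/auth.test.js", "line": 12, "value": "placeholder-fixture-1"},
    {"detector": "high_entropy_string", "path": "src/auth.js", "line": 40, "value": "placeholder-value-2"},
    {"detector": "generic_api_key", "path": "docs/README.md", "line": 8, "value": "EXAMPLE_KEY_12345"},
    {"detector": "generic_api_key", "path": "config/prod.env", "line": 3, "value": "placeholder-value-4"},
    # Same test file as the first finding but a different detector: the
    # high_entropy_string rule must not suppress it.
    {"detector": "aws_iam_key", "path": "src/auth.test.js", "line": 30, "value": "placeholder-value-5"},
]

if __name__ == "__main__":
    reported, audit = apply_suppressions(FINDINGS, SUPPRESSIONS)
    for r in reported:
        print("report:", r["detector"], r["path"], r["line"])
    for a in audit:
        print("audit :", a["event"], a["detector"], a["path"])
```

The last finding is the check worth keeping in mind when writing rules: a path_pattern on high_entropy_string does not silence an aws_iam_key hit in the same test file, so each noisy detector needs its own rule.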

report.share_safe_mode

  • true (recommended default): share-safe output mode
    • HTML finding paths are relative or shortened
    • SARIF artifact paths stay relative when possible, with basename fallback if not
    • intended for screenshots, broader review, and safer circulation
  • false: local operator mode
    • HTML report keeps full local file paths for remediation work
    • SARIF may contain local file:///... artifact URIs
    • treat the generated output as local-only and do not distribute it
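The two path behaviours above, as an added example that is not Sentilook's report writer: in share-safe mode an artifact path is made relative to the scan root and falls back to the basename when the file lies outside it, while local operator mode emits a full file:/// URI. The `local_path_leaks` check is the one a practitioner wants before circulating a SARIF file. The minimal SARIF skeleton, the scan root and the findings are constructed for this example.

```python
from pathlib import PurePosixPath


def artifact_location(abs_path: str, scan_root: str, share_safe: bool = True) -> str:
    """Path recorded for one finding. share_safe=True never leaks the local tree."""
    p, root = PurePosixPath(abs_path), PurePosixPath(scan_root)
    if not share_safe:
        return p.as_uri()                    # local operator mode: file:///... URI
    try:
        return str(p.relative_to(root))      # relative when under the scan root
    except ValueError:
        return p.name                        # basename fallback otherwise


def local_path_leaks(sarif: dict) -> list:
    """Pre-distribution check: artifact URIs that expose the operator's
    filesystem layout. Safe to run on any SARIF-shaped dict."""
    leaks = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                if uri.startswith("file://") or uri.startswith("/"):
                    leaks.append(uri)
    return leaks


def build_sarif(findings: list, scan_root: str, share_safe: bool = True) -> dict:
    """Minimal SARIF 2.1.0 skeleton carrying only the fields the check reads."""
    results = [{
        "ruleId": f["detector"],
        "level": "error",
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": artifact_location(f["path"], scan_root, share_safe)},
            "region": {"startLine": f["line"]},
        }}],
    } for f in findings]
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "sentilook"}}, "results": results}]}


# Constructed findings: one inside the scan root, one resolved outside it.
SCAN_ROOT = "/home/alice/repo"
FINDINGS = [
    {"detector": "dotenv_key_value", "path": "/home/alice/repo/config/.env", "line": 3},
    {"detector": "private_key_block", "path": "/home/alice/other/id_rsa", "line": 1},
]

if __name__ == "__main__":
    print(local_path_leaks(build_sarif(FINDINGS, SCAN_ROOT)))                    # []
    print(local_path_leaks(build_sarif(FINDINGS, SCAN_ROOT, share_safe=False)))  # both URIs
```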

masking

  • Sentilook always masks secret previews in terminal, audit, HTML, and SARIF output
  • prefix_chars, suffix_chars, and replace_char control the preview format only
  • older custom configs that still include masking.enabled, masking.strategy, or masking.never_print_raw should remove those keys
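An added example (not Sentilook's masking code) of the two points above: a loader that takes only prefix_chars, suffix_chars and replace_char and warns about the removed masking.enabled, masking.strategy and masking.never_print_raw keys, and a preview function that never reveals the whole value. The short-value policy (keep at least half of the secret, and never fewer than four characters, masked) and the defaults are assumptions; the reference does not spell them out. The sample config and secrets are constructed.

```python
# Keys the current masking section accepts, with assumed defaults.
MASKING_DEFAULTS = {"prefix_chars": 4, "suffix_chars": 4, "replace_char": "*"}
# Keys older custom configs may still carry. Masking is always on, so they
# are reported and dropped rather than honoured.
REMOVED_MASKING_KEYS = ("enabled", "strategy", "never_print_raw")


def load_masking(section: dict):
    """Return (options, warnings). Removed and unknown keys produce a warning."""
    opts = dict(MASKING_DEFAULTS)
    warnings = []
    for key, value in (section or {}).items():
        if key in REMOVED_MASKING_KEYS:
            warnings.append(f"masking.{key} is no longer honoured; remove it from the config")
        elif key in opts:
            opts[key] = value
        else:
            warnings.append(f"unknown masking key {key!r} ignored")
    if len(str(opts["replace_char"])) != 1:
        raise ValueError("masking.replace_char must be a single character")
    return opts, warnings


def mask_preview(secret: str, opts: dict) -> str:
    """Presentation-only masking. For short values the visible prefix/suffix
    shrink so that at least half of the secret, and never fewer than 4
    characters, stay masked (assumed policy)."""
    n = len(secret)
    visible_budget = max(0, min(opts["prefix_chars"] + opts["suffix_chars"], n - max(4, n // 2)))
    prefix = min(opts["prefix_chars"], visible_budget)
    suffix = min(opts["suffix_chars"], visible_budget - prefix)
    masked = n - prefix - suffix
    return secret[:prefix] + opts["replace_char"] * masked + (secret[n - suffix:] if suffix else "")


def render_finding(finding: dict, opts: dict) -> str:
    """One terminal/audit line. The raw value is never interpolated."""
    preview = mask_preview(finding["value"], opts)
    return f'{finding["detector"]} {finding["path"]}:{finding["line"]} preview={preview}'


# Constructed legacy config: three removed keys plus a custom preview format.
LEGACY_SECTION = {
    "enabled": True, "strategy": "partial", "never_print_raw": True,
    "prefix_chars": 3, "suffix_chars": 2, "replace_char": "#",
}

if __name__ == "__main__":
    opts, warnings = load_masking(LEGACY_SECTION)
    for w in warnings:
        print("warning:", w)
    demo = {"detector": "generic_api_key", "path": "config/app.env", "line": 7,
            "value": "abcdefghijklmnopqrst"}   # constructed placeholder, not a credential
    print(render_finding(demo, MASKING_DEFAULTS))
    print(render_finding(demo, opts))
```

With the defaults a 20-character value renders as `abcd************qrst`; a 6-character value renders as `ab****` rather than revealing all of it through a 4+4 prefix/suffix, and a 2-character value is fully masked.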

Safety Requirement

  • scan.include_hidden_files: true is recommended for real repository scans
  • report.share_safe_mode: true is recommended for any output that might be circulated beyond the operator machine
  • all previews are masked by runtime policy
  • raw secret values must not appear in console, audit, or report outputs