# Configuration

Redactyl uses a `.redactyl.yml` file for project-level configuration. Place it in your repository root.
## Basic Configuration

```yaml
version: 1

# Scan settings
scan:
  # Paths to include (default: current directory)
  paths:
    - .

  # Paths to exclude
  exclude:
    - node_modules
    - vendor
    - "*.min.js"

  # Enable deep scanning
  archives: true
  containers: true
  helm: true
  k8s: true

# Output settings
output:
  format: text # text, json, sarif
  verbose: false
```
## Baseline Configuration

Baseline known secrets to reduce noise:

```yaml
baseline:
  # Path to baseline file
  file: .redactyl-baseline.json

  # Auto-update baseline on scan
  auto_update: false
```

Create a baseline interactively:

```bash
redactyl scan
# Press 'b' on a finding to baseline it
```

Or via CLI:

```bash
redactyl baseline add --fingerprint <hash>
```
## Gitleaks Configuration

Redactyl uses Gitleaks for detection. You can customize rules:

```yaml
gitleaks:
  # Path to custom gitleaks config
  config: .gitleaks.toml

  # Additional rules to enable
  enable_rules:
    - custom-api-key

  # Rules to disable
  disable_rules:
    - generic-api-key
```

Custom Gitleaks rules in `.gitleaks.toml`:

```toml
[[rules]]
id = "custom-api-key"
description = "Custom API Key"
regex = '''MYAPP_[A-Z0-9]{32}'''
tags = ["key", "custom"]
```
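A custom rule is only as good as its regex, so it is worth checking a new `.gitleaks.toml` rule against lines you know should and should not match before committing it. The script below is an added example, not part of Redactyl or Gitleaks: it loads the rule table shown above (the TOML text and the sample lines are constructed here) and runs each rule's `regex` over the samples the way a scanner would, reporting the rule id, line number and matched text. It uses the standard-library `tomllib` where available and otherwise falls back to a minimal parser that only understands the flat `key = value` lines a rule table uses.

```python
import re

try:  # tomllib ships with the standard library from Python 3.11 on
    import tomllib
except ImportError:
    tomllib = None

# Constructed .gitleaks.toml content mirroring the rule shown above.
GITLEAKS_TOML = """
[[rules]]
id = "custom-api-key"
description = "Custom API Key"
regex = '''MYAPP_[A-Z0-9]{32}'''
tags = ["key", "custom"]
"""

# Constructed sample lines: two should match, two should not.
SAMPLE_LINES = [
    "MYAPP_KEY=MYAPP_" + "A" * 32,              # 32 uppercase chars: match
    "# MYAPP_ABC is a short placeholder",       # too short: no match
    "token = MYAPP_" + "0123456789ABCDEF" * 2,  # 32 alphanumerics: match
    "myapp_" + "b" * 32,                        # lowercase prefix: no match
]


def load_rules(toml_text):
    """Return the [[rules]] tables as a list of dicts (id, description, regex, ...)."""
    if tomllib is not None:
        return tomllib.loads(toml_text).get("rules", [])
    # Fallback (assumption: one key = value per line, no nested tables,
    # values are "..." or '''...''' strings; arrays are kept as raw text).
    rules, current = [], None
    for line in toml_text.splitlines():
        line = line.strip()
        if line == "[[rules]]":
            current = {}
            rules.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if value.startswith("'''") and value.endswith("'''"):
                value = value[3:-3]
            elif value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            current[key.strip()] = value
    return rules


def scan_lines(rules, lines):
    """Run every rule regex over each line; return (rule_id, line_no, matched_text) tuples."""
    compiled = [(rule["id"], re.compile(rule["regex"])) for rule in rules]
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule_id, pattern in compiled:
            for match in pattern.finditer(line):
                findings.append((rule_id, line_no, match.group(0)))
    return findings


if __name__ == "__main__":
    for rule_id, line_no, text in scan_lines(load_rules(GITLEAKS_TOML), SAMPLE_LINES):
        print(f"{rule_id}: line {line_no}: {text}")
```

Run it after every change to the rule and extend `SAMPLE_LINES` with real (redacted) false positives as they come up; a regex without anchors such as `\b` will also match the first 32 characters of a longer token, which is usually fine for detection but worth knowing when tuning `disable_rules`.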
## Guardrails

Protect sensitive operations:

```yaml
guardrails:
  # Require confirmation for destructive operations
  confirm_destructive: true

  # Create backups before history rewriting
  backup_refs: true

  # Block operations on protected branches
  protected_branches:
    - main
    - master
    - release/*
```
## CI/CD Configuration

Settings for non-interactive mode:

```yaml
ci:
  # Exit code on findings
  fail_on_findings: true

  # Minimum severity to fail
  fail_severity: high # low, medium, high, critical

  # SARIF output path
  sarif_output: redactyl.sarif.json
```
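The baseline and CI settings work together: findings whose fingerprint is already in the baseline file are dropped, and the remaining findings decide the exit code according to `fail_on_findings` and `fail_severity`. The script below is an added example that models that pipeline; it is not Redactyl's own code. The fingerprint scheme (SHA-256 over rule id, path and secret), the baseline file layout (a `findings` array of `{"fingerprint": ..., "reason": ...}` entries), the `baseline_add` helper standing in for `redactyl baseline add --fingerprint <hash>`, and the sample findings are all assumptions constructed for the example; the severity order `low < medium < high < critical` is the one listed in the config comment above.

```python
import hashlib
import json

# Severity order from the fail_severity comment: low, medium, high, critical.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed findings; secrets are obvious placeholders.
FINDINGS = [
    {"rule_id": "custom-api-key", "path": "config/dev.env",
     "secret": "MYAPP_" + "A" * 32, "severity": "high"},
    {"rule_id": "generic-api-key", "path": "tests/fixtures.py",
     "secret": "example-test-key", "severity": "medium"},
    {"rule_id": "custom-api-key", "path": "deploy/prod.env",
     "secret": "MYAPP_" + "B" * 32, "severity": "critical"},
]


def fingerprint(finding):
    """Stable id for a finding (assumed scheme: sha256 of rule id, path and secret)."""
    material = "{rule_id}:{path}:{secret}".format(**finding)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def load_baseline(baseline_json):
    """Return the fingerprints recorded in a baseline file (assumed layout)."""
    data = json.loads(baseline_json)
    return {entry["fingerprint"] for entry in data.get("findings", [])}


def baseline_add(baseline_json, fp, reason=""):
    """Model of `redactyl baseline add --fingerprint <hash>`: record fp once and return the new file text."""
    data = json.loads(baseline_json)
    entries = data.setdefault("findings", [])
    if all(entry["fingerprint"] != fp for entry in entries):
        entries.append({"fingerprint": fp, "reason": reason})
    return json.dumps(data, indent=2)


def apply_baseline(findings, baselined):
    """Drop findings whose fingerprint is already accepted in the baseline."""
    return [f for f in findings if fingerprint(f) not in baselined]


def ci_exit_code(findings, fail_on_findings=True, fail_severity="high"):
    """Non-zero only if some remaining finding reaches the fail_severity threshold."""
    if not fail_on_findings:
        return 0
    threshold = SEVERITY_ORDER[fail_severity]
    return 1 if any(SEVERITY_ORDER[f["severity"]] >= threshold for f in findings) else 0


def gate(findings, baseline_json, fail_on_findings=True, fail_severity="high"):
    """Full CI gate: baseline filtering followed by the severity check."""
    remaining = apply_baseline(findings, load_baseline(baseline_json))
    return remaining, ci_exit_code(remaining, fail_on_findings, fail_severity)


# Constructed baseline: the test fixture key has already been reviewed and accepted.
BASELINE_JSON = json.dumps({"version": 1, "findings": [
    {"fingerprint": fingerprint(FINDINGS[1]), "reason": "test fixture, not a live credential"},
]})


if __name__ == "__main__":
    remaining, code = gate(FINDINGS, BASELINE_JSON, fail_severity="high")
    for f in remaining:
        print(f"{f['severity']:<8} {f['rule_id']:<16} {f['path']}")
    print("exit code:", code)
```

Baselining is a noise-reduction tool, not a dismissal: every entry should carry a reason, and the baseline file belongs in version control so that reviewers can see which fingerprints were accepted and why.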
## Environment Variables

All config options can be set via environment variables:

```bash
# Prefix with REDACTYL_
export REDACTYL_SCAN_ARCHIVES=true
export REDACTYL_OUTPUT_FORMAT=json
export REDACTYL_CI_FAIL_ON_FINDINGS=true
```
## Configuration Precedence

- CLI flags (highest priority)
- Environment variables
- `.redactyl.yml` in current directory
- `.redactyl.yml` in home directory
- Built-in defaults (lowest priority)
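To see how the five layers combine, here is an added example of a layered resolver; it is not Redactyl's implementation. It deep-merges the layers from lowest to highest priority so that a later layer only overrides the keys it actually sets, and it maps `REDACTYL_<SECTION>_<KEY>` variables onto `section.key` following the pattern of the three variables shown above (that naming rule, the type coercion of environment strings, and the built-in defaults other than `paths: [.]` are assumptions). The two YAML files are represented by already-parsed dicts so the example runs without a YAML library.

```python
# Assumed built-in defaults; only `paths` defaulting to "." is documented above.
DEFAULTS = {
    "scan": {"paths": ["."], "exclude": [], "archives": False,
             "containers": False, "helm": False, "k8s": False},
    "baseline": {"file": ".redactyl-baseline.json", "auto_update": False},
    "output": {"format": "text", "verbose": False},
    "ci": {"fail_on_findings": True, "fail_severity": "high", "sarif_output": None},
}


def deep_merge(base, override):
    """Return base with override applied; nested dicts merge, anything else replaces."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def coerce(raw, like):
    """Convert an environment string to the type of the default it overrides (assumption)."""
    if isinstance(like, bool):
        return raw.strip().lower() in ("1", "true", "yes", "on")
    if isinstance(like, list):
        return [item for item in raw.split(",") if item]
    return raw


def env_overrides(environ, defaults, prefix="REDACTYL_"):
    """Map REDACTYL_<SECTION>_<KEY> onto {section: {key: value}} (assumed naming rule)."""
    overrides = {}
    for name, raw in environ.items():
        if not name.startswith(prefix):
            continue
        section, _, key = name[len(prefix):].lower().partition("_")
        if section in defaults and key in defaults[section]:
            overrides.setdefault(section, {})[key] = coerce(raw, defaults[section][key])
    return overrides


def resolve(cli_flags, environ, project_yml, home_yml, defaults=DEFAULTS):
    """Apply layers lowest-priority first so each later layer wins on the keys it sets."""
    config = {}
    for layer in (defaults, home_yml, project_yml, env_overrides(environ, defaults), cli_flags):
        config = deep_merge(config, layer)
    return config


# Constructed inputs standing in for the parsed files, the environment and CLI flags.
HOME_YML = {"output": {"format": "json"}, "scan": {"archives": True}}
PROJECT_YML = {"output": {"format": "text"}, "scan": {"exclude": ["node_modules", "vendor"]}}
ENVIRON = {"REDACTYL_OUTPUT_FORMAT": "sarif", "REDACTYL_CI_FAIL_ON_FINDINGS": "false",
           "HOME": "/home/dev"}
CLI_FLAGS = {"output": {"format": "json"}}

if __name__ == "__main__":
    cfg = resolve(CLI_FLAGS, ENVIRON, PROJECT_YML, HOME_YML)
    print("output.format      =", cfg["output"]["format"])       # json (CLI wins)
    print("ci.fail_on_findings=", cfg["ci"]["fail_on_findings"])  # False (env beats default)
    print("scan.archives      =", cfg["scan"]["archives"])        # True (home file, untouched above it)
    print("scan.exclude       =", cfg["scan"]["exclude"])         # project file list
```

The practical consequence for CI is visible in the second line: an environment variable silently overrides the project file, so a pipeline that exports `REDACTYL_CI_FAIL_ON_FINDINGS=false` for a debugging run will disable the gate even though `.redactyl.yml` says `fail_on_findings: true`.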
## Full Example

```yaml
version: 1

scan:
  paths:
    - .
  exclude:
    - node_modules
    - vendor
    - dist
    - "*.test.js"
  archives: true
  containers: true
  helm: true
  k8s: true

baseline:
  file: .redactyl-baseline.json
  auto_update: false

gitleaks:
  config: .gitleaks.toml
  disable_rules:
    - generic-api-key

guardrails:
  confirm_destructive: true
  backup_refs: true
  protected_branches:
    - main
    - production

ci:
  fail_on_findings: true
  fail_severity: high
  sarif_output: redactyl.sarif.json

output:
  format: text
  verbose: false
```