
Configuration

Redactyl uses a .redactyl.yml file for project-level configuration. Place it in your repository root.

.redactyl.yml
version: 1
# Scan settings
scan:
  # Paths to include (default: current directory)
  paths:
    - .
  # Paths to exclude
  exclude:
    - node_modules
    - vendor
    - "*.min.js"
  # Enable deep scanning
  archives: true
  containers: true
  helm: true
  k8s: true
# Output settings
output:
  format: text # text, json, sarif
  verbose: false

Baseline findings you have reviewed and accepted so they are not reported again. Keep auto_update off unless you want every new finding written into the baseline without review; with it off, only findings you baseline explicitly are suppressed:

.redactyl.yml
baseline:
  # Path to baseline file
  file: .redactyl-baseline.json
  # Auto-update baseline on scan
  auto_update: false

Create a baseline interactively:

Terminal window
redactyl scan
# Press 'b' on a finding to baseline it

Or via CLI:

Terminal window
redactyl baseline add --fingerprint <hash>

Redactyl uses Gitleaks for detection. You can customize rules:

.redactyl.yml
gitleaks:
  # Path to custom gitleaks config
  config: .gitleaks.toml
  # Additional rules to enable
  enable_rules:
    - custom-api-key
  # Rules to disable
  disable_rules:
    - generic-api-key

Custom Gitleaks rules live in .gitleaks.toml. Gitleaks treats a custom config as a replacement for its built-in rule set unless the file opts back in with an [extend] table containing useDefault = true, so confirm which rules are actually active after pointing config at your own file:

[[rules]]
id = "custom-api-key"
description = "Custom API Key"
regex = '''MYAPP_[A-Z0-9]{32}'''
tags = ["key", "custom"]
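A rule like the one above is cheap to get subtly wrong (wrong length, a regex construct Gitleaks' Go engine rejects, a pattern that matches inside longer tokens). The script below is an added example, not Redactyl's or Gitleaks' own code: it loads [[rules]] tables with the standard library, refuses lookaround and backreferences because Gitleaks compiles rules with RE2, and runs the rules over constructed sample lines. The second rule (custom-api-key-strict) and all sample lines are constructed for this example; it needs Python 3.11 for tomllib, or the tomli backport.

```python
"""Dry-run Gitleaks-style rules against sample text before enabling them.

Added example, not Redactyl's or Gitleaks' own code. The rule file and the
sample lines are constructed here; only the standard library is used.
Requires Python 3.11 (tomllib) or the tomli backport.
"""
import re

try:
    import tomllib
except ModuleNotFoundError:  # Python < 3.11
    import tomli as tomllib  # type: ignore

# Constructed rule file: the page's rule plus a variant anchored with \b.
# A raw string keeps the backslashes intact for TOML's literal ''' strings.
RULES_TOML = r"""
[[rules]]
id = "custom-api-key"
description = "Custom API Key"
regex = '''MYAPP_[A-Z0-9]{32}'''
tags = ["key", "custom"]

[[rules]]
id = "custom-api-key-strict"
description = "Custom API Key (whole token only)"
regex = '''\bMYAPP_[A-Z0-9]{32}\b'''
tags = ["key", "custom"]
"""

# Constructed sample input; none of these are real credentials.
SAMPLE_LINES = [
    'api_key = "MYAPP_ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"',      # 32 chars after the prefix
    'placeholder = "MYAPP_TOOSHORT"',
    'token = "MYAPP_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"',    # 36 chars after the prefix
]

# Gitleaks compiles rules with Go's RE2 engine, which has no lookaround or
# backreferences. Python's re accepts them, so reject them up front instead of
# letting a rule pass here and fail inside the scanner.
RE2_UNSUPPORTED = ("(?=", "(?!", "(?<=", "(?<!", r"\1", r"\2")


def load_rules(toml_text: str) -> list[dict]:
    """Parse the [[rules]] tables and compile each regex."""
    rules = []
    for rule in tomllib.loads(toml_text)["rules"]:
        pattern = rule["regex"]
        for construct in RE2_UNSUPPORTED:
            if construct in pattern:
                raise ValueError(f"{rule['id']}: {construct!r} is not supported by RE2")
        rules.append({"id": rule["id"], "regex": re.compile(pattern),
                      "tags": list(rule.get("tags", []))})
    return rules


def redact(secret: str, keep: int = 6) -> str:
    """Keep only the identifying prefix so reports do not re-leak the value."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_lines(rules: list[dict], lines: list[str]) -> list[dict]:
    """Run every rule over every line; return redacted findings in order."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule in rules:
            for match in rule["regex"].finditer(line):
                findings.append({"rule": rule["id"], "line": lineno,
                                 "match": redact(match.group(0))})
    return findings


if __name__ == "__main__":
    for f in scan_lines(load_rules(RULES_TOML), SAMPLE_LINES):
        print(f"line {f['line']}: {f['rule']} -> {f['match']}")
```

The dry run shows the difference the anchors make: the page's unanchored rule also fires on the 36-character token on line 3 (reporting only its first 32 characters), while the \b-anchored variant fires only on the exact-length key on line 1. Which behaviour you want depends on whether longer tokens with the same prefix are still secrets; the point is to see it on sample data before the rule runs against a real repository.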

Protect sensitive operations:

.redactyl.yml
guardrails:
  # Require confirmation for destructive operations
  confirm_destructive: true
  # Create backups before history rewriting
  backup_refs: true
  # Block operations on protected branches (glob patterns)
  protected_branches:
    - main
    - master
    - release/*

Settings for non-interactive mode:

.redactyl.yml
ci:
  # Exit non-zero when findings are reported
  fail_on_findings: true
  # Minimum severity that causes the failing exit code
  fail_severity: high # low, medium, high, critical
  # SARIF output path
  sarif_output: redactyl.sarif.json

All config options can also be set via environment variables: prefix the name with REDACTYL_ and append the section and key in upper case, as in these examples:

Terminal window
# Prefix with REDACTYL_
export REDACTYL_SCAN_ARCHIVES=true
export REDACTYL_OUTPUT_FORMAT=json
export REDACTYL_CI_FAIL_ON_FINDINGS=true
When a setting is given in more than one place, the sources take precedence in this order:

  1. CLI flags (highest priority)
  2. Environment variables
  3. .redactyl.yml in current directory
  4. .redactyl.yml in home directory
  5. Built-in defaults (lowest priority)
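To make the precedence and the environment-variable naming concrete, here is an added example resolver; it is not Redactyl's own code. It assumes the order listed above and the REDACTYL_<SECTION>_<KEY> naming shown on this page; the default values, the comma-splitting of list settings and the file-loading glue are placeholders for the example. One detail worth seeing in code: keys such as fail_on_findings contain underscores themselves, so a variable name cannot be split on underscores blindly, and a misspelled variable is rejected rather than silently ignored.

```python
"""Resolve Redactyl-style settings with the documented precedence.

Added example, not Redactyl's own code. It assumes the order given on the
page (CLI flags > environment > ./.redactyl.yml > ~/.redactyl.yml > defaults)
and the REDACTYL_<SECTION>_<KEY> naming shown there; the default values,
comma-separated lists and the file-loading glue are placeholders.
"""
import os
from typing import Any

# Built-in defaults as assumed for this example; the real defaults may differ.
DEFAULTS: dict[str, dict[str, Any]] = {
    "scan": {"paths": ["."], "exclude": [], "archives": False,
             "containers": False, "helm": False, "k8s": False},
    "baseline": {"file": ".redactyl-baseline.json", "auto_update": False},
    "gitleaks": {"config": "", "enable_rules": [], "disable_rules": []},
    "guardrails": {"confirm_destructive": True, "backup_refs": True,
                   "protected_branches": ["main", "master"]},
    "ci": {"fail_on_findings": True, "fail_severity": "high",
           "sarif_output": ""},
    "output": {"format": "text", "verbose": False},
}


def coerce(raw: str, like: Any) -> Any:
    """Parse an environment string into the type of the value it overrides."""
    if isinstance(like, bool):
        if raw.lower() in ("1", "true", "yes"):
            return True
        if raw.lower() in ("0", "false", "no"):
            return False
        raise ValueError(f"expected a boolean, got {raw!r}")
    if isinstance(like, list):
        return [item for item in raw.split(",") if item]  # assumed list syntax
    return raw


def env_overrides(environ: dict[str, str], prefix: str = "REDACTYL_") -> dict:
    """Map REDACTYL_SCAN_ARCHIVES=true to {"scan": {"archives": True}}.

    Keys contain underscores themselves (fail_on_findings), so the name is
    matched against the known sections and keys rather than split blindly.
    Unknown names raise: a misspelled variable must not silently do nothing.
    """
    overrides: dict[str, dict[str, Any]] = {}
    for name, raw in environ.items():
        if not name.startswith(prefix):
            continue
        rest = name[len(prefix):].lower()
        for section, keys in DEFAULTS.items():
            key = rest[len(section) + 1:]
            if rest.startswith(section + "_") and key in keys:
                overrides.setdefault(section, {})[key] = coerce(raw, keys[key])
                break
        else:
            raise KeyError(f"unknown setting {name}")
    return overrides


def merge(*layers: dict) -> dict:
    """Merge section dicts key by key; later layers win."""
    merged: dict[str, dict[str, Any]] = {}
    for layer in layers:
        for section, values in layer.items():
            merged.setdefault(section, {}).update(values)
    return merged


def resolve(cli: dict, environ: dict[str, str], project: dict, home: dict) -> dict:
    """Apply the precedence lowest to highest: defaults < home < project < env < CLI."""
    return merge(DEFAULTS, home, project, env_overrides(environ), cli)


if __name__ == "__main__":
    # Real use would parse ./.redactyl.yml and ~/.redactyl.yml into the two
    # file layers; they are left empty here so the script runs offline.
    settings = resolve({}, dict(os.environ), {}, {})
    print(settings["scan"]["archives"], settings["output"]["format"])
```

Merging happens per key, not per section, so a home-directory file that only sets output.verbose does not lose that value when the project file sets output.format; only an explicit value at a higher layer replaces a lower one.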
A complete .redactyl.yml combining the sections above:

.redactyl.yml
version: 1
scan:
  paths:
    - .
  exclude:
    - node_modules
    - vendor
    - dist
    - "*.test.js"
  archives: true
  containers: true
  helm: true
  k8s: true
baseline:
  file: .redactyl-baseline.json
  auto_update: false
gitleaks:
  config: .gitleaks.toml
  disable_rules:
    - generic-api-key
guardrails:
  confirm_destructive: true
  backup_refs: true
  protected_branches:
    - main
    - production
ci:
  fail_on_findings: true
  fail_severity: high
  sarif_output: redactyl.sarif.json
output:
  format: text
  verbose: false