Configuration
Configuration is stored in config/config.yaml (usually copied from config/config.example.yaml).
This page focuses on the settings you most commonly adjust in real deployments.
Recommended workflow
app (identity, timezone, language)
- app.name: Display name (used by CLI messages and some integrations)
- app.timezone: Used for time-related formatting and logging behavior
- app.language: Controls report labels and LLM output language (examples: en-US, pt-BR, es, fr, de, ja, ko)
input (where the CSVs are)
- input.input_dir: Directory containing Qualys CSV exports
- input.file_glob: Pattern used to select files (for example *.csv)
- input.encoding: Typically utf-8
- input.delimiter: Typically ,
output (where artifacts are written)
- output.output_dir: Root output folder (default output/)
- output.report_title_prefix: Prefix used in the report title (the environment/file name is appended)
See also:
selection (Top X and constraints)
- selection.top_x: Number of vulnerabilities included in the final report
- selection.constraints.diversify_by_host: Encourages diversity across assets/hosts
- selection.constraints.avoid_duplicate_qid: Avoids repeating the same QID when possible
- selection.constraints.max_hosts_per_vuln_in_report: Caps evidence size per vulnerability
limits (performance and size controls)
These controls protect you from extremely large inputs and overly long LLM prompts/outputs:
- limits.max_rows_to_scan: 0 means “no limit” (be careful with huge CSVs)
- limits.max_candidates_for_llm: Candidate cap before LLM selection
- limits.llm_chunk_size: How many candidates are sent per LLM chunk
- limits.llm_text_max_chars: Truncation guardrails for evidence sent to the LLM
- limits.report_section_max_chars, limits.report_results_max_chars, limits.report_ports_max_items: Output-size guards
openai (LLM settings)
Key fields:
- openai.api_key_env_var: Name of the environment variable to read (default: OPENAI_API_KEY)
- openai.api_key: Optional (not recommended). Prefer the environment variable.
- openai.base_url: API base URL (default OpenAI). Can point at OpenAI-compatible endpoints.
- openai.model: Model name (example: gpt-4.1-mini)
- openai.temperature, openai.max_output_tokens: Output behavior and size
- Timeouts/retries: request_timeout_s, retries
Security recommendation: Avoid committing API keys into Git. Keep openai.api_key empty and set OPENAI_API_KEY in the runtime environment.
rendering (templates, assets, branding)
- rendering.templates_src_dir: Jinja templates directory (default: templates)
- rendering.assets_src_dir: Static assets directory (default: assets)
- rendering.theme: Visual theme (currently light)
- rendering.branding.enabled: When true, the report header includes a logo; logo_filename must exist in the assets folder and is copied into each report’s assets/
notifications (what events are emitted)
- notifications.enabled: Master switch for Slack/Email notifications
- notifications.event_types: Which event types generate notifications (default includes start, end, error, report_ready)
- notifications.include_run_metadata: When enabled, writes run.json into each report directory
- notifications.fail_on_integration_error: When true, integration failures can fail the run
integrations (external systems)
Integrations are disabled by default; enable only what you need.
Common patterns:
- Slack/Email require notifications.enabled: true plus the specific integration enabled.
- OpenSearch “events” publishing uses integrations.opensearch.enabled: true.
- OpenSearch “datasets” require integrations.opensearch.datasets_enabled: true.
- Metabase requires Postgres connectivity and credentials.
See also:
Secret handling (recommended)
Use environment variables for secrets, for example:
- OPENAI_API_KEY
- SLACK_BOT_TOKEN
- SENDGRID_API_KEY
- OPENSEARCH_API_KEY
- SPLUNK_HEC_TOKEN
- METABASE_PG_PASSWORD
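The following config/config.yaml is an added example written for this page, not the project's own config.example.yaml. It pulls together the app, input, output, selection, limits, openai, rendering, notifications and integrations keys described above and applies the secret-handling recommendation (openai.api_key left empty, the key read from OPENAI_API_KEY). All numeric values and paths are constructed for illustration, not recommended defaults; the nesting of logo_filename under rendering.branding is an assumption about the schema, and the Slack/Email integration blocks are omitted because their key names are not documented on this page.

```yaml
# Added example config/config.yaml (not the project's own example file).
# Values are constructed for illustration; tune them for your deployment.

app:
  name: "Qualys Top-X Report"          # constructed display name
  timezone: "UTC"
  language: "en-US"                    # also: pt-BR, es, fr, de, ja, ko

input:
  input_dir: "data/qualys"             # constructed path to the CSV exports
  file_glob: "*.csv"
  encoding: "utf-8"
  delimiter: ","

output:
  output_dir: "output/"
  report_title_prefix: "Monthly Vulnerability Review"   # environment/file name is appended

selection:
  top_x: 10                            # vulnerabilities in the final report
  constraints:
    diversify_by_host: true
    avoid_duplicate_qid: true
    max_hosts_per_vuln_in_report: 25   # caps evidence per vulnerability

limits:
  max_rows_to_scan: 500000             # 0 means "no limit"; keep a cap for huge CSVs
  max_candidates_for_llm: 200          # candidate cap before LLM selection
  llm_chunk_size: 40                   # candidates per LLM chunk
  llm_text_max_chars: 4000             # truncates evidence sent to the LLM
  report_section_max_chars: 20000
  report_results_max_chars: 50000
  report_ports_max_items: 50

openai:
  api_key_env_var: "OPENAI_API_KEY"    # the key is read from this variable at runtime
  api_key: ""                          # intentionally empty: never commit a key here
  base_url: "https://api.openai.com/v1"   # or an OpenAI-compatible endpoint
  model: "gpt-4.1-mini"
  temperature: 0.2
  max_output_tokens: 2000
  request_timeout_s: 60
  retries: 3

rendering:
  templates_src_dir: "templates"
  assets_src_dir: "assets"
  theme: "light"
  branding:
    enabled: true
    logo_filename: "logo.png"          # assumed nesting; file must exist under assets/

notifications:
  enabled: false                       # master switch for Slack/Email
  event_types: ["start", "end", "error", "report_ready"]
  include_run_metadata: true           # writes run.json into each report directory
  fail_on_integration_error: false     # set true if a failed integration should fail the run

integrations:
  opensearch:
    enabled: false                     # "events" publishing
    datasets_enabled: false            # "datasets" publishing
```

With this file committed, the only secret the run needs is supplied outside the repository: set OPENAI_API_KEY (and any SLACK_BOT_TOKEN, SENDGRID_API_KEY, OPENSEARCH_API_KEY, SPLUNK_HEC_TOKEN or METABASE_PG_PASSWORD you enable) in the service's environment or secret manager, and keep openai.api_key empty so a diff of config.yaml never carries credentials. The capped limits.max_rows_to_scan is the other deliberate choice: a value of 0 removes the guard and lets an unexpectedly large export drive memory use and LLM prompt size.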