Configuration File

A YAML configuration file is an alternative to setting the options of each CVEScan subcommand manually on the CLI. Note that options set on the CLI override the values configured in the file.

A file path can be passed to the CLI through the --config option. If none is provided, CVEScan checks for a configuration file named config.yml in the current directory. Finally, it tries to read it from the platform-specific configuration directory (e.g. on Linux, ~/.config/cvescan/config.yml).

Definition

```yaml
basename: BASENAME # (1)!
inventory_format: INV_FORMAT
annotations: ANNOTATIONS
connectors:
  nvd:
    rate_limit_calls: RATE_LIMIT_CALLS
    rate_limit_period: RATE_LIMIT_PERIOD
    mirror: NVD_PATH
    api_key: API_KEY # (6)!
  osv:
    rate_limit_calls: RATE_LIMIT_CALLS
    rate_limit_period: RATE_LIMIT_PERIOD
    advanced_purl_parsing: true | false
  uct:
    mirror: UCT_PATH
  match:
    - manual_binds
    - nvd
    - osv
  fetch:
    - nvd
    - osv
    - uct
scope:
  project: PROJECT
  component: COMPONENT
  transversal: TRANSVERSAL
scan_inventory:
  kept_packages: KEPT_PACKAGES
  profile: default | applicative # (2)!
api_integration:
  endpoint: ENDPOINT
  token: TOKEN
filter_report:
  cache_dir: FILTER_CACHE
  git_dir: GIT_DIR
  upstream_uri: REF
export_report:
  export_format: EXPORT_FORMAT
  vulnerable_only: true | false
serve-ui:
  port: PORT
runner:
  endpoint: ENDPOINT # (3)!
  token: TOKEN # (4)!
  update_period: UPDATE_PERIOD # (5)!
```
1. BASENAME is the prefix used for all files handled by CVEScan. When not specified, it is deduced from the inventory filename (without extension). It is used to name the generated reports when no -o option is provided.
2. The optional scan_inventory profile (scan profile) setting overrides the connectors match and fetch configuration as follows:
    - default: match: ["nvd"], fetch: ["nvd", "uct"]
    - applicative: match: ["osv"], fetch: ["nvd"]
3. ENDPOINT is the URL of the CVEScan API a runner integrates with. It can also be set from the CVESCAN_RUNNER_ENDPOINT environment variable, or from a file whose path is set in the CVESCAN_RUNNER_ENDPOINT_FILE environment variable.
4. TOKEN is the token used by a runner to authenticate with the CVEScan API. It can also be set from the CVESCAN_RUNNER_TOKEN environment variable, or from a file whose path is set in the CVESCAN_RUNNER_TOKEN_FILE environment variable.
5. UPDATE_PERIOD is the period to enforce between two update jobs, given as a time expression (e.g. 5s, 1m, 12h30m) or as an integer number of seconds. Default: 6h.
6. API_KEY is the API key to use for NVD API requests. It can also be set from the CVESCAN_NVD_API_KEY environment variable, or from a file whose path is set in the CVESCAN_NVD_API_KEY_FILE environment variable.
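The configuration file lookup order, the profile overlay on connectors match/fetch, and the environment-variable / _FILE fallbacks for secrets such as the runner token, as an added example that is not CVEScan's own code. It operates on the dict that PyYAML's safe_load would return, so the sample config is embedded as a constructed dict and the YAML parsing step is omitted; the precedence "file value before environment variable" is an assumption of this example, not something the page states.

```python
import os
from pathlib import Path

# Constructed sample: what safe_load would return for a config.yml shaped like
# the definition above (only the keys this example needs). The runner token is
# deliberately absent so it must come from the environment or a _FILE path.
SAMPLE_CONFIG = {
    "basename": "myproject",
    "connectors": {"match": ["manual_binds", "nvd", "osv"],
                   "fetch": ["nvd", "osv", "uct"]},
    "scan_inventory": {"profile": "applicative"},
    "runner": {"endpoint": "https://cvescan.example.invalid/api"},
}

# match/fetch sets selected by scan_inventory.profile (values from the page)
PROFILES = {
    "default": {"match": ["nvd"], "fetch": ["nvd", "uct"]},
    "applicative": {"match": ["osv"], "fetch": ["nvd"]},
}


def resolve_config_path(cli_path, cwd, platform_dir):
    """Lookup order: --config, then ./config.yml, then the platform config dir.
    Returns the first existing candidate or None."""
    candidates = (cli_path, Path(cwd) / "config.yml", Path(platform_dir) / "config.yml")
    for candidate in candidates:
        if candidate is not None and Path(candidate).is_file():
            return Path(candidate)
    return None


def effective_connectors(cfg):
    """match/fetch lists after the profile overlay: a profile replaces both."""
    conn = dict(cfg.get("connectors", {}))
    profile = cfg.get("scan_inventory", {}).get("profile")
    if profile is not None:
        conn.update(PROFILES[profile])  # unknown profile names raise KeyError
    return {"match": conn.get("match", []), "fetch": conn.get("fetch", [])}


def resolve_setting(cfg_value, env_name, environ=os.environ):
    """Value from the file, else $ENV, else the contents of the file named by
    $ENV_FILE (trailing newline stripped). Precedence order is an assumption."""
    if cfg_value is not None:
        return cfg_value
    if environ.get(env_name):
        return environ[env_name]
    secret_file = environ.get(env_name + "_FILE")
    if secret_file:
        return Path(secret_file).read_text().strip()
    return None
```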