scrutineer.sample.yaml
# Sample scrutineer config. Copy to scrutineer.yaml (in the working
# directory) or point at it with -config to activate.
#
# Every key is optional. Command-line flags always win; only values the
# user did NOT pass on the command line are taken from here.

# Listen address for the web UI + skill API.
# addr: 127.0.0.1:8080

# Where scan workspaces and the sqlite DB live.
# data: ./data

# Claude effort level for model-backed skills.
# effort: high

# Clone strategy. "shallow" (default) clones with --depth 1; "full"
# clones the entire history. Switching from shallow to full unshallows
# existing clones on next scan. Full clones use significantly more disk
# and are slower for large repos — only flip if a skill needs history.
# clone: shallow

# Local directories to load SKILL.md files from. Repeatable via -skills
# on the command line; here you can list them directly.
# skills:
#   - ./skills

# Clone a skills repo on startup and load it. Accepts either an https URL or
# an "owner/repo" shorthand expanded to https://github.com/owner/repo. An
# optional "@ref" pins a branch, tag or commit; the resolved SHA is recorded
# on every scan so two runs a week apart can be told apart.
# skills_repo: https://github.com/alpha-omega-security/scrutineer-skills
# skills_repo: alpha-omega-security/scrutineer-skills@v0.3.1

# Disable the docker runner even if docker is available on the host.
# no_docker: false

# Docker image used for per-scan containers.
# runner_image: ghcr.io/alpha-omega-security/scrutineer-runner:latest

# Extra hosts the docker runner's egress proxy will tunnel to, on top of
# the built-in allowlist (Anthropic API, *.ecosyste.ms, major forges,
# package registries, advisory sources, host.docker.internal). Use
# "*.example.com" to allow every subdomain.
# egress_allow:
#   - artifactory.internal
#   - "*.mycorp.net"

# How many scans run in parallel. Default is 4; raise on bigger hosts,
# lower if you want model calls serialised.
# concurrency: 4

# Wall-clock limit for one scan. Scans that exceed this are killed and
# marked failed. Go duration syntax ("30m", "1h30m", "2h").
# scan_timeout: 1h

# Global --max-turns passed to claude-code. 0 (default) defers to the
# per-skill value (scrutineer.max_turns in SKILL.md metadata, default 30).
# When set, acts as a fallback for skills that don't declare their own cap.
# max_turns: 0

# Fail a scan when its report.json does not validate against the skill's
# schema.json. Default (false) emits the validator output to the scan log
# and the parser still runs. Turn on while iterating on a skill so shape
# mistakes surface as a scan failure rather than a buried log line.
# schema_strict: false

# Custom Anthropic API base URL. When set, the hostname is automatically
# added to the egress allowlist. Falls back to the ANTHROPIC_BASE_URL
# environment variable when empty.
# anthropic_base_url: https://my-proxy.corp.com/v1

# The model picker in the UI. Replacing this list replaces the built-in
# set (Sonnet, Opus). Leave it out to keep the built-in list.
# models:
#   - name: Sonnet
#     id: claude-sonnet-4-6
#   - name: Opus
#     id: claude-opus-4-7

# Pin the default model id. When set, this wins over the "first entry
# in models wins" rule. A skill can declare its own preferred model
# (scrutineer.model in SKILL.md metadata); per-skill wins over this
# default, and an explicit per-scan model wins over both.
# default_model: claude-sonnet-4-6
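The comments above document several precedence rules (flags over file, per-scan over per-skill over default_model over first models entry, skill cap over global max_turns) and an egress allowlist with wildcard entries plus the auto-added anthropic_base_url host. The following Python is an added illustration of those rules, not scrutineer's own code. The built-in allowlist is abbreviated to the entries the sample names, "*.x" is assumed to match subdomains at any depth but not the apex x, an unpassed flag is assumed to be represented as None, and the lint() checks are review heuristics added here rather than something the sample says scrutineer performs.

```python
"""Executable model of the precedence and egress rules documented in
scrutineer.sample.yaml.  Added illustration, not scrutineer's own code;
details the sample leaves open are assumptions, marked inline."""
from urllib.parse import urlparse

# A few of the built-in egress entries the sample names.  The real list
# is longer (registries, advisory sources); these suffice for the demo.
BUILTIN_EGRESS = ["api.anthropic.com", "*.ecosyste.ms", "github.com",
                  "host.docker.internal"]
# Built-in model picker entries, as listed in the sample.
BUILTIN_MODELS = [{"name": "Sonnet", "id": "claude-sonnet-4-6"},
                  {"name": "Opus", "id": "claude-opus-4-7"}]
DEFAULT_SKILL_MAX_TURNS = 30


def merge(config: dict, flags: dict) -> dict:
    """Flags always win; only keys the user did NOT pass come from the file.
    Assumption: a flag the user did not pass arrives here as None."""
    merged = dict(config)
    merged.update({k: v for k, v in flags.items() if v is not None})
    return merged


def host_allowed(host: str, cfg: dict) -> bool:
    """Would the docker runner's egress proxy tunnel to host?  Patterns are
    the built-in list + egress_allow + the anthropic_base_url hostname.
    Assumption: "*.x" matches subdomains at any depth but not the apex x."""
    patterns = list(BUILTIN_EGRESS) + list(cfg.get("egress_allow", []))
    base = cfg.get("anthropic_base_url")
    if base:
        patterns.append(urlparse(base).hostname or "")
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if host.endswith(pat[1:]):   # pat[1:] is ".x", so apex x fails
                return True
        elif host == pat:
            return True
    return False


def resolve_model(cfg: dict, skill_model=None, scan_model=None) -> str:
    """Per-scan > per-skill (scrutineer.model) > default_model > first entry
    of models (the built-in list when models is left out)."""
    if scan_model:
        return scan_model
    if skill_model:
        return skill_model
    if cfg.get("default_model"):
        return cfg["default_model"]
    models = cfg.get("models") or BUILTIN_MODELS
    return models[0]["id"]


def resolve_max_turns(cfg: dict, skill_max_turns=None) -> int:
    """A skill's own cap wins.  Otherwise a non-zero global max_turns is the
    fallback, and 0 (the default) means the per-skill default of 30."""
    if skill_max_turns is not None:
        return skill_max_turns
    return cfg.get("max_turns", 0) or DEFAULT_SKILL_MAX_TURNS


def lint(cfg: dict) -> list:
    """Review warnings for a production config.  Added heuristics; the
    sample does not say scrutineer performs these checks itself."""
    out = []
    addr = cfg.get("addr", "127.0.0.1:8080")
    if addr.rsplit(":", 1)[0] in ("", "0.0.0.0", "::", "[::]"):
        out.append("addr: web UI + skill API bound on every interface")
    repo = cfg.get("skills_repo")
    if repo and "@" not in repo:
        out.append("skills_repo: not pinned with @ref")
    base = cfg.get("anthropic_base_url")
    if base and urlparse(base).scheme != "https":
        out.append("anthropic_base_url: scheme is not https")
    if any(p.strip() in ("*", "*.") for p in cfg.get("egress_allow", [])):
        out.append("egress_allow: bare '*' entry; list hosts or '*.domain'")
    return out


if __name__ == "__main__":
    sample = {"egress_allow": ["artifactory.internal", "*.mycorp.net"],
              "anthropic_base_url": "https://my-proxy.corp.com/v1",
              "skills_repo": "alpha-omega-security/scrutineer-skills@v0.3.1"}
    print(host_allowed("git.mycorp.net", sample), host_allowed("mycorp.net", sample))
    print(resolve_model(sample), resolve_max_turns(sample), lint(sample))
```

The apex exclusion in host_allowed is the conservative reading of "allow every subdomain"; if the real proxy also admits the apex, add a plain "mycorp.net" entry rather than relying on the wildcard.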