Configuring GuardRails

At GuardRails, we focus on security that doesn't get in your way. That means supporting a quick and easy installation, without any additional configuration.

Nonetheless, we understand that one size doesn't fit all. A great developer experience requires flexibility to configure GuardRails to your needs.

Config file

Location: .guardrails/config.yml

The defaults for your account or organization can be changed in the Settings tab of the dashboard; a config file committed to a repository applies to that repository.
By default, the config is:

enabled: true
bundles: "auto"
    findings: "onChangedLinesOnly"
    comment: true


enabled

Possible values: true (default) or false.

Use this property to temporarily disable GuardRails without having to uninstall the GitHub app.


bundles

Possible values: "auto" (default), or a list of bundles, optionally restricted to specific tools (see below).

Bundles are sets of tools we use to detect security issues in repositories.
Currently we have 7 bundles: javascript, ruby, solidity, go, php, python and general.

By default, we run the general bundle along with the bundle(s) matching the language(s) we detect in your repository. Language detection can miss some of the languages in a repository, so you can override the bundles attribute to list exactly what should run:

bundles:
  - javascript
  - solidity
  - general

You can go further and restrict which tools run within a bundle:

bundles:
  - javascript
  - solidity:
      - mythril
  - general

This runs the full JavaScript and General bundles, along with just the Mythril tool from the Solidity bundle (which by default runs both Mythril and Solhint). To learn more about the tools in each bundle, refer to the Tools section.

Here are all the bundles and the tools each one runs; any subset of this list is a valid bundles value:

bundles:
  - javascript:
      - eslint
      - npm-audit
      - retirejs
  - ruby:
      - brakeman
      - bundler-audit
      - rubocop
      - dawnscanner
  - python:
      - bandit
      - safety
  - go:
      - gosec
  - php:
      - phpcs-security-audit
      - security-checker
  - solidity:
      - mythril
      - solhint
  - general:
      - detect-secrets


findings

Possible values: onAllFiles, onChangedFilesOnly, or onChangedLinesOnly (default).

This attribute controls which findings GuardRails reports in your pull requests. By default, we only notify you of security issues detected in the lines that changed in your pull request (onChangedLinesOnly). onChangedFilesOnly widens this to every finding in the files the pull request touches, and onAllFiles reports every finding in the repository. Note that with the default, a pre-existing issue in a file you edit is not raised in the pull request unless your change touches the affected line, so use the dashboard for the full picture.


comment

Possible values: true (default) or false.

By default, we post a comment in your pull requests if we find any security issues. If you prefer to review the reports in our dashboard and want to disable the comments, set this attribute to false.
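A small validator for the options described in the sections above (enabled, bundles, findings and comment), added here as an example; it is not GuardRails' own code and is not how the service parses the file. It takes the Python objects that yaml.safe_load returns, encodes the bundles and tools listed above, and flags the mistakes that would otherwise pass silently: a misspelled tool, an unknown bundle, a findings value with a typo, or a misspelled key. Because the default config above indents findings and comment under a parent section whose name is not reproduced here, the validator accepts those two keys at any depth; that is an assumption of this example, not a statement about the real schema.

```python
"""Validate a parsed .guardrails/config.yml against the options documented above.

Added example, not GuardRails' own code. It works on the Python objects that
yaml.safe_load produces; the sample configs at the bottom are constructed
here to exercise the checks.
"""
from typing import Any, Dict, List

# Bundles and the tools each one contains, as listed on this page.
BUNDLES: Dict[str, List[str]] = {
    "javascript": ["eslint", "npm-audit", "retirejs"],
    "ruby": ["brakeman", "bundler-audit", "rubocop", "dawnscanner"],
    "python": ["bandit", "safety"],
    "go": ["gosec"],
    "php": ["phpcs-security-audit", "security-checker"],
    "solidity": ["mythril", "solhint"],
    "general": ["detect-secrets"],
}
FINDINGS_VALUES = ("onAllFiles", "onChangedFilesOnly", "onChangedLinesOnly")


def validate_bundles(value: Any) -> List[str]:
    """Check `bundles`: "auto", or a non-empty list whose items are a bundle
    name or a one-key mapping {bundle: [tool, ...]} restricting its tools."""
    if value == "auto":
        return []
    if not isinstance(value, list) or not value:
        return ['bundles must be "auto" or a non-empty list']
    errors: List[str] = []
    for item in value:
        if isinstance(item, str):
            if item not in BUNDLES:
                errors.append(f"unknown bundle {item!r}")
        elif isinstance(item, dict) and len(item) == 1:
            bundle, tools = next(iter(item.items()))
            if bundle not in BUNDLES:
                errors.append(f"unknown bundle {bundle!r}")
            elif not isinstance(tools, list) or not tools:
                errors.append(f"{bundle}: tool override must be a non-empty list")
            else:
                errors.extend(f"{bundle}: unknown tool {t!r}"
                              for t in tools if t not in BUNDLES[bundle])
        else:
            errors.append(f"malformed bundles entry {item!r}")
    return errors


def validate_config(config: Any) -> List[str]:
    """Return a list of problems; an empty list means the config is valid.

    `enabled` and `bundles` are checked at the top level. `findings` and
    `comment` are accepted at any depth because the default config on this
    page indents them under a parent section; that is a simplification made
    by this example, not a statement about GuardRails' schema.
    """
    if not isinstance(config, dict):
        return ["config must be a mapping"]
    errors: List[str] = []

    def walk(node: Dict[str, Any], path: List[str]) -> None:
        for key, value in node.items():
            dotted = ".".join(path + [str(key)])
            if key == "enabled" and not path:
                if not isinstance(value, bool):
                    errors.append("enabled must be true or false")
            elif key == "bundles" and not path:
                errors.extend(validate_bundles(value))
            elif key == "findings":
                if value not in FINDINGS_VALUES:
                    errors.append(f"{dotted} must be one of " + ", ".join(FINDINGS_VALUES))
            elif key == "comment":
                if not isinstance(value, bool):
                    errors.append(f"{dotted} must be true or false")
            elif isinstance(value, dict):
                walk(value, path + [str(key)])
            else:
                # A misspelled key would otherwise be ignored silently.
                errors.append(f"unknown key {dotted!r}")

    walk(config, [])
    return errors


# Constructed samples in the shape yaml.safe_load returns.
GOOD_CONFIG = {
    "enabled": True,
    "bundles": ["javascript", {"solidity": ["mythril"]}, "general"],
    "findings": "onChangedLinesOnly",
    "comment": True,
}
BAD_CONFIG = {
    "enabled": "true",                                              # quoted string, not a boolean
    "bundles": ["javascript", {"solidity": ["mythrill"]}, "rust"],  # misspelled tool, unknown bundle
    "findings": "onChangedLineOnly",                                # missing "s"
    "commnet": True,                                                # misspelled key
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_config(cfg) or "ok")
```

Run it against a real file with yaml.safe_load(open(".guardrails/config.yml")) in a pre-commit hook; the misspelled-key check is the one that pays off most, since a key such as "commnet" would otherwise leave the default in force without any warning.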

Ignore file

Location: .guardrails/ignore

The ignore file comes in handy when GuardRails alerts you on code you know is deliberately vulnerable (test fixtures, for example) or on false positives. The ignore file follows the gitignore pattern format; refer to the gitignore docs for the details. Keep patterns as narrow as possible: findings in an ignored path are never reported, so a broad pattern silently hides real issues. One example file is:


Ignore line

If you want to suppress findings on one line in particular, add guardrails-disable-line to that line, usually in a comment. Since the marker silences every finding on that line, treat new markers as something to look at during code review:

const mySecret = "e32kdjksw'(&dej+"; // guardrails-disable-line
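Putting the ignore file and the line marker together, here is an added example (not GuardRails' own code) that takes a list of findings and reports which ones the two mechanisms would suppress and why, so an ignore file can be reviewed before it is committed. It implements only a small subset of gitignore matching (comments, ! negation, a trailing / for directories, a leading / for root-anchored patterns, and * / ? wildcards via fnmatch), which is an approximation of the real rules; the ignore file, source lines and findings are constructed for the example.

```python
"""Audit which findings the ignore file and guardrails-disable-line would hide.

Added example, not GuardRails' own code. Gitignore matching is approximated
with a small subset of the rules; consult the gitignore docs for the full
semantics. The ignore file, sources and findings below are constructed.
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

DISABLE_MARKER = "guardrails-disable-line"
Rule = Tuple[str, bool]          # (pattern, negated)
Finding = Tuple[str, int, str]   # (repo-relative path, 1-based line, message)


def parse_ignore(text: str) -> List[Rule]:
    """Turn ignore-file text into (pattern, negated) rules, in file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            negated = line.startswith("!")
            rules.append((line[1:] if negated else line, negated))
    return rules


def _matches(pattern: str, path: str) -> bool:
    """Simplified gitignore match of one pattern against a POSIX path."""
    dir_only = pattern.endswith("/")
    anchored = pattern.startswith("/")
    pattern = pattern.strip("/")
    parts = path.split("/")
    # The file itself plus every directory above it; a pattern with a
    # trailing "/" may only match the directories.
    candidates = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    if dir_only:
        candidates = candidates[:-1]
    for cand in candidates:
        if anchored or "/" in pattern:
            if fnmatch.fnmatchcase(cand, pattern):  # whole path from the root
                return True
        elif fnmatch.fnmatchcase(cand.rsplit("/", 1)[-1], pattern):  # any depth
            return True
    return False


def ignored_by(path: str, rules: List[Rule]) -> Optional[str]:
    """Return the pattern that ignores `path`, or None if it is scanned.
    Later rules win, and a matching negated rule re-includes the path."""
    verdict: Optional[str] = None
    for pattern, negated in rules:
        if _matches(pattern, path):
            verdict = None if negated else pattern
    return verdict


def audit(findings: List[Finding], rules: List[Rule],
          sources: Dict[str, List[str]]):
    """Split findings into (reported, suppressed); each suppressed entry
    carries the ignore pattern or the line marker responsible, for review."""
    reported, suppressed = [], []
    for path, line_no, message in findings:
        pattern = ignored_by(path, rules)
        lines = sources.get(path, [])
        if pattern is not None:
            suppressed.append((path, line_no, message, pattern))
        elif 0 < line_no <= len(lines) and DISABLE_MARKER in lines[line_no - 1]:
            suppressed.append((path, line_no, message, DISABLE_MARKER))
        else:
            reported.append((path, line_no, message))
    return reported, suppressed


# Constructed inputs for the example.
IGNORE_FILE = """\
# example .guardrails/ignore
node_modules/
/test/fixtures/
*.min.js
!/test/fixtures/real-config.js
"""
SOURCES: Dict[str, List[str]] = {
    "src/auth.js": [
        'const apiKey = "example-key-not-real";',
        'const mySecret = "e32kdjksw\'(&dej+"; // guardrails-disable-line',
    ],
}
FINDINGS: List[Finding] = [
    ("src/auth.js", 1, "detect-secrets: possible API key"),
    ("src/auth.js", 2, "detect-secrets: high-entropy string"),
    ("test/fixtures/keys.pem", 1, "detect-secrets: private key"),
    ("test/fixtures/real-config.js", 1, "detect-secrets: possible token"),
    ("vendor/app.min.js", 1, "eslint: no-eval"),
    ("node_modules/dep/index.js", 3, "retirejs: vulnerable dependency"),
]

if __name__ == "__main__":
    shown, hidden = audit(FINDINGS, parse_ignore(IGNORE_FILE), SOURCES)
    for path, line_no, message, why in hidden:
        print(f"suppressed {path}:{line_no} ({message}) by {why}")
    print(f"{len(shown)} reported, {len(hidden)} suppressed")
```

The point of listing the reason next to each suppressed finding is that the two mechanisms fail differently: a pattern such as *.min.js also hides the eval in vendor/app.min.js, which may be exactly the code you wanted scanned, while the line marker only hides the one string it sits on. The negated rule shows how to carve a real config file back out of an ignored fixtures directory.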