Configuration

At GuardRails, we focus on security that doesn't get in your way. That means supporting a quick and easy installation, without any additional configuration.

Nonetheless, we understand that one size doesn't fit all. A great developer experience requires flexibility to configure GuardRails to your needs.

Configuration file

Location: .guardrails/config.yml

You can override the default configuration for your account/organization in the Settings tab of the dashboard. By default, the config is:

bundles: "auto"
report:
  pullRequest:
    findings: "onChangedLinesOnly"
    comment: true
notifications:
  slack:
    enabled: false
useGitClone: false

Bundles

Bundles are set of tools we use to detect security issues in repositories, typically grouped by programming language. Currently, we support the following bundles: javascript, ruby, solidity, go, php, python, java, c, elixir, terraform and general.

By default, we run the general bundle, along with the bundle(s) matching the language(s) we detect in your repository. It may happen that we don't detect (all) the language(s) of your repository. In that case you can override the bundles attribute to serve your needs:

bundles:
  - javascript
  - solidity
  - general

You can even go further by overriding the tools that run within a bundle:

bundles:
  - javascript
  - solidity:
      - mythx
  - general

This will run the full JavaScript and General bundle, along with just the Mythx tool from the Solidity bundle (which by default runs both Mythx and Solhint).

You can also exclude engines from being run. The below configuration would allow you to run all detected engines, but not run the Java engines dependency-check and spotbugs (it would still run semgrep), and completely avoid any PHP engines (including future engines that may be added).

bundles: "auto"
excludeBundles:
  - java:
    - dependency-check
    - spotbugs
  - php

To know more about the tools of a bundle, please refer to the Tools section.

Here are all the possibilities:

bundles:
  - apex:
      - pmd
  - c:
      - flawfinder
  - elixir:
      - sobelow
  - general:
      - detect-secrets
      - detect-gr-secrets
      - oss-index
  - go:
      - gosec
      - nancy
  - java:
      - spotbugs
      - dependency-check
  - javascript:
      - eslint
      - npm-audit
      - retirejs
      - NodeJsScan
  - kubernetes:
      - kubesec
  - mobile:
      - mobsf
  - php:
      - phpcs-security-audit
      - security-checker
  - python:
      - bandit
      - safety
  - ruby:
      - brakeman
      - bundler-audit
      - rubocop
  - rust:
      - cargo-audit
  - solidity:
      - mythx
      - solhint
  - terraform:
      - tfsec
  - typescript:
      - tslint-config-security

Reports

Pull Request

report.pullRequest.findings

Possible values: onAllFiles, onChangedFilesOnly, or onChangedLinesOnly (default).

This attribute enables you to control the behavior of GuardRails in your pull requests. Per default, we only notify you of security issues detected in the lines that changed in your pull requests (onChangedLinesOnly).

report.pullRequest.comment

Possible values: true (default) or false.

By default, we post a comment in your pull requests if we find any security issues. If you prefer to review the reports via our dashboard and want to disable the comments, set this attribute to false.

Notifications

Slack

In order to enable Slack notifications for GuardRails, you first have to set up incoming Webhooks for Slack. There are 6 steps to follow:

Create a (Slack app)[https://api.slack.com/apps/new] (if you don't already have one).
Enable Incoming Webhooks from the settings page.
After the settings page refreshes, click Add New Webhook to Workspace.
Pick a channel that the app will post to, then click Authorize.
Copy the value of the Incoming Webhook URL
Configure GuardRails:

notifications:
  slack:
    notify: whenScanHasFindingsOnly
    enabled: true
    webhookUrl: >-
      https://hooks.slack.com/services/XXXXXXXXX/YYYYYYYYY/xyxyxyxyxyxyxyxyxyxyxyxy

Configuration Values

notifications.slack.enabled

Possible values: true or false (default).

notifications.slack.notify

Possible values: onAllScans or whenScanHasFindingsOnly (default).

notifications.slack.webhookURL

A valid URL corresponding to a Slack Incoming Webhook.

Scanning with .git directory

By default scans are done on contents of a git repository without including .git directory itself. You can override this behavior with useGitClone.

Possible values: true or false (default).

Ignoring code

Ignoring files and folders

Location: .guardrails/ignore

The ignore file can come handy if you notice GuardRails is alerting you on some code you deliberately know is vulnerable, or causes false positives. The ignore file follows the gitignore file pattern. Refer to the gitignore docs for more details. One example file is:

tests/**/*

Ignore lines

If you want to disable one line in particular, you need to add guardrails-disable-line on the concerned line, usually as a comment.

const highEntropyStringThatIsNotASecret = "e32kdjksw'(&dej+"; // guardrails-disable-line

GuardRails

General

Apex

C/C++

Elixir

Go

Java

Javascript/TypeScript

Kubernetes

PHP

Python

Ruby

Rust

Solidity

Terraform