⚙️ Options

Scanner-specific configuration options

See Configuration for the complete configuration system (hierarchy, file discovery, merging).

Performance Options

Max Threads

Maximum number of threads to use for parallel scanning. Set to 0 to auto-detect based on CPU cores.

Default: 0 (auto-detect)

scanner:
  max_threads: 8

export GUARDY_SCAN_MAX_THREADS=8

Thread Percentage

Percentage of available CPU cores to use for scanning. Helps prevent resource exhaustion on busy systems.

Default: 70

scanner:
  thread_percentage: 70

export GUARDY_SCAN_THREAD_PCT=70

Max File Size

Maximum file size to scan in megabytes. Files larger than this will be skipped.

Default: 10 MB

scanner:
  max_file_size_mb: 5

export GUARDY_SCAN_MAX_SIZE=5

guardy scan --max-file-size 5

Minimum Files for Parallel

Minimum number of files required to trigger parallel processing. Below this threshold, scanning runs sequentially.

Default: 100

export GUARDY_SCAN_MIN_FILES_PARALLEL=100

scanner:
  min_files_for_parallel: 100

Stack Size

Stack size per thread in megabytes. Increase if scanning very large files causes stack overflow.

Default: 32 MB

export GUARDY_SCAN_STACK_SIZE_MB=32

scanner:
  stack_size_mb: 32

File Processing Options

Include Binary Files

Scan binary files in addition to text files. Binary scanning may produce false positives.

Default: false

guardy scan --include-binary

export GUARDY_SCAN_INCLUDE_BINARY=true

scanner:
  include_binary: true

Follow Symlinks

Follow symbolic links during directory traversal. Use with caution: circular symlinks can cause infinite loops.

Default: false

guardy scan --follow-symlinks

export GUARDY_SCAN_FOLLOW_SYMLINKS=true

scanner:
  follow_symlinks: true
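
A pre-flight check for the symlink caveat above, as an added example that is not part of Guardy: it lists links that point back at an ancestor directory (the circular case) and, going one step beyond the text, links that resolve outside the scan root. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def audit_symlinks(root):
    """Return (escaping, cyclic) symlink paths, relative to root."""
    root_real = os.path.realpath(root)
    escaping, cyclic = [], []
    # followlinks=False: inspect each link without traversing it.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        parent = os.path.realpath(dirpath)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            target = os.path.realpath(path)
            if os.path.commonpath([root_real, target]) != root_real:
                escaping.append(rel)  # resolves outside the scan root
            elif os.path.commonpath([target, parent]) == target:
                cyclic.append(rel)    # points at its own ancestor directory
    return sorted(escaping), sorted(cyclic)


def build_sample_tree(base):
    """Constructed sample: one ancestor loop, one escaping link, one benign."""
    root = os.path.join(base, "repo")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "src"))
    os.makedirs(os.path.join(root, "config"))
    os.makedirs(outside)
    os.symlink("..", os.path.join(root, "src", "loop"))          # loop
    os.symlink(outside, os.path.join(root, "config", "shared"))  # escapes
    os.symlink("src", os.path.join(root, "alias"))               # stays inside
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        escaping, cyclic = audit_symlinks(build_sample_tree(base))
        print("resolve outside scan root:", escaping)
        print("loop back to an ancestor: ", cyclic)
```
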

Ignore Test Code

Skip files and directories commonly used for tests (e.g., test/, tests/, __tests__/, *.test.js).

Default: true

export GUARDY_SCAN_IGNORE_TEST_CODE=true

scanner:
  ignore_test_code: true

Entropy Analysis

Enable Entropy Analysis

Use entropy-based detection to identify high-randomness strings that may be secrets. Disabling improves performance but reduces detection accuracy.

Default: true

# Disable entropy analysis
guardy scan --no-entropy

export GUARDY_SCAN_ENTROPY_ENABLED=true

scanner:
  enable_entropy_analysis: true

Entropy Threshold

Sensitivity threshold for entropy analysis. Lower values are more sensitive and produce more findings, including more false positives.

Default: 0.00001

guardy scan --entropy-threshold 0.0001

export GUARDY_SCAN_ENTROPY_THRESHOLD=0.0001

scanner:
  entropy_threshold: 0.0001

File Filtering

Include Patterns

Glob patterns for files to include in scanning. Only files matching these patterns will be scanned.

scanner:
  include:
    - "src/**/*.{js,ts,py,go}"
    - "config/*.{json,yaml}"

Exclude Patterns

Glob patterns for files and directories to exclude from scanning.

guardy scan --ignore-paths node_modules,target,dist

scanner:
  exclude:
    - "node_modules/**"
    - "target/**"
    - "dist/**"
    - "*.min.js"

Allowlisting

Allowlist Strings

Specific strings to ignore during scanning. Use for known safe values that trigger false positives.

scanner:
  allowlist:
    strings:
      - "example_api_key_for_testing"
      - "AKIA_EXAMPLE_KEY"

Allowlist Files

Files to completely exclude from scanning, even if they match include patterns.

scanner:
  allowlist:
    files:
      - "test/fixtures/secrets.txt"
      - "docs/api-examples.md"

Allowlist Patterns

Regex patterns to ignore, each with an optional reason for documentation.

scanner:
  allowlist:
    patterns:
      - regex: 'FAKE_[A-Z_]+'
        reason: "Test constants"
      - regex: 'EXAMPLE_.*_KEY'
        reason: "Documentation examples"
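
An allowlist regex that is too broad hides real findings. The check below is an added example, not Guardy code: it runs the two patterns above against constructed source lines and compares them with hypothetical tightened variants. It assumes patterns are applied as an unanchored search over the line, which this page does not specify.

```python
import re

# Allowlist patterns as written in the configuration above.
PAGE_PATTERNS = [r"FAKE_[A-Z_]+", r"EXAMPLE_.*_KEY"]
# Hypothetical tightened variants: word boundaries, no wildcard across tokens.
TIGHT_PATTERNS = [r"\bFAKE_[A-Z_]+\b", r"\bEXAMPLE_[A-Z0-9_]+_KEY\b"]

# Constructed source lines (no real credentials). True = meant to be ignored.
SAMPLE_LINES = [
    ('token = "FAKE_API_TOKEN"', True),
    ('key: EXAMPLE_STRIPE_KEY', True),
    # Substring hit: FAKE_ appears inside a longer identifier.
    ('auth = NOT_FAKE_PROD_TOKEN', False),
    # Greedy ".*" spans from EXAMPLE_ to an unrelated _KEY later in the line.
    ('EXAMPLE_URL = "https://example.test"; DB_PASS = "constructed-01"  # PROD_KEY',
     False),
]


def suppressed(line, patterns):
    """True if any pattern matches anywhere in the line (assumed semantics)."""
    return any(re.search(p, line) for p in patterns)


def wrongly_suppressed(patterns, samples=SAMPLE_LINES):
    """Lines the allowlist hides although they were not meant to be ignored."""
    return [line for line, intended in samples
            if not intended and suppressed(line, patterns)]


def missed_intended(patterns, samples=SAMPLE_LINES):
    """Intended placeholders the allowlist no longer covers (too tight)."""
    return [line for line, intended in samples
            if intended and not suppressed(line, patterns)]


if __name__ == "__main__":
    for label, pats in (("page", PAGE_PATTERNS), ("tight", TIGHT_PATTERNS)):
        print(label, "wrongly suppressed:", wrongly_suppressed(pats))
        print(label, "missed intended:   ", missed_intended(pats))
```
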

Display Options

Show Findings

Show detailed finding information including file path, line number, and match details.

Default: false

guardy scan --show

export GUARDY_SCAN_SHOW=true

scanner:
  show: true

Show Sensitive Data

Display actual secret values in output. Use with extreme caution: enable only in secure environments.

Default: false

guardy scan --sensitive

export GUARDY_SCAN_SENSITIVE=true

scanner:
  sensitive: true

TTY Progress

Enable terminal progress bars and live updates. Disable when running in CI/CD or non-interactive environments.

Default: true

guardy scan --tty=false

export GUARDY_SCAN_TTY=false

scanner:
  tty: false

Output Formats

Report Generation

Generate scan reports in specified formats. Supports JSON, SARIF, and other formats.

# Single report
guardy scan --report results.json

# Multiple reports
guardy scan --report results.json,report.sarif

scanner:
  report: "results.json"

Output Format

Set output format for terminal display. Available formats: text, json, sarif.

Default: text

guardy scan --format json

Scan Mode

Processing mode that determines how files are scanned.

Options:

  • auto - Automatically choose based on file count (default)
  • parallel - Force parallel processing
  • sequential - Force sequential processing

Default: auto

guardy scan --mode parallel

scanner:
  mode: auto  # auto, parallel, sequential

Complete Example

scanner:
  # Performance
  max_threads: 0  # auto-detect
  thread_percentage: 70
  max_file_size_mb: 10
  min_files_for_parallel: 100
  stack_size_mb: 32

  # File processing
  include_binary: false
  follow_symlinks: false
  ignore_test_code: true

  # Entropy analysis
  enable_entropy_analysis: true
  entropy_threshold: 0.00001

  # File filtering
  include:
    - "src/**/*.{js,ts,py,go}"
    - "config/*.{json,yaml}"

  exclude:
    - "node_modules/**"
    - "target/**"
    - "dist/**"
    - "*.min.js"

  # Allowlisting
  allowlist:
    strings:
      - "example_api_key_for_testing"

    files:
      - "test/fixtures/secrets.txt"

    patterns:
      - regex: 'FAKE_[A-Z_]+'
        reason: "Test constants"

  # Display
  show: false
  sensitive: false
  tty: true