Environment Variables
VaultGuard reads environment variables as one layer in the configuration priority chain. Environment variables override config file values but are overridden by CLI flags.
Best for CI/CD
Environment variables are the preferred way to configure VaultGuard in CI pipelines. Set them at the job or workflow level to avoid hardcoding flags in every scan command. Because a variable applies to every step in its scope, keep detection-disabling switches such as VAULTGUARD_NO_SECRETS scoped to the one job that needs them rather than the whole workflow, so a single exclusion does not silently weaken every other scan.
Scan Variables
| Variable | Type | Default | Description |
|---|---|---|---|
| VAULTGUARD_VERBOSE | u8 | 0 | Verbosity level: 1 = info, 2 = debug, 3 = trace. Equivalent to -v, -vv, -vvv. |
| VAULTGUARD_FORMAT | human \| json \| sarif | human | Output format for scan results. |
| VAULTGUARD_NO_SECRETS | bool | false | Disable secret detection. Set to true, 1, or yes to disable. |
| VAULTGUARD_NO_CVE | bool | false | Disable CVE detection. |
| VAULTGUARD_NO_MISCONFIG | bool | false | Disable misconfiguration detection. |
| VAULTGUARD_QUALITY | bool | false | Enable code quality checks. |
| VAULTGUARD_INTEGRITY | bool | false | Enable integrity verification (lockfile vs installed packages). |
| VAULTGUARD_TYPOSQUAT | bool | false | Enable typosquatting detection for dependencies. |
| VAULTGUARD_ENTROPY_THRESHOLD | f64 | 5.5 | Entropy threshold for secret detection. Lower values catch more potential secrets but increase false positives. |
| VAULTGUARD_BASELINE | path | none | Path to a baseline file for differential scanning. Only findings not in the baseline are reported. |
| VAULTGUARD_MIN_SEVERITY | critical \| high \| medium \| low \| info | none | Minimum severity threshold. Findings below this level are dropped. |
| VAULTGUARD_MIN_CONFIDENCE | f64 (0.0-1.0) | none | Minimum confidence threshold. Findings with a confidence score below this value are dropped. |
| VAULTGUARD_DISABLE_PROVIDER | comma-separated list | none | Disable specific detection providers, e.g. aws,github,entropy. See supported providers. |
Display Variables
| Variable | Type | Default | Description |
|---|---|---|---|
| NO_COLOR | any | unset | Disable colored terminal output. Any non-empty value activates this. Follows the NO_COLOR convention. |
Usage Examples
Shell export

```bash
export VAULTGUARD_MIN_SEVERITY=high
export VAULTGUARD_NO_CVE=true
vaultguard scan
```

Inline per-command

```bash
VAULTGUARD_FORMAT=json vaultguard scan ./src
```

CI/CD environment

```yaml
# GitHub Actions
env:
  VAULTGUARD_MIN_SEVERITY: high
  VAULTGUARD_DISABLE_PROVIDER: entropy,generic
  VAULTGUARD_FORMAT: sarif
steps:
  - run: vaultguard scan -o results.sarif
```

Docker

```bash
docker run --rm \
  -e VAULTGUARD_MIN_SEVERITY=medium \
  -e NO_COLOR=1 \
  -v "$(pwd)":/workspace \
  vaultguard scan /workspace
```

Boolean Parsing
Boolean environment variables accept the following truthy values (case-insensitive):
- true
- 1
- yes

All other values are treated as false, including empty strings and spellings the parser does not recognise, such as on, y, or enabled.
Empty strings are falsy
Setting VAULTGUARD_NO_SECRETS="" does not disable secret detection. Use true, 1, or yes as the value.
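The parsing rules above, as an added example rather than VaultGuard's own code: a POSIX shell function (the names vg_bool and vg_bool_describe are assumptions) that applies the documented truthiness test to a set of constructed sample values, including the empty-string pitfall and a few spellings a CI author might reach for that the rules reject.

```shell
# Added example reproducing VaultGuard's documented boolean parsing.
# Illustrative only; not the project's implementation. Function names are assumed.
# Returns 0 (true) for true/1/yes in any letter case, 1 (false) for anything
# else, including an unset or empty value.
vg_bool() {
    # Lower-case the value so TRUE, Yes, etc. are accepted (case-insensitive rule).
    _v=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$_v" in
        true|1|yes) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print "true" or "false" for a given value, the way VaultGuard would read it.
vg_bool_describe() {
    if vg_bool "$1"; then echo true; else echo false; fi
}

# Constructed sample values: the three documented truthy spellings in mixed
# case, the empty-string pitfall, and common alternatives that are NOT accepted.
for v in true TRUE 1 Yes yes "" 0 on y enabled; do
    printf 'VAULTGUARD_NO_SECRETS=%-9s -> %s\n' "'$v'" "$(vg_bool_describe "$v")"
done
```

Only the three listed spellings toggle the feature; `VAULTGUARD_NO_SECRETS=on` or `=y` leaves secret detection enabled, which is the safe failure direction for a disabling switch but a surprising one for the enabling switches such as VAULTGUARD_TYPOSQUAT.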
Precedence
Environment variables sit in the middle of the configuration priority chain:
- CLI flags (highest)
- Environment variables
- Project config (.vaultguard.toml)
- User config (~/.vaultguard/config.toml)
- Built-in defaults (lowest)
A CLI flag always wins. If you set VAULTGUARD_MIN_SEVERITY=high but pass --min-severity medium on the command line, medium is used.
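To make the chain concrete, here is an added example in POSIX shell that resolves min_severity through all five layers. It is not VaultGuard's resolver. Assumptions: the function names vg_toml_get and vg_resolve_min_severity, that both config files carry a top-level key spelled min_severity, and that the default when nothing sets it is none, as the table states. The sample TOML files are constructed in a temporary directory for the demonstration.

```shell
# Added example: resolve one setting through the documented priority chain
#   CLI flag > env var > project config > user config > built-in default.
# Illustrative only; not VaultGuard's own code. Key name and default assumed.

# Read a quoted TOML string value (key = "value") from a file.
# Prints nothing if the file or the key is absent.
vg_toml_get() {  # $1 = key, $2 = file
    [ -f "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# $1 = value passed to --min-severity (empty when the flag was not given)
# $2 = project config path, $3 = user config path
# The environment variable VAULTGUARD_MIN_SEVERITY is read from the caller's shell.
vg_resolve_min_severity() {
    if [ -n "$1" ]; then echo "$1"; return; fi                          # 1. CLI flag
    if [ -n "${VAULTGUARD_MIN_SEVERITY:-}" ]; then
        echo "$VAULTGUARD_MIN_SEVERITY"; return                          # 2. env var
    fi
    v=$(vg_toml_get min_severity "$2"); if [ -n "$v" ]; then echo "$v"; return; fi  # 3. project
    v=$(vg_toml_get min_severity "$3"); if [ -n "$v" ]; then echo "$v"; return; fi  # 4. user
    echo none                                                            # 5. default
}

# Constructed sample configs (not real project files).
tmp=$(mktemp -d)
printf 'min_severity = "low"\n'  > "$tmp/project.toml"
printf 'min_severity = "info"\n' > "$tmp/user.toml"

# Walk the chain from the bottom up; each line adds one higher layer.
vg_resolve_min_severity "" "$tmp/none.toml"    "$tmp/none.toml"   # none   (defaults only)
vg_resolve_min_severity "" "$tmp/none.toml"    "$tmp/user.toml"   # info   (user config)
vg_resolve_min_severity "" "$tmp/project.toml" "$tmp/user.toml"   # low    (project beats user)
(VAULTGUARD_MIN_SEVERITY=high; vg_resolve_min_severity ""     "$tmp/project.toml" "$tmp/user.toml")  # high   (env beats files)
(VAULTGUARD_MIN_SEVERITY=high; vg_resolve_min_severity medium "$tmp/project.toml" "$tmp/user.toml")  # medium (flag beats env)
rm -rf "$tmp"
```

The last two lines are the case the paragraph describes: with VAULTGUARD_MIN_SEVERITY=high in the environment, passing --min-severity medium yields medium. The subshells keep the variable from leaking between demonstration calls.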