
Configuration

Dashboard defaults, repo overrides, frozen snapshots. Configure once, override per-repo when needed, and trust that mid-run edits never touch the active scan.

How configuration is resolved

At trigger time, Infiniview merges your dashboard defaults with the repo’s .infiniview.yml, then freezes the result for the run. Repo config wins for overlapping fields.

  1. Read the user’s saved dashboard configuration as the base.
  2. If .infiniview.yml exists at repo root, deep-merge it on top.
  3. Persist the merged snapshot on the scan run — that snapshot governs the active scan.

Frozen snapshot
Editing dashboard or repo config mid-run only affects future scans. The active run keeps the snapshot it was launched with.

Dashboard configuration

Lives under Security. Controls which scanners and runtime agents run, the severity threshold, exclusion lists, and the runtime budget.

Setting | What it controls
Enabled / disabled scanners | Which static, dependency, secret, and IaC scanners run.
Severity threshold | Minimum severity persisted to findings (low / medium / high / critical).
Exclude paths | Glob patterns suppressed before scanners process files.
Exclude rules | Specific rule IDs ignored across enabled scanners.
Runtime agents | Which agents run during sandbox execution. See Scanners & agents.
Max plans | Cap on planning iterations per agent.
Wall-clock / per-agent timeout | Hard time budget for the run and for each agent.
Evidence detail | How much replay context is persisted per finding (summary or full).

GET /api/scan-config
PUT /api/scan-config         # update dashboard defaults
GET /api/settings
PUT /api/settings

Repo configuration (.infiniview.yml)

Add .infiniview.yml at the repo root for security scanner, threshold, exclusion, runtime-agent, timeout, plan, and evidence-detail overrides. Repo config wins for overlapping fields.

version: 1

security:
  scanners:
    enabled:
      - semgrep
      - trivy
      - gitleaks
    disabled:
      - bandit
    semgrep:
      custom_rules: "security/rules"

  severity_threshold: medium
  exclude_paths:
    - "test/**"
    - "docs/**"
  exclude_rules:
    - "generic.secrets.security.detected-generic-secret"

  runtime:
    enabled_agents:
      - api-fuzzer
      - injection-tester
      - auth-attacker
    max_plans: 20
    wall_clock_timeout: 600000
    per_agent_timeout: 300000
    evidence_detail: summary

Repo secrets

Configure encrypted secrets under Settings > Environment Secrets (or persist new env vars from the scan launcher). Values are encrypted at rest and decrypted server-side only when injected into the sandbox at scan time.

GET    /api/repo-secrets
POST   /api/repo-secrets
DELETE /api/repo-secrets/{id}

Validating .infiniview.yml

Use the validation endpoint to check a repo config before it’s committed. The endpoint returns parse errors, unknown keys, and any threshold or scanner-name violations.

POST /api/validate-infiniview-yml
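The resolution steps described earlier (dashboard base, deep-merge of .infiniview.yml on top, frozen snapshot) and the validation checks just listed, as an added Python example that is not Infiniview's own code. The dashboard defaults and the repo override are constructed from this page's YAML sample; that the dashboard config shares the YAML's key layout, and that the four scanner names on the page are the accepted set, are assumptions.

```python
import copy
SEVERITIES = ("low", "medium", "high", "critical")
# Scanner names taken from this page's YAML sample; assumed to be the accepted set.
KNOWN_SCANNERS = {"semgrep", "trivy", "gitleaks", "bandit"}
SECURITY_KEYS = {"scanners", "severity_threshold", "exclude_paths", "exclude_rules", "runtime"}
# Constructed dashboard defaults; that they share .infiniview.yml's key layout is an assumption.
DASHBOARD_DEFAULTS = {
    "security": {
        "scanners": {"enabled": ["semgrep", "bandit"], "disabled": []},
        "severity_threshold": "low",
        "runtime": {"max_plans": 10, "wall_clock_timeout": 900000, "evidence_detail": "full"},
    },
}

# Constructed repo override, a subset of the page's .infiniview.yml sample.
REPO_CONFIG = {
    "security": {
        "scanners": {"enabled": ["semgrep", "trivy"], "disabled": ["bandit"]},
        "severity_threshold": "medium",
        "exclude_paths": ["test/**", "docs/**"],
        "runtime": {"max_plans": 20, "evidence_detail": "summary"},
    },
}

def deep_merge(base, override):
    """Recursively merge nested dicts; for any other value the override (repo) wins."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)  # lists replace; they do not concatenate
    return merged

def validate(cfg):
    """Checks in the spirit of the validation endpoint: unknown keys, threshold, scanner names."""
    sec = cfg.get("security", {})
    errors = [f"unknown key: security.{k}" for k in sec if k not in SECURITY_KEYS]
    if sec.get("severity_threshold") not in SEVERITIES:
        errors.append(f"bad severity_threshold: {sec.get('severity_threshold')!r}")
    scanners = sec.get("scanners", {})
    for name in scanners.get("enabled", []) + scanners.get("disabled", []):
        if name not in KNOWN_SCANNERS:
            errors.append(f"unknown scanner: {name}")
    return errors

def resolve_for_run(dashboard, repo):
    """Steps 1-3 from the page: base, deep-merge repo on top, freeze an independent snapshot."""
    return deep_merge(dashboard, repo)  # deep copies throughout, so later edits cannot reach it
```

Editing DASHBOARD_DEFAULTS or REPO_CONFIG after resolve_for_run returns leaves the returned snapshot unchanged, which is the frozen-snapshot behaviour the page describes.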