Configuration
Dashboard defaults, repo overrides, frozen snapshots. Configure once, override per-repo when needed, and trust that mid-run edits never touch the active scan.
How configuration is resolved
At trigger time, Infiniview merges your dashboard defaults with the repo’s .infiniview.yml, then freezes the result onto the run. Repo config wins for overlapping fields.
- Read the user's saved dashboard configuration as the base.
- If .infiniview.yml exists at the repo root, deep-merge it on top.
- Persist the merged snapshot on the scan run; that snapshot governs the active scan.
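The resolution steps above, as an added example (not Infiniview's own code): a dashboard default and a repo-level `.infiniview.yml` are deep-merged with the repo winning, and the result is frozen so a mid-run dashboard edit cannot reach the active scan. The merge semantics (nested dicts merge key by key, lists and scalars from the repo replace the dashboard value) and the shape of the dashboard dictionary are assumptions; the page only states "deep-merge" with repo config winning for overlapping fields.

```python
"""Added example, not Infiniview's own code: resolve and freeze a scan config.

Assumptions: the dashboard defaults are available as a dict shaped like the
parsed .infiniview.yml, and "deep-merge" means nested dicts merge recursively
while lists and scalars from the repo file replace the dashboard value.
"""
import copy
from types import MappingProxyType


def deep_merge(base, override):
    """Return a new dict with `override` layered on top of `base`.

    Nested dicts are merged key by key; any other value (lists, scalars)
    in `override` replaces the one in `base`. Neither input is modified.
    """
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def freeze(obj):
    """Recursively wrap dicts in read-only views and lists in tuples so the
    snapshot persisted on the scan run cannot be mutated after trigger."""
    if isinstance(obj, dict):
        return MappingProxyType({k: freeze(v) for k, v in obj.items()})
    if isinstance(obj, list):
        return tuple(freeze(v) for v in obj)
    return obj


def resolve_scan_config(dashboard_defaults, repo_config=None):
    """Trigger-time resolution: dashboard defaults as the base, the repo's
    .infiniview.yml (if present) deep-merged on top, result frozen."""
    merged = deep_merge(dashboard_defaults, repo_config or {})
    return freeze(merged)


# Constructed sample inputs (not real account data).
DASHBOARD = {
    "security": {
        "scanners": {"enabled": ["semgrep", "bandit"], "disabled": []},
        "severity_threshold": "high",
        "exclude_paths": ["vendor/**"],
        "runtime": {"max_plans": 20, "wall_clock_timeout": 600000},
    }
}
REPO_YML = {  # the parsed form of a repo's .infiniview.yml
    "version": 1,
    "security": {
        "scanners": {"enabled": ["semgrep", "trivy", "gitleaks"]},
        "severity_threshold": "medium",
        "runtime": {"per_agent_timeout": 300000},
    },
}

if __name__ == "__main__":
    snapshot = resolve_scan_config(DASHBOARD, REPO_YML)
    # Repo wins for overlapping fields; untouched dashboard fields survive.
    print(snapshot["security"]["severity_threshold"])   # medium
    print(snapshot["security"]["exclude_paths"])        # ('vendor/**',)
    print(dict(snapshot["security"]["runtime"]))
    # A dashboard edit after trigger does not reach the frozen snapshot.
    DASHBOARD["security"]["severity_threshold"] = "critical"
    print(snapshot["security"]["severity_threshold"])   # still medium
```

The read-only views are what make "frozen" meaningful in-process: any code path that later tries to assign into the snapshot fails with `TypeError` instead of silently changing what the running scan sees.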
Dashboard configuration
Lives under Security. Controls which scanners and runtime agents run, the severity threshold, exclusion lists, and the time and plan budgets.
| Setting | What it controls |
|---|---|
| Enabled / disabled scanners | Which static, dependency, secret, and IaC scanners run. See Scanners for the full list and which are default-enabled. |
| Severity threshold | Minimum severity persisted to findings. One of critical, high, medium, low, info. |
| Exclude paths | Glob patterns suppressed before scanners process files. |
| Exclude rules | Specific rule IDs ignored across enabled scanners. |
| Runtime agents | Which runtime agents run during sandbox execution. The dashboard lists the agents available to your account. |
| Max plans | Cap on planning iterations per agent. Range 1–100. |
| Wall-clock timeout | Hard time budget for the run. Range 60–3600 seconds. |
| Per-agent timeout | Hard time budget per runtime agent. Range 10–600 seconds. |
| Evidence detail | How much replay context is persisted per finding. summary (default) or full. |
```
GET /api/scan-config   # current saved configuration
PUT /api/scan-config   # update dashboard defaults
GET /api/settings      # automation preferences (see GitHub & Settings)
PUT /api/settings
```
Value ranges
The dashboard accepts wall-clock and per-agent timeouts in seconds. .infiniview.yml uses milliseconds. The same numeric ranges apply on both sides:
| Field | API (seconds) | YAML (milliseconds) |
|---|---|---|
| wall_clock_timeout | 60–3600 | 60000–3600000 |
| per_agent_timeout | 10–600 | 10000–600000 |
Repo configuration (.infiniview.yml)
Add .infiniview.yml at the repo root for scanner, threshold, exclusion, runtime-agent, timeout, plan, and evidence-detail overrides. Repo config wins for overlapping fields. Unknown or retired scanner IDs are auto-reconciled against the current scanner manifest at trigger time.
```yaml
version: 1
security:
  scanners:
    enabled:
      - semgrep
      - trivy
      - gitleaks
    disabled:
      - bandit
  semgrep:
    custom_rules: "security/rules"
  severity_threshold: medium   # critical | high | medium | low | info
  exclude_paths:
    - "test/**"
    - "docs/**"
  exclude_rules:
    - "generic.secrets.security.detected-generic-secret"
  runtime:
    enabled_agents: []         # see Security configuration in the dashboard
    max_plans: 20              # 1–100
    wall_clock_timeout: 600000 # ms; equivalent to 600s. YAML range: 60000–3600000 (API: 60–3600 s)
    per_agent_timeout: 300000  # ms; equivalent to 300s. YAML range: 10000–600000 (API: 10–600 s)
  evidence_detail: summary     # summary | full
```
Repo secrets
Configure encrypted secrets under Settings > Environment Secrets, or persist new env vars from the scan launcher. Values are encrypted at rest with AES-256-GCM and decrypted server-side only when injected into the sandbox at scan time. Listing endpoints return key names and metadata only — values are masked.
```
GET    /api/repo-secrets
POST   /api/repo-secrets   # { repoFullName, key, value }
DELETE /api/repo-secrets   # { id }
```
Validating .infiniview.yml
The validation endpoint is unauthenticated, so you can call it from CI before committing. It returns parse errors, unknown keys, and any threshold or scanner-name violations.
```
POST /api/validate-infiniview-yml
Content-Type: application/json

{ "yaml": "version: 1\n…" }   # → { "valid": true, "errors": [] }
```
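The checks the validation endpoint is described as performing (parse errors, unknown keys, threshold and scanner-name violations), together with the value ranges from the table above, as an added example that is not Infiniview's own validator. It operates on the parsed form of a `.infiniview.yml` (YAML parsing is left to a library such as PyYAML so the example has no dependencies); the scanner manifest, the set of known keys and the `{"valid", "errors"}` response shape are assumptions modelled on the page's sample file and sample response.

```python
"""Added example, not Infiniview's own code: local pre-commit checks for a
parsed .infiniview.yml, mirroring what the page says the validation endpoint
reports. SCANNER_MANIFEST and KNOWN_KEYS are assumed; see the Scanners page
for the real list."""

SEVERITIES = ("critical", "high", "medium", "low", "info")
EVIDENCE_DETAIL = ("summary", "full")
SCANNER_MANIFEST = {"semgrep", "trivy", "gitleaks", "bandit"}   # assumed
KNOWN_KEYS = {                                                  # assumed schema
    "": {"version", "security"},
    "security": {"scanners", "semgrep", "severity_threshold", "exclude_paths",
                 "exclude_rules", "runtime", "evidence_detail"},
    "security.scanners": {"enabled", "disabled"},
    "security.semgrep": {"custom_rules"},
    "security.runtime": {"enabled_agents", "max_plans",
                         "wall_clock_timeout", "per_agent_timeout"},
}
# Documented ranges: YAML timeouts are milliseconds, max_plans is 1–100.
RANGES = {
    "security.runtime.wall_clock_timeout": (60000, 3600000),
    "security.runtime.per_agent_timeout": (10000, 600000),
    "security.runtime.max_plans": (1, 100),
}


def _unknown_keys(node, path, errors):
    """Recursively flag keys that are not in the assumed schema."""
    allowed = KNOWN_KEYS.get(path)
    if allowed is None or not isinstance(node, dict):
        return
    for key, value in node.items():
        child = f"{path}.{key}" if path else key
        if key not in allowed:
            errors.append(f"unknown key: {child}")
        else:
            _unknown_keys(value, child, errors)


def _lookup(config, dotted):
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def validate_infiniview_yml(config):
    """Return {"valid": bool, "errors": [...]} like the endpoint's response."""
    if not isinstance(config, dict):
        return {"valid": False, "errors": ["parse error: top level must be a mapping"]}
    errors = []
    if config.get("version") != 1:
        errors.append("version must be 1")
    _unknown_keys(config, "", errors)

    sec = config.get("security") or {}
    thr = sec.get("severity_threshold")
    if thr is not None and thr not in SEVERITIES:
        errors.append(f"severity_threshold must be one of {', '.join(SEVERITIES)}: got {thr!r}")
    ev = sec.get("evidence_detail")
    if ev is not None and ev not in EVIDENCE_DETAIL:
        errors.append(f"evidence_detail must be summary or full: got {ev!r}")
    for group in ("enabled", "disabled"):
        for name in (sec.get("scanners") or {}).get(group) or []:
            if name not in SCANNER_MANIFEST:
                errors.append(f"unknown scanner in scanners.{group}: {name}")
    for dotted, (lo, hi) in RANGES.items():
        value = _lookup(config, dotted)
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
            errors.append(f"{dotted} must be an integer in {lo}–{hi}: got {value!r}")
    return {"valid": not errors, "errors": errors}


def yaml_timeouts_to_api_seconds(config):
    """Convert the repo file's millisecond timeouts to the dashboard API's seconds."""
    runtime = (config.get("security") or {}).get("runtime") or {}
    return {k: runtime[k] // 1000
            for k in ("wall_clock_timeout", "per_agent_timeout") if k in runtime}


# Constructed samples: the page's example file, and a file with typical mistakes
# (seconds written where milliseconds are expected, a misspelled threshold,
# an unknown scanner ID and an unknown key).
GOOD_CONFIG = {
    "version": 1,
    "security": {
        "scanners": {"enabled": ["semgrep", "trivy", "gitleaks"], "disabled": ["bandit"]},
        "semgrep": {"custom_rules": "security/rules"},
        "severity_threshold": "medium",
        "exclude_paths": ["test/**", "docs/**"],
        "exclude_rules": ["generic.secrets.security.detected-generic-secret"],
        "runtime": {"enabled_agents": [], "max_plans": 20,
                    "wall_clock_timeout": 600000, "per_agent_timeout": 300000},
        "evidence_detail": "summary",
    },
}
BAD_CONFIG = {
    "version": 1,
    "security": {"severity_threshold": "severe", "scanners": {"enabled": ["foo"]},
                 "runtime": {"wall_clock_timeout": 600}, "timeout": 5},
}

if __name__ == "__main__":
    print(validate_infiniview_yml(GOOD_CONFIG))   # {'valid': True, 'errors': []}
    for err in validate_infiniview_yml(BAD_CONFIG)["errors"]:
        print("-", err)
```

The range check rejects `wall_clock_timeout: 600`, the most likely slip when copying a value from the dashboard (seconds) into the repo file (milliseconds); `yaml_timeouts_to_api_seconds` shows the conversion in the other direction.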