Configuration: .bedefended.yml
The .bedefended.yml file configures SAST scanning, AI analysis, quality gates, and PR integration. Place it in the root of your repository.
If no config file is found, sensible defaults are used.
Full Configuration Reference
```yaml
version: 1

# Languages to analyze (auto-detect if omitted)
languages:
  - python
  - javascript
  - go

# Files/directories to exclude from scanning
exclude:
  - "vendor/**"
  - "node_modules/**"
  - "**/*.test.*"
  - "**/*.spec.*"
  - "migrations/**"
  - "docs/**"
  - ".git/**"

# SAST tool configuration
sast:
  semgrep:
    config: "p/owasp-top-ten"          # Ruleset (default: auto)
    severity: ["ERROR", "WARNING"]     # Semgrep severity levels to include
  gitleaks:
    enabled: true                      # Enable/disable secret scanning
    config: ".gitleaks.toml"           # Custom gitleaks rules (optional)
  trivy:
    severity: "CRITICAL,HIGH"          # CVE severity filter
    ignore-unfixed: true               # Skip vulnerabilities without a fix

# AI analysis (requires Professional tier or above)
ai:
  enabled: true
  focus:                               # Vulnerability categories to prioritize
    - injection
    - auth
    - secrets
    - crypto
  max-files-per-review: 100            # Limit files sent to AI per review

# Quality gate — determines pass/fail
quality-gate:
  preset: "standard"                   # strict | standard | permissive | custom
  max-critical: 0                      # Max allowed (override preset)
  max-high: 0
  max-medium: 5
  max-low: -1                          # -1 = unlimited
  min-confidence: "likely"             # confirmed | likely | possible
  new-findings-only: true              # Only fail on new findings (not pre-existing)
  ignore-paths:                        # Exclude findings in these paths
    - "tests/**"
    - "vendor/**"
    - "*.test.js"

# PR integration
pr:
  comments: true                       # Post inline PR comments
  summary: true                        # Post summary comment
  sarif-upload: true                   # Upload to GitHub Security tab
  collapse-details: true               # Use <details> for verbose findings

# Cross-reference with pentest (optional)
pentest:
  engagement-ref: "acme-webapp-2026"   # Engagement name on dashboard
  auto-crossref: true                  # Automatically link findings
```
Quality Gate Presets
Three built-in presets determine when a build should fail:
| Preset | Fail On | Min Confidence | Use Case |
|---|---|---|---|
| strict | Any Medium or above | confirmed only | Production branches, compliance-critical repos |
| standard | Any High or above | confirmed + likely | Default for most teams |
| permissive | Any Critical | confirmed only | Legacy repos, gradual adoption |
Custom Thresholds
Override preset values with specific limits:
```yaml
quality-gate:
  preset: "custom"
  max-critical: 0          # Zero tolerance for critical
  max-high: 2              # Allow up to 2 high findings
  max-medium: -1           # Unlimited medium
  max-low: -1              # Unlimited low
  min-confidence: "likely"
```
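As an added illustration of how the quality-gate keys combine (this is not the product's own code), the following Python evaluator applies a preset, the custom max-* overrides from the block above, min-confidence, new-findings-only and ignore-paths to a list of findings. The preset thresholds (taken from the presets table), the severity and confidence orderings, the "custom falls back to standard before overrides" rule, and the use of fnmatch-style globs for ignore-paths are assumptions about the documented semantics.

```python
from fnmatch import fnmatchcase

SEVERITIES = ["critical", "high", "medium", "low"]
CONFIDENCE_RANK = {"confirmed": 3, "likely": 2, "possible": 1}

# Built-in presets; thresholds are assumed from the presets table.
PRESETS = {
    "strict":     {"max-critical": 0, "max-high": 0, "max-medium": 0, "max-low": -1, "min-confidence": "confirmed"},
    "standard":   {"max-critical": 0, "max-high": 0, "max-medium": -1, "max-low": -1, "min-confidence": "likely"},
    "permissive": {"max-critical": 0, "max-high": -1, "max-medium": -1, "max-low": -1, "min-confidence": "confirmed"},
}

def effective_gate(gate):
    """Start from the named preset (custom is assumed to start from standard), then apply overrides."""
    merged = dict(PRESETS.get(gate.get("preset", "standard"), PRESETS["standard"]))
    merged.update({k: v for k, v in gate.items() if k in merged})
    merged["new-findings-only"] = gate.get("new-findings-only", False)
    merged["ignore-paths"] = gate.get("ignore-paths", [])
    return merged

def evaluate(gate, findings):
    """Return (passed, counts by severity). A finding counts only if it meets min-confidence, is not
    pre-existing when new-findings-only is set, and matches no ignore-paths glob; -1 means unlimited."""
    g = effective_gate(gate)
    min_rank = CONFIDENCE_RANK[g["min-confidence"]]
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        if CONFIDENCE_RANK[f["confidence"]] < min_rank:
            continue
        if g["new-findings-only"] and f["pre_existing"]:
            continue
        if any(fnmatchcase(f["path"], p) for p in g["ignore-paths"]):
            continue
        counts[f["severity"]] += 1
    passed = all(g[f"max-{s}"] == -1 or counts[s] <= g[f"max-{s}"] for s in SEVERITIES)
    return passed, counts

# Constructed sample findings, not real scanner output.
SAMPLE = [
    {"path": "app/db.py", "severity": "high", "confidence": "likely", "pre_existing": False},
    {"path": "app/auth.py", "severity": "critical", "confidence": "possible", "pre_existing": False},
    {"path": "tests/test_db.py", "severity": "high", "confidence": "confirmed", "pre_existing": False},
    {"path": "legacy/old.py", "severity": "high", "confidence": "confirmed", "pre_existing": True},
    {"path": "app/util.py", "severity": "medium", "confidence": "confirmed", "pre_existing": False},
]

# The custom block above, plus new-findings-only from the full reference.
CUSTOM_GATE = {"preset": "custom", "max-critical": 0, "max-high": 2, "max-medium": -1,
               "max-low": -1, "min-confidence": "likely", "new-findings-only": True}
```

With `CUSTOM_GATE` the sample passes (two new high findings at or above "likely", medium unlimited), whereas the standard preset with `ignore-paths: ["tests/**"]` fails on the single remaining high finding.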
Ignore Paths
Exclude findings from test files, vendored code, or generated files:
Semgrep Rulesets
Common rulesets for the sast.semgrep.config field:
| Ruleset | Coverage |
|---|---|
| p/owasp-top-ten | OWASP Top 10 across all languages (default) |
| p/ci | CI-optimized rules (fewer false positives) |
| p/security-audit | Comprehensive security audit |
| p/python | Python-specific rules |
| p/javascript | JavaScript/TypeScript rules |
| p/golang | Go-specific rules |
| auto | Auto-detect language and apply best rules |
Multiple rulesets can be specified using Semgrep's config syntax (comma-separated).
Per-Provider Overrides
GitHub Actions
```yaml
# Override via action inputs
- uses: bedefended/code-review-action@v1
  with:
    api-key: ${{ secrets.BD_API_KEY }}
    fail-on: high                  # Overrides quality-gate preset
    config-file: .bedefended.yml
```
GitLab CI
```yaml
# Override via CI/CD variables
variables:
  BD_FAIL_ON: "medium"   # Override --fail-on
  BD_MODE: "full"        # Override scan mode
```
Azure DevOps
Minimal Configuration
For most projects, no config file is needed at all. The defaults are:
- SAST: all tools enabled, OWASP Top 10 rules
- Quality gate: standard (fail on High+)
- PR comments: enabled
- SARIF upload: enabled
- Exclude: vendor, node_modules, test files