Configuration

Configure Redactyl for your project with .redactyl.yml

Redactyl uses a .redactyl.yml file for project-level configuration. Place it in your repository root.

Basic Configuration

# .redactyl.yml
version: 1

# Scan settings
scan:
  # Paths to include (default: current directory)
  paths:
    - .

  # Paths to exclude
  exclude:
    - node_modules
    - vendor
    - "*.min.js"

  # Enable deep scanning
  archives: true
  containers: true
  helm: true
  k8s: true

# Output settings
output:
  format: text  # text, json, sarif
  verbose: false

Baseline Configuration

Baseline known secrets to reduce noise:

# .redactyl.yml
baseline:
  # Path to baseline file
  file: .redactyl-baseline.json

  # Auto-update baseline on scan
  auto_update: false

Create a baseline interactively:

redactyl scan
# Press 'b' on a finding to baseline it

Or via CLI:

redactyl baseline add --fingerprint <hash>

Gitleaks Configuration

Redactyl uses Gitleaks for detection. You can customize rules:

# .redactyl.yml
gitleaks:
  # Path to custom gitleaks config
  config: .gitleaks.toml

  # Additional rules to enable
  enable_rules:
    - custom-api-key

  # Rules to disable
  disable_rules:
    - generic-api-key

Custom Gitleaks rules in .gitleaks.toml:

[[rules]]
id = "custom-api-key"
description = "Custom API Key"
regex = '''MYAPP_[A-Z0-9]{32}'''
tags = ["key", "custom"]

Guardrails

Protect sensitive operations:

# .redactyl.yml
guardrails:
  # Require confirmation for destructive operations
  confirm_destructive: true

  # Create backups before history rewriting
  backup_refs: true

  # Block operations on protected branches
  protected_branches:
    - main
    - master
    - release/*

CI/CD Configuration

Settings for non-interactive mode:

# .redactyl.yml
ci:
  # Exit non-zero when findings are present
  fail_on_findings: true

  # Lowest severity that causes a failing exit
  fail_severity: high  # low, medium, high, critical

  # SARIF output path
  sarif_output: redactyl.sarif.json

Environment Variables

All config options can be set via environment variables:

# Upper-case the section and key, joined with '_', and prefix with REDACTYL_
export REDACTYL_SCAN_ARCHIVES=true
export REDACTYL_OUTPUT_FORMAT=json
export REDACTYL_CI_FAIL_ON_FINDINGS=true

Configuration Precedence

  1. CLI flags (highest priority)
  2. Environment variables
  3. .redactyl.yml in current directory
  4. .redactyl.yml in home directory
  5. Built-in defaults (lowest priority)
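As an added example (not Redactyl's own code), the resolver below applies that precedence order and the REDACTYL_ environment-variable mapping to constructed inputs. The section names and defaults are taken from this page's examples; the rule that a variable is matched against a known section/key pair rather than split on every underscore is an assumption, made because keys such as fail_on_findings themselves contain underscores.

```python
# Built-in defaults (lowest priority). Sections and keys mirror this page;
# the exact values Redactyl ships with are an assumption.
DEFAULTS = {
    "scan": {"archives": False, "containers": False, "helm": False, "k8s": False},
    "output": {"format": "text", "verbose": False},
    "ci": {"fail_on_findings": False, "fail_severity": "high", "sarif_output": ""},
}

def _coerce(raw, like):
    """Coerce an env-var string to the type of the default it overrides."""
    if isinstance(like, bool):
        if raw.lower() in ("1", "true", "yes"):
            return True
        if raw.lower() in ("0", "false", "no"):
            return False
        raise ValueError(f"not a boolean: {raw!r}")
    return raw

def env_overrides(environ, schema=DEFAULTS):
    """Map REDACTYL_<SECTION>_<KEY> variables onto nested config keys.
    The remainder after the section prefix must be a known key, so
    REDACTYL_CI_FAIL_ON_FINDINGS lands on ci.fail_on_findings."""
    found = {}
    for name, raw in environ.items():
        if not name.startswith("REDACTYL_"):
            continue
        rest = name[len("REDACTYL_"):].lower()
        for section, keys in schema.items():
            prefix = section + "_"
            key = rest[len(prefix):]
            if rest.startswith(prefix) and key in keys:
                found.setdefault(section, {})[key] = _coerce(raw, keys[key])
    return found

def merge(*layers):
    """Merge nested dicts; later layers win. Scalar top-level entries
    such as 'version: 1' are copied through as-is."""
    out = {}
    for layer in layers:
        for section, values in layer.items():
            if not isinstance(values, dict):
                out[section] = values
                continue
            out.setdefault(section, {}).update(values)
    return out

def resolve(cli_flags, environ, local_yml, home_yml):
    """Apply the documented precedence, lowest priority first."""
    return merge(DEFAULTS, home_yml, local_yml, env_overrides(environ), cli_flags)
```

Pass the parsed contents of each .redactyl.yml as plain dicts; the example deliberately avoids a YAML dependency so it runs stand-alone.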

Full Example

# .redactyl.yml
version: 1

scan:
  paths:
    - .
  exclude:
    - node_modules
    - vendor
    - dist
    - "*.test.js"
  archives: true
  containers: true
  helm: true
  k8s: true

baseline:
  file: .redactyl-baseline.json
  auto_update: false

gitleaks:
  config: .gitleaks.toml
  disable_rules:
    - generic-api-key

guardrails:
  confirm_destructive: true
  backup_refs: true
  protected_branches:
    - main
    - production

ci:
  fail_on_findings: true
  fail_severity: high
  sarif_output: redactyl.sarif.json

output:
  format: text
  verbose: false