velka 1.4.0

The Code Sin Judge - AST-powered secret scanner and security analyzer
# Velka Configuration File
# Copy this file to velka.toml and customize as needed

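[scan]
# Ignore patterns (glob syntax). Ignored paths are never opened, so anything
# committed under them (fixture credentials, vendored configs) goes unreported;
# review these before widening them.
# Default patterns include: target, .git, node_modules, lock files, images, etc.
ignore_paths = [
    "**/*.sample",
    "tests/fixtures/**",
    "vendor/**",
]

# Entropy threshold for detecting high-entropy strings (potential secrets)
# Higher values = fewer false positives, but may miss some secrets;
# lower values = more findings (and more noise). Tune per profile below.
# Default: 4.6, Range: 3.0 - 6.0
entropy_threshold = 4.6

# Whitelist patterns - matches containing these strings are ignored
# (substring match, not anchored). Keep entries specific: a finding that
# merely contains one of these strings, e.g. a connection string with
# "user:pass@localhost", is suppressed as well. For broader, deliberate
# suppression prefer the [scan.allowlist] regexes/paths at the end of this table.
whitelist = [
    "localhost",
    "127.0.0.1",
    "0.0.0.0",
    "example.com",
    "test@example.com",
    "placeholder",
]

# Maximum file size to scan (in MB)
# Files larger than this are skipped - a blind spot, not a pass. Raise it
# (see [profile.strict]) when auditing repos with large data/config files.
# Default: 50
max_file_size_mb = 50

# Skip lines longer than this threshold (likely minified code)
# Skipped lines are not scanned, so a token embedded in a bundled/minified
# asset is missed; lower the threshold if such files are in scope.
# Default: 10000
skip_minified_threshold = 10000

# Advanced allowlist - regex and path-based false positive suppression.
# Deliberately the LAST item of [scan]: in TOML every key that follows a
# [scan.allowlist] header belongs to that sub-table, so uncommenting it above
# the plain keys would silently move whitelist/max_file_size_mb/... out of [scan].
# Regexes are written as literal strings ('...') so backslashes need no escaping.
# [scan.allowlist]
# regexes = ['(?i)example', '(?i)test.*key']
# paths = ["**/fixtures/**", "**/*.example.*", "**/testdata/**"]
# file_patterns = ['(?i)test_.*\.py$', '(?i).*\.spec\.ts$']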

[output]
# Redact secrets in output (show AKIA****MPLE instead of full value)
# Default: true (recommended for CI/CD logs)
# Keep this on wherever output is persisted (CI logs, saved reports, tickets);
# otherwise the scan report itself becomes a store of live credentials.
redact_secrets = true

# Number of visible characters at start/end of redacted secrets
# Default: 4
# 4 + 4 visible characters is enough to tell findings apart. Raising it leaks
# more of each secret, and for short tokens may expose most of it; behaviour
# for secrets shorter than twice this value is not documented here - confirm
# before tuning.
redact_visible_chars = 4

[cache]
# Enable caching for faster incremental scans
# Default: true
# Disable (as [profile.ci] does) where a fresh, reproducible scan matters
# more than speed.
enabled = true

# Cache location: "project" (.velka-cache/), "user" (~/.cache/velka/), or "both"
# Default: "both"
# Add .velka-cache/ to .gitignore so the cache is never committed. What the
# cache records (file hashes only, or finding text) is not stated here -
# treat it as sensitive until confirmed.
location = "both"

[rules]
# Disable specific rules globally
# Example: disable = ["HARDCODED_IP", "JWT_TOKEN"]
# A rule disabled here is off for every scan (presumably unless a profile
# overrides it); prefer the narrower [scan.allowlist] for one-off false positives.
disable = []

# Custom rules - uncomment and customize as needed
# Each pattern is a regex matched against file content. Use a literal string
# ('...') when the pattern contains backslashes, and keep the character class
# and length tight so the rule does not fire on ordinary identifiers.
# [[rules.custom]]
# id = "MY_INTERNAL_KEY"
# pattern = "MYCOMPANY_[A-Z0-9]{32}"
# severity = "Mortal"  # or "Venial"
# description = "Internal API key detected"
#
# [[rules.custom]]
# id = "INTERNAL_API"
# pattern = "INTERNAL_[A-Z0-9]{24}"
# severity = "Mortal"
# description = "Internal service token detected"

# Profiles - environment-specific overrides
# Use with: velka scan . --profile ci

[profile.ci]
# Disable cache in CI (fresh scan every time); cache.location is then moot.
cache.enabled = false
# Always redact in CI logs - CI output is retained and widely readable, so
# this stays true here even if the base [output] setting is changed.
output.redact_secrets = true

[profile.dev]
# Higher entropy threshold for local development (fewer false positives)
# The trade-off is fewer detections: this profile is a convenience, not a
# gate - rely on the ci/strict profiles for the authoritative scan.
scan.entropy_threshold = 5.0
# Show full secrets during development
# Plain-text secrets then land in terminal scrollback, shell/IDE logs and any
# pasted output. Never select this profile in CI or when sharing results.
output.redact_secrets = false

[profile.strict]
# Lower entropy threshold for security audits (more findings, more noise to triage)
scan.entropy_threshold = 4.0
# Scan larger files - narrows the size blind spot left by the default 50 MB limit.
# Keys not set here (e.g. output.redact_secrets) presumably fall back to the
# base config above, so redaction stays on for audit output.
scan.max_file_size_mb = 100