Configuration
Learn how to configure CXRay for your specific needs.
Configuration File
CXRay uses a configuration file named .cxray.yml in your project root or ~/.cxray/config.yml for global settings.
Basic Configuration
```yaml
# .cxray.yml
version: "1.0"

# Scan settings
scan:
  # Types of scans to perform
  types:
    - cve
    - cce
    - sbom
  # Severity threshold
  severity:
    fail_on: critical
    report: all
  # Directories to exclude
  exclude:
    - node_modules/
    - vendor/
    - .git/
    - test/

# Output settings
output:
  format: json
  verbose: false

# Database settings
database:
  auto_update: true
  update_frequency: daily
```
Environment Variables
CXRay can be configured using environment variables:
| Variable | Description | Default |
|---|---|---|
| `CXRAY_CONFIG` | Path to configuration file | `.cxray.yml` |
| `CXRAY_API_KEY` | API key for CXRay services | - |
| `CXRAY_DB_PATH` | Path to vulnerability database | `~/.cxray/db` |
| `CXRAY_CACHE_DIR` | Cache directory | `~/.cxray/cache` |
| `CXRAY_LOG_LEVEL` | Logging level (debug, info, warn, error) | `info` |
Example:

```bash
export CXRAY_API_KEY="your-api-key-here"
export CXRAY_LOG_LEVEL="debug"
cxray scan .
```

Supply `CXRAY_API_KEY` from your CI secret store or a local secrets manager rather than pasting the literal value into a shell script or dotfile that may be committed.
Scan Configuration
CVE Scanning
```yaml
cve:
  # CVE data sources
  sources:
    - nvd
    - github
    - osv
  # Ignore specific CVEs
  ignore:
    - CVE-2021-12345
    - CVE-2022-67890
  # CVSS score threshold
  cvss_threshold: 7.0
```

Entries under `ignore` are excluded from results, so record the reason for each one (a YAML comment next to the entry is enough) and revisit the list periodically; an unexplained ignore is indistinguishable from a missed vulnerability.
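Putting the CVE settings above together with `scan.severity.fail_on` from the basic configuration: the following Python is an added example, not CXRay's own code, showing how the `ignore` list, `cvss_threshold` and `fail_on` combine to decide whether a run fails. It assumes the CVSS threshold is applied before reporting (so with `cvss_threshold: 7.0` nothing below high would be reported, even with `report: all`), maps scores to severities with the CVSS v3 qualitative ranges, and uses constructed findings whose CVE IDs are placeholders in the page's own style, not real advisories.

```python
# Added example: CVE filtering and fail gating as configured on this page.
# Not CXRay's implementation; the finding records are constructed samples.

# CVSS v3.x qualitative severity ratings (from the CVSS v3 specification)
def cvss_to_severity(score):
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Ordering used by fail_on: a finding fails the run if its rank >= the gate's rank
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# The page's cve block and scan.severity block, as yaml.safe_load would return them
CVE_CONFIG = {"ignore": ["CVE-2021-12345", "CVE-2022-67890"], "cvss_threshold": 7.0}
SCAN_SEVERITY = {"fail_on": "critical", "report": "all"}

# Constructed findings; IDs are placeholders in the page's style, not real advisories
FINDINGS = [
    {"id": "CVE-2021-12345", "package": "libfoo", "cvss": 9.8},  # listed under ignore
    {"id": "CVE-2023-12345", "package": "libbar", "cvss": 5.3},  # below cvss_threshold
    {"id": "CVE-2023-23456", "package": "libbaz", "cvss": 7.5},  # high
    {"id": "CVE-2023-34567", "package": "libqux", "cvss": 9.1},  # critical
]


def filter_cves(findings, cve_config):
    """Drop ignored IDs and anything below cvss_threshold; annotate the rest with a severity."""
    ignored = set(cve_config.get("ignore", []))
    threshold = float(cve_config.get("cvss_threshold", 0.0))
    kept = []
    for finding in findings:
        if finding["id"] in ignored or finding["cvss"] < threshold:
            continue
        kept.append({**finding, "severity": cvss_to_severity(finding["cvss"])})
    return kept


def should_fail(findings, fail_on):
    """True if any remaining finding is at or above the fail_on severity."""
    gate = SEVERITY_RANK[fail_on.lower()]
    return any(SEVERITY_RANK[f["severity"]] >= gate for f in findings)


if __name__ == "__main__":
    kept = filter_cves(FINDINGS, CVE_CONFIG)
    for f in kept:
        print(f"{f['id']} {f['package']} cvss={f['cvss']} severity={f['severity']}")
    print("fail build:", should_fail(kept, SCAN_SEVERITY["fail_on"]))
```

With the page's values the ignored critical and the medium finding never reach the report, and the remaining critical fails the run; lowering `fail_on` to `high` would make the 7.5 finding alone sufficient to fail it.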
CCE Scanning
```yaml
cce:
  # Configuration standards
  standards:
    - cis
    - nist
    - pci-dss
  # Custom rules directory
  custom_rules: ./cce-rules/
```
SBOM Generation
```yaml
sbom:
  # SBOM format
  format: spdx # or cyclonedx
  # Include development dependencies
  include_dev: false
  # License compliance check
  license_check:
    enabled: true
    allowed:
      - MIT
      - Apache-2.0
      - BSD-3-Clause
    denied:
      - GPL-3.0
```
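The `allowed` and `denied` lists above say nothing about a license that appears in neither list, a component with no license data, or a dual-licensed component. The Python below is an added example, not CXRay's code, of a license check that sends those cases to review, lets a denied identifier win even inside an `OR` expression (a conservative choice, stated as an assumption), and honours `include_dev`. The component records and their field names are constructed for the example and are not CXRay's SBOM schema.

```python
# Added example: evaluating sbom.license_check over SBOM components.
# Not CXRay's implementation; components and their fields are constructed samples.

# The page's license_check block, as yaml.safe_load would return it
LICENSE_POLICY = {
    "enabled": True,
    "allowed": ["MIT", "Apache-2.0", "BSD-3-Clause"],
    "denied": ["GPL-3.0"],
}

# Constructed components (field names assumed for the example)
COMPONENTS = [
    {"name": "lodash", "version": "4.17.21", "license": "MIT", "dev": False},
    {"name": "jest", "version": "29.7.0", "license": "MIT", "dev": True},
    {"name": "readline", "version": "8.2", "license": "GPL-3.0", "dev": False},
    {"name": "left-pad", "version": "1.3.0", "license": "WTFPL", "dev": False},
    {"name": "dual-lib", "version": "2.0.0", "license": "MIT OR GPL-3.0", "dev": False},
    {"name": "mystery", "version": "0.1.0", "license": "", "dev": False},
]


def license_ids(expression):
    """Identifiers in a simple SPDX expression; operators and parentheses are dropped (assumed simplification)."""
    tokens = expression.replace("(", " ").replace(")", " ").split()
    return {t for t in tokens if t.upper() not in {"AND", "OR", "WITH"}}


def check_licenses(components, policy, include_dev=False):
    """Classify each component as allowed, denied or review; return (verdicts, violations)."""
    if not policy.get("enabled", False):
        return [], []
    allowed = set(policy.get("allowed", []))
    denied = set(policy.get("denied", []))
    verdicts = []
    for comp in components:
        if comp.get("dev") and not include_dev:
            continue  # include_dev: false skips development dependencies
        ids = license_ids(comp.get("license") or "")
        if not ids:
            verdict = "review"  # no license data at all
        elif ids & denied:
            verdict = "denied"  # deny wins, even for OR expressions (conservative assumption)
        elif ids <= allowed:
            verdict = "allowed"
        else:
            verdict = "review"  # mentioned in neither list: a human decides
        verdicts.append((comp["name"], verdict))
    violations = [name for name, verdict in verdicts if verdict != "allowed"]
    return verdicts, violations


if __name__ == "__main__":
    verdicts, violations = check_licenses(COMPONENTS, LICENSE_POLICY)
    for name, verdict in verdicts:
        print(f"{name}: {verdict}")
    print("needs attention:", violations)
```

Treating "review" as a violation keeps an unknown license from passing silently; if that is too strict for a first rollout, report it without failing the build and tighten later.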
Integration Settings
CI/CD Integration
```yaml
ci:
  # Fail build on findings
  fail_on_severity: high
  # Generate reports
  reports:
    - type: html
      output: cxray-report.html
    - type: sarif
      output: results.sarif
```
API Configuration
```yaml
api:
  # API endpoint
  endpoint: https://api.cxray.io
  # Authentication
  api_key: ${CXRAY_API_KEY}
  # Timeout settings
  timeout: 300
  retry: 3
```

Keep the key itself out of the committed file: the `${CXRAY_API_KEY}` form reads it at run time from the environment variable listed in the table above.
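The `${CXRAY_API_KEY}` form above, together with the environment-variable table earlier on this page, is what keeps the key out of a committed `.cxray.yml`. The Python below is an added example, not CXRay's implementation, of loading such a configuration: it refuses a literal value in a secret-bearing key and then expands `${VAR}` references from the process environment, failing loudly if a referenced variable is unset. The config dicts are constructed samples in the shape `yaml.safe_load` would return, and the set of secret-bearing keys is an assumption for the example.

```python
# Added example: placeholder expansion and literal-secret check for a CXRay-style config.
# Not CXRay's implementation; the config dicts below are constructed samples.
import os
import re

# ${VAR} as used by api_key and webhook_url on this page
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Keys that must hold a ${VAR} reference, never a literal (assumed for the example)
SECRET_KEYS = {"api_key", "webhook_url"}


def expand_placeholders(value, env):
    """Recursively replace ${VAR} inside strings with env[VAR]; an unset VAR is an error."""
    if isinstance(value, dict):
        return {k: expand_placeholders(v, env) for k, v in value.items()}
    if isinstance(value, list):
        return [expand_placeholders(v, env) for v in value]
    if isinstance(value, str):
        def substitute(match):
            name = match.group(1)
            if name not in env:
                raise KeyError(f"config references ${{{name}}} but it is not set")
            return env[name]
        return PLACEHOLDER.sub(substitute, value)
    return value  # ints, bools, None pass through untouched


def find_literal_secrets(config, path=()):
    """Dotted paths of secret-bearing keys whose value is a literal rather than a ${VAR} reference."""
    hits = []
    if isinstance(config, dict):
        for key, val in config.items():
            if key in SECRET_KEYS and isinstance(val, str) and not PLACEHOLDER.fullmatch(val):
                hits.append(".".join(path + (key,)))
            hits.extend(find_literal_secrets(val, path + (key,)))
    elif isinstance(config, list):
        for i, val in enumerate(config):
            hits.extend(find_literal_secrets(val, path + (str(i),)))
    return hits


def load_config(config, env=None):
    """Reject committed secrets, then resolve placeholders from the environment."""
    env = os.environ if env is None else env
    leaks = find_literal_secrets(config)
    if leaks:
        raise ValueError("literal secrets in config: " + ", ".join(leaks))
    return expand_placeholders(config, env)


# Constructed sample: the page's api and slack settings, placeholders intact
SAFE_CONFIG = {
    "api": {"endpoint": "https://api.cxray.io", "api_key": "${CXRAY_API_KEY}",
            "timeout": 300, "retry": 3},
    "notifications": {"slack": {"enabled": True, "webhook_url": "${SLACK_WEBHOOK_URL}"}},
}

# Constructed sample of the mistake to catch: a key pasted in as a literal
LEAKY_CONFIG = {"api": {"endpoint": "https://api.cxray.io", "api_key": "cx-live-0123456789"}}


if __name__ == "__main__":
    env = {"CXRAY_API_KEY": "k", "SLACK_WEBHOOK_URL": "https://hooks.slack.com/services/x"}
    print(load_config(SAFE_CONFIG, env)["api"]["api_key"])
    print(find_literal_secrets(LEAKY_CONFIG))
```

In a real loader the dict would come from `yaml.safe_load` (PyYAML) on the file named by `CXRAY_CONFIG`; running the literal-secret check as a pre-commit hook catches the pasted key before it reaches the repository.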
Advanced Configuration
Custom Scan Rules
Create custom scanning rules for your organization:
```yaml
custom_rules:
  - id: CUSTOM-001
    name: Check for hardcoded secrets
    severity: critical
    pattern: "(?i)(password|secret|api[_-]?key)\\s*=\\s*['\"][^'\"]+['\"]"
  - id: CUSTOM-002
    name: Detect insecure HTTP URLs
    severity: medium
    pattern: "http://(?!localhost|127\\.0\\.0\\.1)"
```

The patterns are YAML double-quoted strings, so each backslash is doubled (`\\s` arrives at the regex engine as `\s`) and embedded double quotes are escaped as `\"`.
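To see what those two patterns catch and miss, the Python below is an added example, not CXRay's rule engine: it compiles the rules as `yaml.safe_load` would hand them over (the doubled backslashes in the YAML have become single ones), rejects an invalid pattern at load time naming the offending rule, and runs the rules line by line over a constructed source file.

```python
# Added example: running the page's custom_rules over sample source lines.
# Not CXRay's rule engine; the sample source is constructed for the example.
import re

# The page's two rules after YAML parsing (raw strings, single backslashes)
CUSTOM_RULES = [
    {"id": "CUSTOM-001", "name": "Check for hardcoded secrets", "severity": "critical",
     "pattern": r"(?i)(password|secret|api[_-]?key)\s*=\s*['\"][^'\"]+['\"]"},
    {"id": "CUSTOM-002", "name": "Detect insecure HTTP URLs", "severity": "medium",
     "pattern": r"http://(?!localhost|127\.0\.0\.1)"},
]

# Constructed source file, one line per case
SAMPLE_SOURCE = "\n".join([
    'API_KEY = "sk-live-0123456789"',           # 1: quoted literal, CUSTOM-001 hit
    'password = os.environ["DB_PASSWORD"]',     # 2: read from env, no quoted literal
    'secret: "yaml-style-value"',               # 3: colon, not '=': CUSTOM-001 misses it
    'health = "http://localhost:8080/health"',  # 4: loopback, excluded by the lookahead
    'feed = "http://example.com/feed"',         # 5: plaintext HTTP, CUSTOM-002 hit
    'probe = "http://127.0.0.1:9090"',          # 6: loopback, excluded
])


def compile_rules(rules):
    """Compile every rule up front so a bad regex fails the run with its rule id."""
    compiled = []
    for rule in rules:
        try:
            regex = re.compile(rule["pattern"])
        except re.error as exc:
            raise ValueError(f"rule {rule['id']}: invalid pattern: {exc}") from exc
        compiled.append((rule["id"], rule["severity"], regex))
    return compiled


def scan_text(text, compiled_rules, path="<input>"):
    """Run each compiled rule over each line; one finding per (line, rule) match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, severity, regex in compiled_rules:
            if regex.search(line):
                findings.append({"rule": rule_id, "severity": severity,
                                 "path": path, "line": lineno})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE, compile_rules(CUSTOM_RULES), path="app.py"):
        print(f"{finding['path']}:{finding['line']} {finding['rule']} ({finding['severity']})")
```

Line 3 shows the limit of CUSTOM-001 as written: it only matches `=` assignments, so a `key: "value"` pair in YAML or JSON slips past; widening `\s*=\s*` to `\s*[=:]\s*` covers that form at the cost of more matches to triage.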
Notification Settings
Configure notifications for scan results:
```yaml
notifications:
  # Slack integration
  slack:
    enabled: true
    webhook_url: ${SLACK_WEBHOOK_URL}
    severity: critical,high
  # Email notifications
  email:
    enabled: true
    smtp_host: smtp.example.com
    smtp_port: 587
    from: cxray@example.com
    to:
      - security-team@example.com
    severity: critical
```