Configuring Scans

Customize PrismSec scan behavior with configuration files and dashboard settings.

PrismSec works out-of-the-box with zero configuration, but you can customize scan behavior to fit your team's workflow. Configuration options include which security pillars to enable, path exclusions, severity thresholds, and branch-specific rules.

Configuration Methods

You can configure PrismSec in two ways:

  1. Dashboard settings — Web-based configuration for repository-level settings
  2. Config file — Version-controlled YAML file for team-wide settings

Both methods can be used together. Dashboard settings override config file settings.

Add a prismsec.yml file to the root of your repository to configure scan behavior in a version-controlled way.

Example Configuration

# prismsec.yml
version: 1
 
# Enable or disable security pillars
pillars:
  sast: true
  secrets: true
  dependencies: true
  iac: true
 
# Exclude specific paths from scanning
exclude:
  paths:
    - "test/**"
    - "docs/**"
    - "vendor/**"
    - "**/node_modules/**"
  files:
    - "*.test.ts"
    - "*.spec.js"
 
# Severity threshold to fail CI checks
severity_threshold: high  # Options: critical, high, medium, low
 
# Branch-specific rules
branches:
  main:
    # Require all findings to be resolved before merging to main
    severity_threshold: low
    block_on_findings: true
  
  develop:
    # More lenient on develop branch
    severity_threshold: high
    block_on_findings: false
 
# Auto-fix PR settings
auto_fix:
  enabled: true
  # Only auto-fix Critical and High severity issues
  min_severity: high
  # Maximum number of fix PRs to open per scan
  max_prs_per_scan: 3
 
# Dependency scanning configuration
dependencies:
  # Only report vulnerabilities that are reachable in your code
  reachability_analysis: true
  # Ignore vulnerabilities below this CVSS score
  min_cvss_score: 5.0
  # Allowed licenses (all others will be flagged)
  allowed_licenses:
    - MIT
    - Apache-2.0
    - BSD-3-Clause
 
# Secret detection configuration
secrets:
  # Scan commit history for leaked secrets
  scan_history: true
  # Maximum commit depth to scan
  history_depth: 100
  # Entropy threshold for generic secret detection
  entropy_threshold: 4.5

Configuration Options

Pillars

Enable or disable specific security capabilities:

| Option | Default | Description |
|--------|---------|-------------|
| sast | true | Code-level vulnerability detection |
| secrets | true | Hardcoded credential detection |
| dependencies | true | Dependency vulnerability scanning |
| iac | true | Infrastructure-as-code security checks |

Exclude Paths

Ignore specific files or directories:

exclude:
  paths:
    - "test/**"        # Exclude all test directories
    - "vendor/**"      # Exclude vendored dependencies
    - "docs/**"        # Exclude documentation
  files:
    - "*.test.js"      # Exclude test files by pattern
    - "mock-*.py"      # Exclude mock data files

Be cautious when excluding paths. Test files and documentation can still contain hardcoded secrets or misconfigurations.

Severity Threshold

Set the minimum severity level to fail CI checks:

severity_threshold: high

Options: critical, high, medium, low

  • critical — Only fail on Critical findings
  • high — Fail on Critical or High findings
  • medium — Fail on Critical, High, or Medium findings
  • low — Fail on any finding

Branch Rules

Apply different thresholds to different branches:

branches:
  main:
    severity_threshold: low
    block_on_findings: true
  staging:
    severity_threshold: medium
    block_on_findings: true
  develop:
    severity_threshold: high
    block_on_findings: false
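As an added example (not PrismSec's own code), the Python below mirrors how the exclude, severity_threshold and branches options above combine: a branch entry overrides the repository-wide threshold, exclusion globs drop findings before the threshold is applied, and block_on_findings decides whether the remaining findings fail the check. The glob-matching semantics and the fail logic are assumptions, since the page does not specify them, and the config is a constructed dict rather than a parsed prismsec.yml.

```python
from fnmatch import fnmatch

# Ordering behind severity_threshold: a threshold of "high" reports high and critical.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed config mirroring the example prismsec.yml on this page (not read from disk).
CONFIG = {
    "severity_threshold": "high",
    "exclude": {"paths": ["test/**", "vendor/**"], "files": ["*.test.ts"]},
    "branches": {
        "main": {"severity_threshold": "low", "block_on_findings": True},
        "develop": {"severity_threshold": "high", "block_on_findings": False},
    },
}


def effective_policy(config, branch):
    """Branch-specific rules override the repository-wide threshold.
    Assumption: with no branch rule, findings at or above the threshold block."""
    rules = config.get("branches", {}).get(branch, {})
    return {
        "severity_threshold": rules.get("severity_threshold",
                                        config.get("severity_threshold", "high")),
        "block_on_findings": rules.get("block_on_findings", True),
    }


def is_excluded(path, exclude):
    """Assumed matching: 'paths' globs match the repo-relative path,
    'files' globs match only the file name."""
    if any(fnmatch(path, pat) for pat in exclude.get("paths", [])):
        return True
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch(name, pat) for pat in exclude.get("files", []))


def should_fail_ci(config, branch, findings):
    """findings: list of (repo_path, severity). Returns (fail, reported_findings)."""
    policy = effective_policy(config, branch)
    threshold = SEVERITY_RANK[policy["severity_threshold"]]
    exclude = config.get("exclude", {})
    reported = [(p, s) for p, s in findings
                if not is_excluded(p, exclude) and SEVERITY_RANK[s] >= threshold]
    return (bool(reported) and policy["block_on_findings"]), reported


if __name__ == "__main__":
    # Constructed findings: one in an excluded dir, one matching a file glob.
    sample = [("src/app.ts", "medium"), ("test/x.ts", "critical"),
              ("src/a.test.ts", "high"), ("src/db.py", "high")]
    for br in ("main", "develop", "feature/x"):
        print(br, should_fail_ci(CONFIG, br, sample))
```

Note that the excluded test/x.ts finding is critical yet never reported, which is the risk the page warns about under Exclude Paths.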

Auto-Fix Settings

Control when PrismSec opens fix PRs:

auto_fix:
  enabled: true
  min_severity: high          # Only auto-fix High and Critical
  max_prs_per_scan: 3         # Limit PRs to avoid noise

Dashboard Configuration

For repository-level settings that don't need to be version-controlled:

  1. Go to the PrismSec dashboard
  2. Select your repository
  3. Click Settings → Scan Configuration

Available settings:

  • Enable/disable pillars — Toggle SAST, Secrets, Dependencies, IaC
  • Severity threshold — Set the minimum severity to fail CI
  • Auto-fix behavior — Enable/disable automatic fix PRs
  • Notification preferences — Configure Slack alerts (see Slack integration)

Default Behavior (No Config)

If no configuration file or dashboard settings exist, PrismSec uses these defaults:

  • All pillars enabled — SAST, Secrets, Dependencies, IaC
  • No path exclusions — All files are scanned
  • Severity threshold: high — CI fails on Critical or High findings
  • Auto-fix enabled — Fix PRs are opened for Critical and High issues
  • No branch rules — Same threshold for all branches

Validating Configuration

After creating or updating prismsec.yml, validate the syntax:

# Use the PrismSec CLI (optional)
npx prismsec validate prismsec.yml

Or open a pull request — PrismSec will report any configuration errors in the PR comment.

Next Steps