Configuration
codescan looks for codescan.toml in the current working directory (or the directory passed as the scan path). You can also specify a config file explicitly:
bash
codescan --config /path/to/codescan.toml .

Full Reference
toml
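# codescan.toml
# ── Rules ─────────────────────────────────────────────────────────────────────
[rules]
# Rule IDs to disable entirely.
disabled = ["INFRA004", "UNICODE002"]
# Additional custom rule files (JSON) to load.
# Same format as --rules-file.
# This key must stay above the [rules.severity_overrides] header: in TOML every
# key after a table header belongs to that table, so writing it below the
# header would define rules.severity_overrides.extra_files (silently ignored)
# instead of rules.extra_files.
extra_files = ["./rules/internal.json"]
# Per-rule severity override. Valid values: "error", "warning", "info".
[rules.severity_overrides]
SECRET001 = "error"
CRYPTO001 = "warning"
ENTROPY001 = "info"
# ── Scanner ───────────────────────────────────────────────────────────────────
[scanner]
# Maximum file size to scan, in bytes (default: 1 MiB = 1_048_576).
# Files above this limit are not scanned at all, so findings in them are never
# reported; same as --max-filesize on the CLI.
max_file_size = 1_048_576
# Skip files that appear to be binary (default: true).
skip_binary = true
# Enable Shannon entropy scanning for high-entropy secrets (default: true).
entropy_scan = true
# Always show suppressed findings (default: false).
# Same as --show-suppressed on the CLI.
show_suppressed = false
# ── Excludes ──────────────────────────────────────────────────────────────────
[exclude]
# Glob patterns for paths to exclude (matched against relative paths).
# Excluded paths are skipped entirely, not just hidden from the report, so keep
# this list to generated or third-party content rather than your own sources.
paths = [
    "vendor/**",
    "node_modules/**",
    "dist/**",
    ".git/**",
    "*.min.js",
]
# File extensions to skip entirely (listed without the leading dot).
extensions = ["lock", "snap", "wasm"]
# ── Suppressions ──────────────────────────────────────────────────────────────
# Each [[suppress]] entry defines a suppression scope. Unlike [exclude], the
# matched files are still scanned; their findings are only withheld from the
# report (they reappear with show_suppressed = true / --show-suppressed).
# See the Suppression page for full documentation.
[[suppress]]
# Exact relative file path; rules lists the rule IDs suppressed for it.
file = "src/tests/fixtures/secrets.py"
rules = ["SECRET001", "SECRET002"]
reason = "Test fixture — not real credentials"
[[suppress]]
# Glob scope; categories suppresses every rule in the named category.
glob = "**/*.test.ts"
categories = ["SECRET"]
reason = "Test files may contain dummy secrets"
[[suppress]]
# max_severity suppresses findings up to and including that severity;
# findings above it ("error" here) are still reported.
glob = "legacy/**"
max_severity = "warning"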
reason = "Legacy code — suppress info and warnings only"

CLI Flags Reference
| Flag | Default | Description |
|---|---|---|
| PATH... / -i, --input | . | Paths to scan |
| -o, --output | stdout | Write findings to file |
| -e, --exclude | — | Glob patterns to exclude |
| -c, --config | codescan.toml | Config file path |
| -f, --format | auto | pretty / json / text |
| --interactive | auto | Force color/plain output |
| --severity | info | Minimum severity to report |
| --only-rules | — | Comma-separated rule IDs to check |
| --skip-rules | — | Comma-separated rule IDs to skip |
| -j, --threads | CPU count | Parallel scan threads |
| --no-gitignore | false | Ignore .gitignore files |
| --hidden | false | Scan hidden files/directories |
| --max-filesize | 1048576 | Max file size in bytes |
| -q, --quiet | false | Suppress summary line |
| --fail-on | error | Exit 1 if findings ≥ severity (none to disable) |
| --rules-file | — | JSON custom rules file(s) |
| --show-suppressed | false | Include suppressed findings in output |
| --list-rules | — | Print all rules and exit |
Environment Variables
| Variable | Description |
|---|---|
| RUST_LOG | Log level: error, warn, info, debug, trace |
| NO_COLOR | Disable ANSI colors when set |
bash
RUST_LOG=debug codescan src/