Configuration

Configure Qryon for your project using configuration files, environment variables, or command-line flags.

Configuration Files

Qryon looks for configuration in the following locations (in order of priority):

  1. rma.toml (recommended)
  2. .rmarc.json
  3. .rmarc.yaml
  4. package.json (under "rma" key)

Full Configuration Reference

# rma.toml - Complete configuration example

#
# General Settings
#
[general]
# Verbosity level: "quiet", "normal", "verbose", "debug"
verbosity = "normal"

# Enable colored output
color = true

# Number of parallel workers (0 = auto-detect)
jobs = 0

#
# Scan Settings
#
[scan]
# Paths to scan (default: current directory)
paths = ["."]

# Patterns to exclude from scanning
exclude = [
  "node_modules",
  "vendor",
  "dist",
  "build",
  ".git",
  "**/*.min.js",
  "**/*.bundle.js",
  "**/test/**",
  "**/__tests__/**",
  "**/*.test.ts",
  "**/*.spec.ts"
]

# Patterns to include (overrides exclude for matching files)
include = []

# Languages to scan (empty = all supported)
languages = []

# Maximum file size to scan (bytes, 0 = no limit)
max_file_size = 1048576  # 1MB

# Follow symbolic links
follow_symlinks = false

# Scan hidden files/directories
scan_hidden = false

# Analysis depth: "basic", "deep", "full"
depth = "deep"

#
# Cache Settings
#
[cache]
# Enable analysis caching
enabled = true

# Cache directory (default: ~/.cache/rma)
directory = ""

# Maximum cache age in days (0 = never expire)
max_age = 30

# Maximum cache size in MB (0 = no limit)
max_size = 1024

#
# Output Settings
#
[output]
# Output format: "table", "json", "json-pretty", "sarif", "markdown"
format = "table"

# Output file (empty = stdout)
file = ""

# Show source code context
show_context = true

# Lines of context to show
context_lines = 3

# Group findings by file
group_by_file = true

# Sort order: "severity", "file", "rule"
sort_by = "severity"

#
# Rule Settings
#
[rules]
# Disabled rule patterns (supports wildcards)
disabled = [
  "style-*",
  "info-*"
]

# Explicitly enabled rules (if set, only these run)
enabled = []

# Severity threshold: "info", "low", "medium", "high", "critical"
# Findings below this severity are hidden
min_severity = "low"

# Severity overrides for specific rules
[rules.severity_override]
"react-unsafe-html" = "critical"
"console-log" = "info"

# Rule-specific configuration
[rules.config.sql-injection]
# Additional SQL functions to detect
additional_sinks = ["customQuery", "rawSql"]

[rules.config.hardcoded-secret]
# Additional patterns to detect
patterns = ["MY_SECRET_PREFIX_*"]
# Patterns to ignore (e.g., test values)
ignore_patterns = ["test-secret-*", "example-*"]

#
# Taint Analysis Settings
#
[taint]
# Enable cross-file taint analysis
enabled = true

# Enable interprocedural analysis
interprocedural = true

# Maximum call depth for taint tracking
max_depth = 10

# Treat all external input as tainted
taint_external_input = true

# Custom sources
[[taint.sources]]
pattern = "getUntrustedData()"
languages = ["javascript", "typescript"]

# Custom sinks
[[taint.sinks]]
pattern = "dangerous_operation($ARG)"
languages = ["javascript", "typescript", "python"]
sink_arg = "$ARG"
vulnerability_type = "command-injection"

# Custom sanitizers
[[taint.sanitizers]]
pattern = "custom_escape($INPUT)"
languages = ["javascript", "typescript"]
sanitizes = "$INPUT"

#
# Call Graph Settings
#
[callgraph]
# Generate call graph
enabled = true

# Maximum depth for call graph
max_depth = 15

# Include only security-relevant nodes
security_only = false

# Output format: "dot", "json", "none"
format = "none"

#
# Reporting Settings
#
[report]
# Exit with a non-zero code if any reported finding is at or above this severity
# ("none" = never fail the run)
fail_on = "high"

# Maximum findings to report (0 = no limit)
max_findings = 0

# Include fix suggestions
show_fixes = true

# Include references (OWASP, CWE links)
show_references = true

#
# Integration Settings
#
[integration]
# GitHub integration
[integration.github]
# Create check annotations
annotations = true
# Comment on PRs
pr_comments = false

# GitLab integration
[integration.gitlab]
# Create code quality report
code_quality = true
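The [rules] min_severity filter, the [rules.severity_override] map and the [report] fail_on gate from the reference above, worked through as an added Python example. This is not Qryon's own code; it assumes the severity order info < low < medium < high < critical, that fail_on = "none" disables the gate (as the Development preset on this page uses it), that overrides are applied before the threshold is checked, that the gate only sees findings that survive min_severity, and that a failed gate maps to exit code 1. The findings are constructed for the example.

```python
"""Severity threshold and fail_on gate, modelled on the [rules]/[report] settings."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Assumed ordering; the page lists these names but not their ranking.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    file: str
    line: int


def validate_thresholds(min_severity: str, fail_on: str) -> None:
    """Reject threshold names that are not a known severity (fail_on may also be "none")."""
    if min_severity not in RANK:
        raise ValueError(f"min_severity: unknown severity {min_severity!r}")
    if fail_on != "none" and fail_on not in RANK:
        raise ValueError(f"fail_on: unknown severity {fail_on!r}")


def apply_overrides(findings: List[Finding], overrides: Dict[str, str]) -> List[Finding]:
    """Re-rank findings whose rule appears in [rules.severity_override]."""
    return [replace(f, severity=overrides.get(f.rule, f.severity)) for f in findings]


def visible(findings: List[Finding], min_severity: str) -> List[Finding]:
    """Hide findings below min_severity, as the [rules] comment describes."""
    return [f for f in findings if RANK[f.severity] >= RANK[min_severity]]


def exit_code(findings: List[Finding], fail_on: str) -> int:
    """Return 1 if any finding is at or above fail_on, else 0; "none" never fails."""
    if fail_on == "none":
        return 0
    return 1 if any(RANK[f.severity] >= RANK[fail_on] for f in findings) else 0


# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("console-log", "low", "src/app.ts", 12),
    Finding("react-unsafe-html", "medium", "src/view.tsx", 40),
    Finding("sql-injection", "high", "src/db.ts", 77),
    Finding("style-semicolon", "info", "src/util.ts", 3),
]
# Same overrides as the reference rma.toml above.
OVERRIDES = {"react-unsafe-html": "critical", "console-log": "info"}


def demo(min_severity: str = "medium", fail_on: str = "high") -> Tuple[List[Finding], int]:
    """Run the full pipeline: validate, override, filter, then gate."""
    validate_thresholds(min_severity, fail_on)
    shown = visible(apply_overrides(SAMPLE_FINDINGS, OVERRIDES), min_severity)
    return shown, exit_code(shown, fail_on)


if __name__ == "__main__":
    shown, code = demo()
    for f in shown:
        print(f"{f.severity:8} {f.rule:20} {f.file}:{f.line}")
    print("exit code:", code)
```

With the reference settings (min_severity = "medium", fail_on = "high") the console-log finding is demoted to info and hidden, react-unsafe-html is promoted to critical, and the run fails because two findings sit at or above high. Switching fail_on to "none" reports the same findings but exits 0, which is the behaviour the Development preset relies on.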

JSON Configuration

Equivalent configuration in JSON format:

// .rmarc.json
{
  "scan": {
    "exclude": ["node_modules", "dist", "**/*.test.ts"],
    "languages": ["typescript", "javascript"],
    "depth": "deep"
  },
  "rules": {
    "disabled": ["style-*"],
    "min_severity": "medium",
    "severity_override": {
      "sql-injection": "critical"
    }
  },
  "output": {
    "format": "table",
    "show_context": true,
    "context_lines": 3
  },
  "report": {
    "fail_on": "high"
  }
}

Environment Variables

All configuration options can be set via environment variables:

# Format: RMA_<SECTION>_<KEY>=value

# General settings
export RMA_GENERAL_VERBOSITY=verbose
export RMA_GENERAL_JOBS=4

# Scan settings
export RMA_SCAN_DEPTH=full
export RMA_SCAN_MAX_FILE_SIZE=2097152

# Output settings
export RMA_OUTPUT_FORMAT=sarif

# Report settings
export RMA_REPORT_FAIL_ON=critical

# Cache settings
export RMA_CACHE_ENABLED=false

Command-Line Overrides

Command-line flags take highest priority:

# Override config file settings
rma scan . --format json --fail-on critical

# Disable caching for this run
rma scan . --no-cache

# Override exclude patterns
rma scan . --exclude "**/*.generated.ts"

# Override verbosity
rma scan . --verbose
rma scan . --quiet

Configuration Precedence

When the same setting is defined in more than one source, the highest-priority source wins:

  1. Command-line flags (highest priority)
  2. Environment variables
  3. Project config file (rma.toml)
  4. User config (~/.config/rma/config.toml)
  5. Default values (lowest priority)

Project-Specific Configs

Monorepo Configuration

# rma.toml at repo root

[scan]
exclude = [
  "node_modules",
  "**/node_modules",
  "packages/*/dist"
]

# Package-specific overrides
[[packages]]
path = "packages/frontend"
[packages.rules]
enabled = ["react-*", "xss-*"]

[[packages]]
path = "packages/backend"
[packages.rules]
enabled = ["sql-*", "auth-*"]
[packages.taint]
interprocedural = true

Language-Specific Configs

# For a TypeScript project
[scan]
languages = ["typescript", "javascript"]
exclude = ["**/*.js"]  # Only scan TS, not compiled JS

[rules.config.typescript]
strict_null_checks = true
no_implicit_any = true

Validating Configuration

# Check configuration is valid
rma config validate

# Show effective configuration
rma config show

# Show configuration for specific section
rma config show --section rules

# Initialize default config file
rma config init
rma config init --format json

Common Configurations

Security-Focused

[rules]
disabled = ["style-*", "info-*", "complexity-*"]
min_severity = "medium"

[taint]
enabled = true
interprocedural = true

[report]
fail_on = "high"

CI Pipeline

[output]
format = "sarif"
file = "security-results.sarif"

[cache]
enabled = true

[report]
fail_on = "high"
max_findings = 100

Development

[general]
verbosity = "verbose"

[scan]
depth = "basic"  # Faster for quick checks

[output]
show_context = true
context_lines = 5

[report]
fail_on = "none"  # Don't fail during development

Next Steps