Configuration
Customize Inkog’s behavior with configuration files and command-line flags.
Configuration File
Create a .inkog.yaml file in your project root:
.inkog.yaml

```yaml
# Inkog Configuration

# Severity filter - only report these levels
severity:
  - critical
  - high
  - medium

# Paths to scan (defaults to current directory)
include:
  - src/
  - lib/
  - agents/

# Paths to ignore
ignore:
  - "**/test/**"
  - "**/tests/**"
  - "**/*_test.py"
  - "**/node_modules/**"
  - "**/vendor/**"
  - "**/.venv/**"

# Rule configuration
rules:
  # Disable specific rules
  disable:
    - INKOG-042 # False positive in our codebase
  # Adjust rule severity
  severity_override:
    INKOG-007: low # Chain-of-thought leakage is acceptable for us

# Output settings
output:
  format: text # text, json, sarif, markdown
  file: null # Write to file (null = stdout)

# Framework-specific settings
frameworks:
  langchain:
    enabled: true
    strict_mode: true
  llamaindex:
    enabled: true
  custom:
    # Define custom framework patterns
    patterns:
      - name: "my_llm_wrapper"
        type: "llm_call"
        pattern: "MyLLM.generate(*)"
```

Environment Variables
All configuration options can also be set via environment variables prefixed with INKOG_; list-valued options take a comma-separated value:

```bash
# Prefix with INKOG_
export INKOG_SEVERITY="critical,high"
export INKOG_FORMAT="sarif"
export INKOG_IGNORE="**/test/**,**/vendor/**"
```

Command Line Flags
CLI flags take precedence over config files and environment variables.
Basic Options
| Flag | Description | Default |
|---|---|---|
| `--config` | Path to config file | `.inkog.yaml` |
| `--format` | Output format (text, json, sarif, markdown) | `text` |
| `-o, --output` | Output file path | stdout |
| `--severity` | Severity filter | all |
Scan Options
| Flag | Description | Default |
|---|---|---|
| `--include` | Paths to include | `.` |
| `--ignore` | Patterns to ignore | none |
| `--repo` | Remote repository URL | none |
| `--branch` | Branch to scan | `main` |
Behavior Options
| Flag | Description | Default |
|---|---|---|
| `--fail-on-findings` | Exit with status 1 if any finding at or above the fail threshold is reported | `false` |
| `--fail-threshold` | Minimum severity that causes a non-zero exit | `critical` |
| `--quiet` | Suppress non-error output | `false` |
| `--verbose` | Detailed output | `false` |
Rule Management
Inline Suppression
Suppress findings in code with comments:
```python
# inkog:ignore INKOG-001 - User input is pre-validated upstream
prompt = f"Process: {user_input}"
```

```javascript
// inkog:ignore INKOG-001
const prompt = `Process: ${userInput}`;
```

Bulk Suppression
Create a .inkogignore file:
.inkogignore

```text
# Ignore specific files
src/legacy/old_agent.py

# Ignore by rule ID
INKOG-042:src/experimental/**

# Ignore by pattern
**/generated/**:*
```

CI/CD Integration
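The following is an added illustration (not Inkog's own implementation) of how the two suppression mechanisms just described could be evaluated against a finding: an `inkog:ignore RULE` comment on the flagged line or the line above it, and the entries of a `.inkogignore` file. Note that the page shows `.inkogignore` entries in both `RULE:PATH` order (`INKOG-042:src/experimental/**`) and `PATH:RULE` order (`**/generated/**:*`); the parser below accepts either by treating whichever side looks like a rule ID (`INKOG-nnn`) or `*` as the rule, which is this example's reading rather than a documented guarantee. Glob matching uses Python's `fnmatch`, where `*` already crosses `/` boundaries, so `**` behaves like `*`; a real scanner may use stricter gitignore-style semantics. The `Finding` type and the sample source lines are constructed for the example.

```python
"""Illustrative suppression check for inline comments and .inkogignore entries.

Added example, not Inkog's code. Finding, the entry parser and the glob
semantics are assumptions for the purpose of the demonstration.
"""
import fnmatch
import re
from dataclasses import dataclass

# A rule side is either a rule ID or the wildcard "*" (any rule)
RULE_RE = re.compile(r"^(INKOG-\d+|\*)$")
# Inline suppression comment in Python (#) or JS (//) style
INLINE_RE = re.compile(r"(?:#|//)\s*inkog:ignore\s+(INKOG-\d+)")


@dataclass(frozen=True)
class Finding:
    rule: str   # e.g. "INKOG-001"
    path: str   # repo-relative, forward slashes
    line: int   # 1-based line number of the flagged code


def parse_inkogignore(text):
    """Return [(rule_or_None, path_glob)] from .inkogignore content.

    A plain path suppresses every rule on that path (rule=None).
    "RULE:PATH" and "PATH:RULE" are both accepted; "*" means any rule.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" in line:
            left, right = line.split(":", 1)
            if RULE_RE.match(left):
                rule, glob = left, right
            elif RULE_RE.match(right):
                glob, rule = left, right
            else:
                raise ValueError(f"cannot tell rule from path in: {raw!r}")
            rule = None if rule == "*" else rule
        else:
            rule, glob = None, line
        entries.append((rule, glob.strip()))
    return entries


def _glob_match(glob, path):
    """fnmatch-based match; also let a leading '**/' match a top-level path."""
    if fnmatch.fnmatchcase(path, glob):
        return True
    return glob.startswith("**/") and fnmatch.fnmatchcase(path, glob[3:])


def suppressed_by_file(finding, entries):
    """True if any .inkogignore entry covers this finding's rule and path."""
    return any(
        (rule is None or rule == finding.rule) and _glob_match(glob, finding.path)
        for rule, glob in entries
    )


def suppressed_inline(finding, source_lines):
    """True if an inkog:ignore comment for this rule sits on the flagged line
    or on the line directly above it."""
    window = source_lines[max(0, finding.line - 2):finding.line]
    return any(
        (m := INLINE_RE.search(text)) and m.group(1) == finding.rule
        for text in window
    )


def is_suppressed(finding, entries, source_lines):
    return suppressed_by_file(finding, entries) or suppressed_inline(finding, source_lines)


# Constructed sample inputs (the .inkogignore mirrors the one shown above)
INKOGIGNORE = """\
# Ignore specific files
src/legacy/old_agent.py

# Ignore by rule ID
INKOG-042:src/experimental/**

# Ignore by pattern
**/generated/**:*
"""
SOURCE = [
    "import os",
    "# inkog:ignore INKOG-001 - User input is pre-validated upstream",
    'prompt = f"Process: {user_input}"',
    'other = f"Run: {cmd}"',
]
ENTRIES = parse_inkogignore(INKOGIGNORE)

if __name__ == "__main__":
    for f in (Finding("INKOG-001", "src/agent.py", 3),
              Finding("INKOG-001", "src/agent.py", 4),
              Finding("INKOG-042", "src/experimental/x.py", 1),
              Finding("INKOG-007", "src/experimental/x.py", 1)):
        print(f, "suppressed" if is_suppressed(f, ENTRIES, SOURCE) else "reported")
```

The second finding in the demo (line 4) is deliberately not suppressed: the comment two lines above applies only to the line directly beneath it, which is the behaviour you want so that one inline suppression cannot silently cover a whole file. The `INKOG-007` finding under `src/experimental/` is likewise still reported, because that entry is scoped to `INKOG-042`.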
GitHub Actions
.github/workflows/inkog.yml

```yaml
name: Inkog Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# upload-sarif writes to the Code Scanning API, which needs security-events: write
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Inkog
        uses: inkog-io/inkog-action@v1
        with:
          severity: critical,high
          fail-on-findings: true

      # if: always() ensures results are uploaded even when the scan step fails the job
      - name: Upload Results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: inkog-results.sarif
```

GitLab CI
.gitlab-ci.yml

```yaml
inkog-scan:
  image: ghcr.io/inkog-io/inkog:latest
  stage: test
  script:
    - inkog scan . --format sarif -o gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json
```

Note that GitLab validates a `reports: sast` artifact against its own security-report JSON schema rather than SARIF, so confirm that the file you upload is accepted by your GitLab instance before relying on the Security dashboard for results.

Jenkins
Jenkinsfile

```groovy
pipeline {
  agent {
    docker { image 'ghcr.io/inkog-io/inkog:latest' }
  }
  stages {
    stage('Security Scan') {
      steps {
        sh 'inkog scan . --format json -o results.json'
      }
      post {
        always {
          archiveArtifacts artifacts: 'results.json'
        }
      }
    }
  }
}
```

Monorepo Configuration
For monorepos, use workspace-level configs:
.inkog.yaml

```yaml
workspaces:
  - path: packages/agent-core
    config:
      severity: [critical, high]
  - path: packages/agent-ui
    config:
      severity: [critical]
      ignore: ["**/*.test.tsx"]
  - path: services/api
    config:
      frameworks:
        langchain:
          strict_mode: true
```

Use `inkog init` to generate a starter configuration file for your project.
Terminal

```console
$ inkog init
Creating .inkog.yaml...
Detected frameworks: LangChain, LlamaIndex
Generated configuration with recommended settings.
Edit .inkog.yaml to customize your scan settings.
```