Version: 1.4.0

Configuration file for the CI/CD

The SAFE CLI normally generates the SAFE CI/CD configuration for you, but you can also write it by hand. The configuration file must be named config.json and placed in the .safe folder of the target repository.

Project configuration

Example configuration for a project:

config.json
{
  "output": ["stdio", "file"],
  "version": "1.1",
  "project": {
    "name": "appname",
    "type": "beam",
    "apps": [
      {
        "name": "appname",
        "additional_includes": []
      },
      {
        "name": "appname2",
        "additional_includes": []
      }
    ],
    "paths": [
      "_build/prod/lib"
    ]
  }
}

Advanced: Explicit App File Paths

For projects with complex build configurations or when auto-discovery is slow, you can explicitly specify the .app file location for each application:

config.json with explicit app files
{
  "output": ["stdio"],
  "version": "1.1",
  "project": {
    "name": "my_project",
    "type": "beam",
    "paths": ["_build/prod/lib"],
    "apps": [
      {
        "name": "my_app",
        "app_file": "_build/prod/lib/my_app/ebin/my_app.app"
      },
      {
        "name": "my_dependency",
        "app_file": "_build/prod/lib/my_dependency/ebin/my_dependency.app"
      }
    ]
  }
}

Benefits:

  • Faster cache loading (no filesystem search)
  • Explicit control in monorepo setups
  • Consistent across different build tools

Requirements:

  • Paths must be relative to the project root
  • Files must exist and be readable
  • Either specify app_file for all apps or for none (in mixed mode SAFE falls back to auto-discovery for every app)

Configuration fields:

  • output: A list of one or more of the following options:

    • "stdio": Prints the results directly to standard output (console)
    • "checkmarx": Sends the vulnerabilities to Checkmarx
    • "file": Saves the report to a file
    • "sarif": Saves the vulnerabilities in SARIF file format
  • project: A JSON object with the following fields.

    • name: The name of the project as a string.
    • type: The type of the project. Currently only "beam" is supported; it covers both Erlang and Elixir projects.
    • apps: A list of JSON objects, each representing an application in the project. (Note: SAFE also searches the paths directories recursively for apps.)
      • name: The name of the application as a string.
      • app_file: (Optional) Relative path from the project root to the .app file of this application. When it is specified for all apps, SAFE uses these exact paths instead of searching for .app files, which improves performance and reliability in complex build setups.
        • Must be relative to the project root
        • Can be located anywhere in the project (it is not restricted to the paths directories)
        • If any app omits this field, SAFE searches for all .app files automatically
        • Example: "_build/prod/lib/my_app/ebin/my_app.app"
      • additional_includes: A list of strings, each a path to a directory that should be included in the analysis but might not be by default. These paths are relative to the project root.
    • paths: A list of strings, each a path to a directory in which the applications are located.
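A pre-flight check for the rules above (the output options, the project type, the app_file all-or-none rule, and the requirement that every path is relative to the project root and stays inside it) is worth running in CI before the scanner itself, because a path that escapes the repository or a silently ignored app_file is easy to miss in review. The following validator is an added example written for this page; it is not part of the SAFE CLI, and the sample project tree, the two configs and the "junit" output value it rejects are all constructed for the demo. It treats mixed app_file usage as a warning rather than an error, matching the documented fallback to auto-discovery.

```python
"""Validate a SAFE CI/CD .safe/config.json against the documented rules.

Added example, not part of SAFE. The sample tree and configs are constructed.
"""
import json
import os
import shutil
import sys
import tempfile
from pathlib import Path

VALID_OUTPUTS = {"stdio", "checkmarx", "file", "sarif"}
VALID_TYPES = {"beam"}


def _check_path(root, rel, label, must_be_file, problems):
    """Reject absolute paths, paths leaving the project root and (for .app files) missing files."""
    if not isinstance(rel, str) or not rel:
        problems.append(("error", f"{label}: must be a non-empty string"))
        return
    p = Path(rel)
    if p.is_absolute():
        problems.append(("error", f"{label}: '{rel}' must be relative to the project root"))
        return
    resolved = (root / p).resolve()
    try:
        resolved.relative_to(root.resolve())
    except ValueError:
        problems.append(("error", f"{label}: '{rel}' escapes the project root"))
        return
    if must_be_file and not (resolved.is_file() and os.access(resolved, os.R_OK)):
        problems.append(("error", f"{label}: '{rel}' does not exist or is not readable"))


def validate_config(config, root):
    """Return a list of (severity, message); an empty list means the config is valid."""
    problems = []
    outputs = config.get("output")
    if not isinstance(outputs, list) or not outputs:
        problems.append(("error", "output: must be a non-empty list"))
    else:
        problems += [("error", f"output: unknown option '{o}'") for o in outputs if o not in VALID_OUTPUTS]
    project = config.get("project")
    if not isinstance(project, dict):
        return problems + [("error", "project: must be a JSON object")]
    if not isinstance(project.get("name"), str) or not project["name"]:
        problems.append(("error", "project.name: must be a non-empty string"))
    if project.get("type") not in VALID_TYPES:
        problems.append(("error", f"project.type: unsupported type {project.get('type')!r}"))
    paths = project.get("paths", [])
    if not isinstance(paths, list):
        problems.append(("error", "project.paths: must be a list of directories"))
    else:
        for p in paths:
            _check_path(root, p, "project.paths", False, problems)
    apps = project.get("apps")
    if not isinstance(apps, list) or not apps:
        return problems + [("error", "project.apps: must be a non-empty list")]
    explicit = sum(1 for a in apps if "app_file" in a)
    if 0 < explicit < len(apps):  # documented mixed mode: SAFE ignores app_file entirely
        problems.append(("warning", "project.apps: app_file is set for some apps only; "
                                    "SAFE will auto-discover all .app files instead"))
    for a in apps:
        name = a.get("name")
        if not isinstance(name, str) or not name:
            problems.append(("error", "project.apps[].name: must be a non-empty string"))
            continue
        if "app_file" in a:
            _check_path(root, a["app_file"], f"apps.{name}.app_file", True, problems)
        for inc in a.get("additional_includes", []):
            _check_path(root, inc, f"apps.{name}.additional_includes", False, problems)
    return problems


def build_sample_project():
    """Constructed throwaway project tree with two real .app files (hypothetical names)."""
    root = Path(tempfile.mkdtemp(prefix="safe_cfg_"))
    for app in ("my_app", "my_dependency"):
        ebin = root / "_build" / "prod" / "lib" / app / "ebin"
        ebin.mkdir(parents=True)
        (ebin / f"{app}.app").write_text(f"{{application,{app},[]}}.\n")
    return root


GOOD_CONFIG = {"output": ["stdio"], "version": "1.1", "project": {
    "name": "my_project", "type": "beam", "paths": ["_build/prod/lib"],
    "apps": [{"name": "my_app", "app_file": "_build/prod/lib/my_app/ebin/my_app.app"},
             {"name": "my_dependency", "app_file": "_build/prod/lib/my_dependency/ebin/my_dependency.app"}]}}

BAD_CONFIG = {"output": ["stdio", "junit"], "version": "1.1", "project": {  # "junit" is not an option
    "name": "my_project", "type": "beam", "paths": ["/opt/build/lib"],        # absolute path
    "apps": [{"name": "my_app", "app_file": "_build/prod/lib/my_app/ebin/my_app.app"},
             {"name": "my_dependency"},                                       # mixed mode
             {"name": "ghost", "app_file": "../outside/ghost.app"},           # leaves the root
             {"name": "missing", "app_file": "_build/prod/lib/missing/ebin/missing.app"}]}}


def run_demo():
    """Validate both constructed configs against the sample tree and clean up."""
    root = build_sample_project()
    try:
        return {"good": validate_config(GOOD_CONFIG, root), "bad": validate_config(BAD_CONFIG, root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":  # usage: python check_safe_config.py [project_root]
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    found = validate_config(json.loads((root / ".safe" / "config.json").read_text()), root)
    for sev, msg in found:
        print(f"{sev}: {msg}")
    sys.exit(1 if any(s == "error" for s, _ in found) else 0)
```

Run it from the repository root (or pass the root as the first argument) as a CI step ahead of the scan; it exits non-zero on any error so a misconfigured pipeline fails fast instead of producing an incomplete report. Note that `project.paths` entries are only checked for being relative and inside the root, not for existence, since the build output they point at may not exist until the build step has run.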