CLI & Environment Variables
Codeward can be configured via CLI arguments, environment variables, and configuration files.
CLI Options
| Option | Argument | Description |
|---|---|---|
| -c, --config | PATH | Path to main config file (default: .codeward.json / .codeward.yaml) |
| --private-config | PATH | Path to private config file |
| -m, --mode | MODE | Scan mode: main or diff |
| --log-level | LEVEL | Log verbosity: DEBUG, INFO, WARN, ERROR |
| --log-format | FORMAT | Log format: text or json |
| --export-diff | PATH | Export full diff results to the specified file as JSON |
| -v, --version | - | Show version information |
| -h, --help | - | Show help message |
Environment Variables
Core Configuration
| Variable | Description |
|---|---|
| CODEWARD_ENV | Environment mode (local, ci) |
| CODEWARD_CONFIG_PATH | Path to main config file |
| CODEWARD_PRIVATE_CONFIG_PATH | Path to private config file |
| CODEWARD_MODE | Execution mode (diff or main) |
| CODEWARD_CACHE_DIR | Cache directory for trivy-db and license cache |
Logging
| Variable | Description |
|---|---|
| CODEWARD_LOG_LEVEL | Global log level (DEBUG, INFO, WARN, ERROR) |
| CODEWARD_LOG_FORMAT | Log output format (text or json) |
| CODEWARD_LOG_TIMESTAMP | Include timestamps (true or false) |
| CODEWARD_LOG_SUMMARY | Summary verbosity (none, minimal, standard, detailed) |
| CODEWARD_LOG_OUTPUT | Log output destination (default: stderr) |
GitHub Integration
Required for git:pr and git:issue outputs.
| Variable | Description |
|---|---|
| CODEWARD_GITHUB_TOKEN | GitHub API token (sensitive — env only) |
| CODEWARD_GITHUB_REPOSITORY | Repository name (e.g., my-project) |
| CODEWARD_GITHUB_OWNER | Repository owner (user or organization) |
| CODEWARD_GITHUB_PR_NUMBER | Pull request number (integer) |
| CODEWARD_GITHUB_BRANCH | Current branch name |
Scanner
| Variable | Description |
|---|---|
| TRIVY_SKIP_DB_UPDATE | Set true to skip vulnerability DB download (air-gapped/offline mode) |
| CODEWARD_TEMPLATES_PATH | Path to custom output templates directory |
SARIF Output
| Variable | Description |
|---|---|
| CODEWARD_SARIF_OUTPUT | Write all findings as SARIF 2.1.0 to the specified file path |
| CODEWARD_SARIF_UPLOAD | Set true to upload SARIF to GitHub Code Scanning (requires CODEWARD_GITHUB_TOKEN) |
SBOM Export
| Variable | Description |
|---|---|
| CODEWARD_SBOM_OUTPUT | Export CycloneDX 1.6 SBOM to the specified file path |
API & Tokens
| Variable | Description |
|---|---|
| CODEWARD_API | Codeward API endpoint (default: https://api.codeward.io) |
| CODEWARD_TOKEN | Codeward API token (sensitive — env only) |
| CODEWARD_AI_TOKEN | AI enrichment token (sensitive — env only) |
Webhook Secrets
| Variable | Description |
|---|---|
| CODEWARD_WEBHOOK_SECRETS | Multi-line KEY=VALUE pairs exported before scan. Unset after parsing. |
| CODEWARD_EXTRA_ENV | Additional KEY=VALUE pairs exported before scan. |
Precedence
Configuration is resolved in this order (highest to lowest priority):
- CLI arguments (e.g., --mode diff)
- Environment variables (e.g., CODEWARD_MODE=diff)
- Config files (.codeward.yaml/.codeward.json)
- Default values
Sensitive Variables
Tokens (CODEWARD_GITHUB_TOKEN, CODEWARD_TOKEN, CODEWARD_AI_TOKEN) are never loaded from config files — environment only.
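
A pre-flight check that a CI job could run before the scan, as an added example that is not part of Codeward: it validates the documented value sets, the integer PR number and the SARIF upload token requirement, and flags config files that mention a token variable. The function name `codeward_preflight` and the config-file grep heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Codeward's own code): validate the documented environment
# variables before a scan. Prints one line per problem; returns 1 if any.
codeward_preflight() {
    problems=0
    report() { printf '%s\n' "$1"; problems=$((problems + 1)); }

    # Enumerated values as listed in the tables. An unset variable is accepted:
    # the value then comes from a lower-precedence source (config or default).
    case "${CODEWARD_MODE-}" in ''|main|diff) ;;
        *) report "CODEWARD_MODE must be main or diff" ;; esac
    case "${CODEWARD_LOG_LEVEL-}" in ''|DEBUG|INFO|WARN|ERROR) ;;
        *) report "CODEWARD_LOG_LEVEL must be DEBUG, INFO, WARN or ERROR" ;; esac
    case "${CODEWARD_LOG_FORMAT-}" in ''|text|json) ;;
        *) report "CODEWARD_LOG_FORMAT must be text or json" ;; esac

    # The PR number is documented as an integer.
    case "${CODEWARD_GITHUB_PR_NUMBER-}" in
        '') ;;
        *[!0-9]*) report "CODEWARD_GITHUB_PR_NUMBER must be an integer" ;;
    esac

    # SARIF upload is documented as requiring CODEWARD_GITHUB_TOKEN.
    if [ "${CODEWARD_SARIF_UPLOAD-}" = "true" ] && [ -z "${CODEWARD_GITHUB_TOKEN-}" ]; then
        report "CODEWARD_SARIF_UPLOAD=true requires CODEWARD_GITHUB_TOKEN"
    fi

    # Tokens are env-only. Heuristic (assumption of this example): a token
    # variable name inside a config file suggests a secret was placed there,
    # where it is ignored by the tool but may end up committed.
    for cfg in .codeward.yaml .codeward.json \
               "${CODEWARD_CONFIG_PATH-}" "${CODEWARD_PRIVATE_CONFIG_PATH-}"; do
        [ -n "$cfg" ] && [ -f "$cfg" ] || continue
        if grep -Eq 'CODEWARD_(GITHUB_|AI_)?TOKEN' "$cfg"; then
            report "$cfg mentions a token variable; tokens are read from the environment only"
        fi
    done

    [ "$problems" -eq 0 ]
}
# Usage in a CI step: codeward_preflight || exit 1, then start the scan.
```
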