# Configuration Examples

Real-world examples demonstrating Codeward's features. All examples use YAML format; JSON equivalents work identically.
## Ready-Made Profiles

The Codeward Registry has 30+ ready-to-use policy profiles covering security, infrastructure, language-specific checks, compliance, secrets, and more. Browse the profiles, copy one into your repo, and customize it.
## Complete Configuration

```yaml
global:
  dependency_tree: true
  mode: diff
  logging:
    level: info
    format: text
    summary: standard
  ignore:
    - name: Ignore test directories
      paths: ["test/**", "**/test/**", "**/*_test.go", "**/*.test.js"]
    - name: Ignore vendor
      paths: ["vendor/**", "**/node_modules/**"]

vulnerability:
  - name: block-critical
    actions: { new: block, existing: warn }
    rules:
      - { field: Severity, type: eq, value: CRITICAL }
    ignores:
      - name: Windows-only CVE
        author: security-[email protected]
        operator: and
        rules:
          - { field: VulnerabilityID, type: eq, value: CVE-2024-0001 }
          - { field: PkgName, type: eq, value: openssl }
    outputs:
      - format: markdown
        destination: git:pr
        fields: [VulnerabilityID, PkgName, Severity, FixedVersion]
        changes: [new]

license:
  - name: block-copyleft
    actions: { new: block }
    rules:
      - { field: Category, type: eq, value: Copyleft }
    outputs:
      - format: markdown
        destination: git:pr
        fields: [Name, Category, PkgName, LicenseSource]
        changes: [new]
```
## Ignore Rules

### Global: Test & Vendor Directories

```yaml
global:
  ignore:
    - name: Non-production code
      paths:
        - "test/**"
        - "**/test/**"
        - "**/*_test.*"
        - "**/*.spec.*"
        - "vendor/**"
        - "**/node_modules/**"
```
### Global: CVEs with Expiry

```yaml
global:
  ignore:
    - name: Known false positives
      targets: [CVE-2023-1234, CVE-2023-5678]
      expires: "2026-12-31"
```
### Policy-Level: Specific CVE in Package

```yaml
vulnerability:
  - name: critical-vulns
    actions: { new: block }
    rules:
      - { field: Severity, type: eq, value: CRITICAL }
    ignores:
      - name: Accepted risk
        expires: "2026-06-30"
        operator: and
        rules:
          - { field: VulnerabilityID, type: eq, value: CVE-2024-0001 }
          - { field: PkgName, type: eq, value: openssl }
```
## File Validation

### Dockerfile Best Practices

```yaml
file:
  # Ensure non-root USER
  - name: dockerfile-non-root
    path: Dockerfile
    type: text
    actions: { existing: block }
    rules:
      - type: last_match
        value: root
        line_filter: "^USER\\s+"
    output_reason: "Last USER instruction runs as root"

  # Ensure apt cleanup in same RUN block
  - name: dockerfile-apt-cleanup
    path: Dockerfile
    type: text
    scan: lines
    operator: implies
    actions: { existing: warn }
    rules:
      - type: regex
        value: "apt-get install"
      - type: regex
        value: "rm -rf /var/lib/apt/lists"
    output_reason: "apt-get install without cleanup in same RUN block"
```
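To make the semantics of the two rule shapes above concrete, here is an added Python example (not Codeward's own engine) that re-implements `last_match` with a `line_filter` and `operator: implies` under `scan: lines` against a constructed Dockerfile. Two assumptions are labelled in the comments: that backslash-continued lines form one logical instruction (so a multi-line `RUN` counts as one "line"), and that `value: root` is a substring match.

```python
import re

# Constructed sample Dockerfile (not from the page). The first RUN cleans up
# in the same instruction; the second does not; the last USER is root.
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y curl \\
    && rm -rf /var/lib/apt/lists/*
RUN apt-get install -y vim
USER app
USER root
CMD ["bash"]
"""


def logical_lines(text):
    """Join backslash-continued lines into single instructions.
    Assumption: this is how a per-line scan should see a multi-line RUN."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.rstrip())
    return out


def last_match(lines, line_filter, value):
    """Mirror of a `last_match` rule: keep only lines matching line_filter,
    take the last one, and report whether it contains `value` (substring
    semantics are an assumption). Returns None when no line matches the filter."""
    filt = re.compile(line_filter)
    matching = [l for l in lines if filt.search(l)]
    if not matching:
        return None
    return value in matching[-1]


def implies(lines, antecedent, consequent):
    """Mirror of `operator: implies` under `scan: lines`: every line matching
    the first regex must also match the second. Returns the offending lines."""
    a, c = re.compile(antecedent), re.compile(consequent)
    return [l for l in lines if a.search(l) and not c.search(l)]


def check_dockerfile(text):
    """Evaluate both policies from the page and return their output_reason texts."""
    lines = logical_lines(text)
    findings = []
    if last_match(lines, r"^USER\s+", "root"):
        findings.append("Last USER instruction runs as root")
    for bad in implies(lines, r"apt-get install", r"rm -rf /var/lib/apt/lists"):
        findings.append(f"apt-get install without cleanup in same RUN block: {bad}")
    return findings


if __name__ == "__main__":
    for finding in check_dockerfile(SAMPLE_DOCKERFILE):
        print(finding)
```

Note that `last_match` returns `None` when there is no `USER` instruction at all; a Dockerfile with no `USER` line also runs as root, so a stricter policy would treat that case as a finding too.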
### Kubernetes Manifests

```yaml
file:
  - name: no-latest-images
    path: "k8s/**/*.yaml,k8s/**/*.yml"
    type: yaml
    actions: { existing: block }
    rules:
      - key: spec.containers.*.image
        type: contains
        value: ":latest"
    output_reason: "Container images must use pinned versions"
```
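The `spec.containers.*.image` key uses a `*` wildcard to reach every container in the list. The following added Python example (not Codeward's code) shows one way such a wildcard path is resolved against a parsed manifest and then the `contains ":latest"` check applied. The manifest is a constructed Pod given as a Python dict so the example runs without a YAML library; it also goes one step beyond the page with a check for images that carry no tag or digest at all, which the container runtime treats as `:latest` implicitly.

```python
# Constructed Pod manifest (a real check would load k8s/**/*.yaml with a YAML parser).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [
            {"name": "app", "image": "registry.example.com/app:1.4.2"},
            {"name": "sidecar", "image": "registry.example.com/proxy:latest"},
            {"name": "init-helper", "image": "busybox"},
        ]
    },
}


def resolve(doc, key_path):
    """Expand a dotted key path with `*` wildcards against a parsed document.
    Returns (concrete_path, value) pairs; a missing key simply yields nothing.
    Assumption: `*` expands both list items and mapping values."""

    def walk(node, parts, trail):
        if not parts:
            yield ".".join(trail), node
            return
        head, rest = parts[0], parts[1:]
        if head == "*":
            if isinstance(node, list):
                items = enumerate(node)
            elif isinstance(node, dict):
                items = node.items()
            else:
                return
            for k, v in items:
                yield from walk(v, rest, trail + [str(k)])
        elif isinstance(node, dict) and head in node:
            yield from walk(node[head], rest, trail + [head])
        elif isinstance(node, list) and head.isdigit() and int(head) < len(node):
            yield from walk(node[int(head)], rest, trail + [head])

    return list(walk(doc, key_path.split("."), []))


def find_latest_images(doc):
    """Mirror of the page's rule: `contains ':latest'` over spec.containers.*.image."""
    return [
        path for path, value in resolve(doc, "spec.containers.*.image")
        if isinstance(value, str) and ":latest" in value
    ]


def find_untagged_images(doc):
    """Beyond the page: an image reference with neither a tag nor a digest is
    pulled as ':latest' implicitly, so a pinned-version policy flags it too.
    Only the last path segment is inspected so a registry port is not mistaken
    for a tag."""
    return [
        path for path, value in resolve(doc, "spec.containers.*.image")
        if isinstance(value, str)
        and "@" not in value
        and ":" not in value.rsplit("/", 1)[-1]
    ]


if __name__ == "__main__":
    print("explicit :latest ->", find_latest_images(SAMPLE_POD))
    print("no tag/digest   ->", find_untagged_images(SAMPLE_POD))
```

The path in the page's policy matches a bare Pod; for a Deployment or StatefulSet the containers live under `spec.template.spec.containers`, so the key needs adjusting per resource kind.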
### Cross-File Consistency

```yaml
file:
  - name: version-sync
    path: package.json
    type: json
    actions: { existing: block }
    rules:
      - type: eq
        key: version
        ref_path: Chart.yaml
        ref_type: yaml
    output_reason: "package.json version must match Chart.yaml"
```
### Conditional Validation

```yaml
file:
  # Check content only if file exists
  - name: check-engines-if-exists
    path: package.json
    type: json
    operator: implies
    actions: { existing: warn }
    rules:
      - type: exists
      - key: engines.node
        type: exists
    output_reason: "package.json should specify engines.node"
```
### Secret Detection

```yaml
file:
  - name: detect-aws-keys
    path: "**/*.py,**/*.js,**/*.ts"
    type: text
    scan: lines
    actions: { existing: block }
    rules:
      - type: regex
        value: "AKIA[0-9A-Z]{16}"
    output_reason: "AWS access key detected"
    outputs:
      - destination: git:pr
        fields: [FilePath, LineNumber, MatchedContent, Reason]
```
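As an added illustration of what this policy does at runtime (example code, not Codeward's scanner), the Python below applies the same `AKIA[0-9A-Z]{16}` pattern line by line to a set of constructed files, honours the comma-separated `path` globs, and emits records shaped like the selected output fields. It adds one thing the page does not show: the matched content is masked before it is reported, since a PR comment that echoes a full credential is itself a leak. The sample key is AWS's documented placeholder value, not a live credential; `fnmatch` stands in for Codeward's glob matcher and is an assumption.

```python
import fnmatch
import re

AWS_KEY_RE = re.compile(r"AKIA[0-9A-Z]{16}")
PATH_PATTERNS = "**/*.py,**/*.js,**/*.ts"

# Constructed sample files. AKIAIOSFODNN7EXAMPLE is the placeholder key from
# AWS's own documentation; the .js line has the prefix but not the key shape,
# and the .md file is outside the path filter.
SAMPLE_FILES = {
    "src/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nREGION = "eu-west-1"\n',
    "src/app.js": "const akia = 'AKIAlowercase123456';  // not a key shape\n",
    "docs/notes.md": "AKIAIOSFODNN7EXAMPLE is mentioned here but docs/ is not scanned\n",
}


def path_selected(path, patterns):
    """Mirror of the comma-separated `path` glob list (fnmatch is an assumption
    about glob semantics; it handles the nested paths used here)."""
    return any(fnmatch.fnmatch(path, p) for p in patterns.split(","))


def mask(secret):
    """Keep only the identifying prefix so the finding can be triaged without
    the PR comment reproducing the credential."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_files(files, patterns=PATH_PATTERNS):
    """Return findings shaped like the policy's output fields:
    FilePath, LineNumber, MatchedContent (masked), Reason."""
    findings = []
    for path, content in files.items():
        if not path_selected(path, patterns):
            continue
        for lineno, line in enumerate(content.splitlines(), start=1):
            for match in AWS_KEY_RE.finditer(line):
                findings.append({
                    "FilePath": path,
                    "LineNumber": lineno,
                    "MatchedContent": mask(match.group(0)),
                    "Reason": "AWS access key detected",
                })
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

A key ID on its own does not grant access, but it identifies the IAM principal whose secret may have leaked alongside it, so a hit here is normally followed by rotating that key, not just removing the line.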
## PR Validation

### PR Size Limits

```yaml
pr:
  - name: pr-size
    rules:
      - { key: changed_files, type: ge, value: "20", action: warn }
      - { key: lines_added, type: ge, value: "500", action: warn }
    outputs:
      - { format: markdown, destination: git:pr }
```
### Require Docs for Large PRs

```yaml
pr:
  - name: docs-for-large-prs
    operator: implies
    rules:
      - { key: changed_files, type: gt, value: "10" }
      - type: exists
        file_pattern: "docs/**"
        file_status: changed
    action: warn
    output_reason: "Large PRs should include documentation updates"
    outputs:
      - destination: git:pr
        fields: [RuleRole, Key, Value, Reason]
```
## Custom Webhooks

### Slack Notifications

```yaml
vulnerability:
  - name: slack-critical
    actions: { new: block }
    rules:
      - { field: Severity, type: eq, value: CRITICAL }
    outputs:
      - destination: "url:https://hooks.slack.com/services/xxx"
        format: markdown
        template: text
        webhook:
          method: POST
          headers:
            Authorization: "Bearer ${SLACK_TOKEN}"
          body:
            text: "${result}"
            channel: "#security-alerts"
```
### JIRA Ticket Creation

```yaml
outputs:
  - destination: "url:https://jira.example.com/rest/api/2/issue"
    format: markdown
    template: text
    webhook:
      method: POST
      headers:
        Authorization: "Basic ${JIRA_API_KEY}"
        Content-Type: application/json
      body:
        fields:
          project: { key: SEC }
          summary: "Security Alert: ${title}"
          description: "${result}"
          issuetype: { name: Bug }
```
## Combined Patterns

### Multi-Severity Policy

```yaml
vulnerability:
  - name: block-critical
    actions: { new: block, existing: warn }
    rules:
      - { field: Severity, type: eq, value: CRITICAL }
    outputs:
      - format: markdown
        destination: git:pr
        fields: [VulnerabilityID, PkgName, Severity, FixedVersion]
        changes: [new]
        collapse: true

  - name: warn-high
    actions: { new: warn }
    rules:
      - { field: Severity, type: eq, value: HIGH }
    outputs:
      - format: markdown
        destination: git:pr
        fields: [VulnerabilityID, PkgName, Severity]
        changes: [new]
        collapse: true
```
### Audit Mode (Non-Blocking)

```yaml
vulnerability:
  - name: audit-all
    actions: { new: info, existing: info, changed: info, removed: info }
    rules: []
    outputs:
      - format: json
        destination: "file:audit-report.json"
        changes: [new, existing, changed, removed]
```
### Compliance Mode

```yaml
global:
  dependency_tree: true

vulnerability:
  - name: compliance
    actions: { new: block, existing: block }
    rules:
      - { field: Severity, type: eq, value: CRITICAL }
      - { field: Severity, type: eq, value: HIGH }
    ignores:
      - name: Approved exception
        author: [email protected]
        operator: and
        rules:
          - { field: VulnerabilityID, type: eq, value: CVE-2024-XXXX }
          - { field: PkgName, type: eq, value: approved-package }
    outputs:
      - format: markdown
        destination: git:pr
        fields: [VulnerabilityID, PkgName, Severity, FixedVersion, Description]
        changes: [new, existing]
      - format: json
        destination: "file:compliance-report.json"

license:
  - name: compliance-copyleft
    actions: { new: block }
    rules:
      - { field: Category, type: eq, value: Copyleft }
    outputs:
      - format: markdown
        destination: git:pr
        fields: [Name, Category, PkgName, LicenseSource]
        changes: [new]
```
## SARIF Output

### Write SARIF to File

```yaml
vulnerability:
  - name: sarif-vulns
    actions: { new: block, existing: warn }
    rules:
      - { field: Severity, type: in, value: "CRITICAL,HIGH" }
    outputs:
      - destination: "file:results.sarif"
        format: "sarif"
```
### Upload to GitHub Code Scanning

```yaml
vulnerability:
  - name: code-scanning
    actions: { new: block }
    rules:
      - { field: Severity, type: eq, value: CRITICAL }
    outputs:
      - destination: "github:code-scanning"
        format: "sarif"
```
### Environment Variable Shortcuts

```bash
# Write all findings (vulns + licenses) as SARIF
CODEWARD_SARIF_OUTPUT=results.sarif
# Upload all findings to GitHub Security tab
CODEWARD_SARIF_UPLOAD=true
```
## SBOM Export

### Config-Driven SBOM

```yaml
# .codeward.yaml
sbom:
  destination: "file:sbom.cdx.json"
  format: "cyclonedx"
  version: "1.6"
  include_dev: false
```
### Environment Variable Shortcut

```bash
CODEWARD_SBOM_OUTPUT=sbom.cdx.json
```
### Compliance: SARIF + SBOM Together

```yaml
global:
  dependency_tree: true

sbom:
  destination: "file:sbom.cdx.json"
  include_dev: false

vulnerability:
  - name: compliance-block
    actions: { new: block, existing: block }
    rules:
      - { field: Severity, type: in, value: "CRITICAL,HIGH" }
    outputs:
      - destination: "file:compliance.sarif"
        format: "sarif"
      - destination: "github:code-scanning"
        format: "sarif"
      - format: markdown
        destination: git:pr
        fields: [VulnerabilityID, PkgName, Severity, FixedVersion]
        changes: [new, existing]
```
## See Also

- Codeward Registry — ready-to-use policy profiles
- Configuration — full config reference
- Policies — policy types and rules
- Outputs — formats, destinations, webhooks