Frequently Asked Questions
Can I use YAML instead of JSON for configuration?
Yes. Codeward supports .codeward.json, .codeward.yaml, and .codeward.yml. Format is auto-detected from the file extension. The scanner discovers config files in that order (first found wins).
Why only diff findings by default?
Focusing on newly introduced issues means developers see only what they need to fix. Existing backlog doesn't block PRs and is tracked separately.
Can I scan the full codebase?
Yes. Set CODEWARD_MODE=main to scan a single branch instead of a diff, and include existing in your changes filter so that previously known findings are reported alongside new ones.
How do I allow-list a specific CVE?
Use a policy-level ignore. CVE-2024-ACCEPTED below is a placeholder for the identifier you are accepting; keep an expires date on the ignore so the accepted risk is revisited on a schedule rather than lasting forever:
vulnerability:
  - name: block-critical
    actions: { new: block }
    rules:
      - { field: Severity, type: eq, value: CRITICAL }
    ignores:
      - name: Accepted risk
        expires: "2026-06-30"
        rules:
          - { field: VulnerabilityID, type: eq, value: CVE-2024-ACCEPTED }
How do I block only direct dependencies?
Enable the dependency tree and combine a severity rule with a Relationship rule under operator: and, so a finding must satisfy both (include actions: { new: block } as in the previous example, otherwise the match has nothing to block):
global:
  dependency_tree: true
vulnerability:
  - name: direct-only
    operator: and
    actions: { new: block }
    rules:
      - { field: Severity, type: eq, value: CRITICAL }
      - { field: Relationship, type: eq, value: direct }
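To make the policy semantics concrete, here is a small stand-alone evaluator for the policy shape used in the two answers above: eq rules, the and/or operator, actions keyed by finding status, and a time-boxed ignore. This is an added illustration, not Codeward's engine or configuration loader. Field names Severity, VulnerabilityID and Relationship come from the rules above; the Status field, the assumption that rules are OR-ed unless operator: and is set, the "report" fallback for statuses the actions map does not list, and the reading of expires as a date after which the exception lapses are all assumptions of this example. The findings are constructed.

```python
from datetime import date

# Constructed findings using the field names the rules above refer to
# (Severity, VulnerabilityID, Relationship). Status is an assumed field
# standing in for the new/existing distinction the actions map keys on.
FINDINGS = [
    {"VulnerabilityID": "CVE-2024-ACCEPTED", "Severity": "CRITICAL",
     "Relationship": "direct", "Status": "new"},
    {"VulnerabilityID": "CVE-2024-0002", "Severity": "CRITICAL",
     "Relationship": "indirect", "Status": "new"},
    {"VulnerabilityID": "CVE-2024-0003", "Severity": "HIGH",
     "Relationship": "direct", "Status": "new"},
    {"VulnerabilityID": "CVE-2023-0004", "Severity": "CRITICAL",
     "Relationship": "direct", "Status": "existing"},
]

# The two FAQ policies folded into one, as the dict the YAML would load to.
POLICY = {
    "name": "block-critical-direct",
    "operator": "and",
    "actions": {"new": "block"},
    "rules": [
        {"field": "Severity", "type": "eq", "value": "CRITICAL"},
        {"field": "Relationship", "type": "eq", "value": "direct"},
    ],
    "ignores": [
        {"name": "Accepted risk", "expires": "2026-06-30",
         "rules": [{"field": "VulnerabilityID", "type": "eq",
                    "value": "CVE-2024-ACCEPTED"}]},
    ],
}


def rule_matches(rule, finding):
    """Only the eq rule type shown on the page is implemented here."""
    if rule["type"] == "eq":
        return finding.get(rule["field"]) == rule["value"]
    raise ValueError(f"unsupported rule type: {rule['type']!r}")


def rules_match(rules, finding, operator="or"):
    """Assumption: rules are OR-ed unless operator: and is given."""
    hits = [rule_matches(r, finding) for r in rules]
    return all(hits) if operator == "and" else any(hits)


def ignore_applies(ignore, finding, today):
    """A lapsed expires date re-enables enforcement instead of silently
    keeping the exception alive (assumed semantics of the expires field)."""
    expires = ignore.get("expires")
    if expires and date.fromisoformat(expires) < today:
        return False
    return rules_match(ignore["rules"], finding, ignore.get("operator", "or"))


def evaluate(policy, findings, today):
    """Map VulnerabilityID -> decision for findings the policy matches.
    Findings the rules do not match get no entry at all."""
    decisions = {}
    for f in findings:
        if not rules_match(policy["rules"], f, policy.get("operator", "or")):
            continue
        if any(ignore_applies(i, f, today) for i in policy.get("ignores", [])):
            decisions[f["VulnerabilityID"]] = "ignored"
            continue
        # Assumption: actions is keyed by finding status; statuses it does not
        # list (here: existing) fall through to a non-blocking report.
        decisions[f["VulnerabilityID"]] = policy["actions"].get(f["Status"], "report")
    return decisions


if __name__ == "__main__":
    for today in (date(2026, 1, 15), date(2026, 7, 1)):
        print(today, evaluate(POLICY, FINDINGS, today))
```

Run before and after 2026-06-30 to see the accepted CVE flip from ignored to block while the indirect CRITICAL finding never matches under operator: and, and the existing finding is reported rather than blocked.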
How do I post to Slack/JIRA/PagerDuty?
Use custom webhooks on url: destinations. See Outputs > Custom Webhooks for examples.
How does license resolution work?
Codeward resolves licenses from multiple sources in priority order: lockfile metadata → local filesystem → upstream registries (npm, PyPI, RubyGems, crates.io, NuGet, Hex.pm, pub.dev, Go proxy) → GitHub API. Results are cached to disk for 30 days. Only the first two stages work without network access; the registry and GitHub stages need egress, so in a restricted environment either allow those hosts or warm the cache on a connected host and ship it with the scanner.
Can I run scans offline / air-gapped?
Yes. Set TRIVY_SKIP_DB_UPDATE=true so the scan does not attempt to download the vulnerability database, and pre-cache the database in a persistent volume mounted at CODEWARD_CACHE_DIR. Refresh that volume on a schedule: an offline scan can only report what was in the database it was handed, so a cache that is never updated silently stops finding new CVEs.
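A pre-flight check for the air-gapped setup described above, added here as an example rather than taken from Codeward: it refuses to trust the pre-cached database when it is missing or older than a locally chosen limit. It assumes the cache under CODEWARD_CACHE_DIR uses the Trivy layout, in which the vulnerability DB records its build time in db/metadata.json (keys Version, UpdatedAt, NextUpdate, DownloadedAt as RFC 3339 UTC timestamps with nanosecond precision); the seven-day limit and the fixture directories are this example's own choices.

```python
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumption: CODEWARD_CACHE_DIR holds a Trivy cache, whose vulnerability DB
# records its build time in db/metadata.json.
DB_METADATA = os.path.join("db", "metadata.json")


def _parse_ts(value):
    """Parse a Trivy-style UTC timestamp; strptime cannot take nanoseconds,
    so the fractional part is dropped (second precision is enough here)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def db_status(cache_dir, now, max_age=timedelta(days=7)):
    """Return (ok, reason). max_age is a local policy choice: how stale a
    pre-cached DB may be before an offline scan is declared untrustworthy."""
    path = os.path.join(cache_dir, DB_METADATA)
    if not os.path.isfile(path):
        return False, "no vulnerability DB cached; download it on a connected host first"
    with open(path, encoding="utf-8") as fh:
        meta = json.load(fh)
    age = now - _parse_ts(meta["UpdatedAt"])
    version = meta.get("Version")
    if age > max_age:
        return False, f"DB (version {version}) is {age.days} days old; refresh the volume"
    return True, f"DB (version {version}) is {age.days} days old"


def build_fixture(updated_at):
    """Constructed cache directory for demonstration; not a real download."""
    root = tempfile.mkdtemp(prefix="codeward-cache-")
    os.makedirs(os.path.join(root, "db"))
    meta = {"Version": 2, "UpdatedAt": updated_at, "NextUpdate": updated_at,
            "DownloadedAt": updated_at}
    with open(os.path.join(root, DB_METADATA), "w", encoding="utf-8") as fh:
        json.dump(meta, fh)
    return root


if __name__ == "__main__":
    now = datetime(2026, 3, 10, tzinfo=timezone.utc)
    for label, updated in (("fresh", "2026-03-08T06:00:00.123456789Z"),
                           ("stale", "2026-01-01T06:00:00Z")):
        ok, reason = db_status(build_fixture(updated), now)
        print(f"{label}: ok={ok} ({reason})")
    ok, reason = db_status(tempfile.mkdtemp(), now)
    print(f"empty: ok={ok} ({reason})")
```

In a pipeline, call db_status against the mounted volume with the current time before starting the scan and fail the job on a False result; passing a larger max_age is how a site consciously accepts a longer refresh interval.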
Is the JSON output schema stable?
Yes. JSON outputs are always arrays with stable structure. New fields may be added (additive changes only).
What regex engine does Codeward use?
Go's regexp package, which implements RE2 syntax. Matching is guaranteed linear in the input length, so a rule cannot trigger catastrophic backtracking, but lookahead, lookbehind and backreferences are not supported. Express a negative lookahead such as (?!...) as a separate not_regex rule instead. See RE2 Reference.
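The rewrite the answer above recommends, shown on constructed package names as an added example (not code from Codeward): a PCRE-style rule that matches lodash and its forks but excludes lodash-es is expressed once with negative lookahead and once as the RE2-safe pair of a regex rule and a not_regex rule combined with AND. Python's re is used only because it accepts the lookahead form, which lets both forms be compared on the same inputs; the existence of a regex rule type alongside not_regex, and pre-validating rule files before the scanner loads them, are assumptions of this example.

```python
import re

# Constructed package names. Goal: match lodash and its forks but not lodash-es.
NAMES = ["lodash", "lodash-es", "lodash.merge", "lodashes", "underscore"]

LOOKAHEAD = r"^lodash(?!-es)"   # PCRE/Python form; Go's regexp rejects (?!...)
RE2_REGEX = r"^lodash"          # what an assumed regex rule would carry
RE2_NOT_REGEX = r"^lodash-es"   # what the paired not_regex rule would carry


def lookahead_rule(name):
    """Python's backtracking engine accepts negative lookahead."""
    return re.search(LOOKAHEAD, name) is not None


def re2_style_rule(name, regex=RE2_REGEX, not_regex=RE2_NOT_REGEX):
    """Same predicate as two RE2-safe rules joined by operator: and."""
    return re.search(regex, name) is not None and re.search(not_regex, name) is None


def is_re2_compatible(pattern):
    """Cheap static screen for constructs Go's regexp does not implement,
    so a bad rule is caught before the scanner loads it (assumed workflow)."""
    unsupported = ("(?=", "(?!", "(?<=", "(?<!", "\\1", "\\2")
    return not any(tok in pattern for tok in unsupported)


def rewrite_negative_lookahead(pattern):
    """Turn X(?!Y) into the (regex, not_regex) pair (X, XY). Handles only this
    one shape, where the lookahead is the final element; it is exactly
    equivalent there, which is the common case for package-name rules."""
    m = re.fullmatch(r"(.*)\(\?!(.*)\)", pattern)
    if not m:
        raise ValueError("pattern is not of the form X(?!Y)")
    prefix, suffix = m.groups()
    return prefix, prefix + suffix


if __name__ == "__main__":
    print("regex/not_regex pair:", rewrite_negative_lookahead(LOOKAHEAD))
    for name in NAMES:
        print(f"{name:14} lookahead={lookahead_rule(name)!s:5} re2={re2_style_rule(name)}")
```

The two columns agree on every name, which is the property to check whenever a lookahead rule is converted: the not_regex side must exclude exactly what the lookahead excluded and nothing more.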
How do I generate a SARIF report?
Use format: "sarif" on any file output, or set the CODEWARD_SARIF_OUTPUT environment variable:
outputs:
  - destination: "file:results.sarif"
    format: "sarif"
Or simply: CODEWARD_SARIF_OUTPUT=results.sarif
To upload to GitHub Code Scanning, use destination: "github:code-scanning" or CODEWARD_SARIF_UPLOAD=true. See Outputs > SARIF Output.
How do I generate an SBOM?
Add a top-level sbom key to your config or set CODEWARD_SBOM_OUTPUT:
sbom:
  destination: "file:sbom.cdx.json"
  include_dev: false
Or simply: CODEWARD_SBOM_OUTPUT=sbom.cdx.json
The SBOM is exported as CycloneDX 1.6 JSON with PURL-based component references, license data, and dependency graph. See Outputs > SBOM Export.
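Before handing an SBOM to a downstream consumer it is worth checking the three properties the answer above names: every component carries a PURL, license data is present, and the dependency graph only references bom-refs that exist. The following is an added example, not Codeward's exporter or a real export; the CycloneDX 1.6 document is constructed and deliberately contains one component with no PURL and no license and one dependency entry pointing at a bom-ref that is not in the document. The depth helper also shows how "direct" versus "transitive" falls out of the dependency graph, which is the distinction the direct-only policy question above relies on.

```python
import json

# Constructed CycloneDX 1.6 document shaped like the export described above;
# not real Codeward output. The third component deliberately has no PURL and
# no license, and its dependency entry points at a bom-ref that does not exist.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "shop-api", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/express@4.19.2", "name": "express",
         "version": "4.19.2", "purl": "pkg:npm/express@4.19.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:npm/qs@6.11.0", "name": "qs",
         "version": "6.11.0", "purl": "pkg:npm/qs@6.11.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "bom-ref": "internal-util", "name": "internal-util",
         "version": "0.1.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/express@4.19.2", "internal-util"]},
        {"ref": "pkg:npm/express@4.19.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/qs@6.11.0", "dependsOn": []},
        {"ref": "internal-util", "dependsOn": ["pkg:npm/left-pad@1.3.0"]},
    ],
})


def audit_sbom(text):
    """Return a list of problems; an empty list means the SBOM is usable downstream."""
    bom = json.loads(text)
    problems = []
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.6":
        problems.append("not a CycloneDX 1.6 document")
    components = bom.get("components", [])
    known = {c["bom-ref"] for c in components if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        known.add(root)
    for c in components:
        label = f"{c.get('name')}@{c.get('version')}"
        if not str(c.get("purl", "")).startswith("pkg:"):
            problems.append(f"{label}: missing PURL")
        if not c.get("licenses"):
            problems.append(f"{label}: no license data")
    for dep in bom.get("dependencies", []):
        for ref in [dep["ref"], *dep.get("dependsOn", [])]:
            if ref not in known:
                problems.append(f"dependency graph references unknown bom-ref {ref!r}")
    return problems


def dependency_depth(text, root_ref):
    """Map each reachable bom-ref to its shortest distance from root_ref
    (1 = direct dependency, >1 = transitive), via breadth-first search."""
    bom = json.loads(text)
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    depth, frontier = {}, [(root_ref, 0)]
    while frontier:
        ref, d = frontier.pop(0)
        for child in edges.get(ref, []):
            if child not in depth:
                depth[child] = d + 1
                frontier.append((child, d + 1))
    return depth


if __name__ == "__main__":
    for problem in audit_sbom(SBOM_JSON):
        print("PROBLEM:", problem)
    for ref, d in dependency_depth(SBOM_JSON, "app").items():
        print(f"{'direct' if d == 1 else 'transitive':10} {ref}")
```

Point audit_sbom at a real export by reading the file produced at the configured destination; a dangling bom-ref is the finding to chase first, because any tool that walks the graph will either drop that subtree or fail on it.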