Docsโ€บConfiguration
Integrate

Configuration Schema

Place a nixer.yml file in the root of your repository to customize which detectors run, what severity levels trigger failures, which paths to ignore, and per-finding suppressions.

๐Ÿ’ก
No nixer.yml needed to get started. All defaults are sensible. Add the config file only when you need to customize behavior.

Full example

nixer.yml
version: 1

# Paths to scan (default: all tracked files)
paths:
  include:
    - src/
    - services/
  ignore:
    - node_modules/
    - dist/
    - '**/*.test.js'
    - '**/*.spec.ts'

# Severity gate: fail if any finding at or above this level
fail-on:
  severity: high         # low | medium | high | critical
  count: 1              # fail if >= N findings at threshold

# Enable/disable detector modules
detectors:
  prompt-injection: true
  tool-abuse: true
  rag-poisoning: true
  mcp: true
  secrets: true
  model-supply-chain: true
  cicd: true
  fraud: false          # disabled for this repo

# Per-finding suppression
suppress:
  - rule: nixer/cicd/unpinned-action
    path: .github/workflows/legacy.yml
    reason: 'Legacy workflow, migration tracked in JIRA-1234'
  - rule: nixer/secrets/hardcoded-api-key
    path: tests/fixtures/dummy-key.js
    reason: 'Test fixture โ€” not a real key'

Schema reference

version

Required. Currently only 1 is supported.

paths.include

List of glob patterns or directory paths to scan. Defaults to all tracked files. Useful for monorepos where you only want to scan a specific service subdirectory.

paths.ignore

List of glob patterns to exclude from scanning. Standard gitignore syntax. Common patterns:

fail-on.severity

Minimum severity level to cause a CI failure. Options: low, medium, high (default), critical. Set to critical to only fail on the most severe findings.

fail-on.count

Number of findings at fail-on.severity required before failing CI. Default: 1. Set to a higher number for a more permissive gate (e.g., only fail if 3+ high findings).

detectors

Enable or disable individual scanner modules. All modules are enabled by default. Set to false to disable:

KeyModuleDefault
prompt-injectionPrompt Injection Scannerenabled
tool-abuseTool Abuse Scannerenabled
rag-poisoningRAG Corpus Integrityenabled
mcpMCP Server Probeenabled
secretsSecrets Scannerenabled
model-supply-chainModel Supply Chain Scannerenabled
cicdCI/CD Pipeline Scannerenabled
fraudAuth & Fraud Scannerenabled

suppress

Per-finding suppression list. Each entry requires:

โš ๏ธ
Suppressions are audited. Every suppression entry with a reason is logged to the scan report. Over-suppressing findings defeats the purpose of scanning โ€” use suppressions sparingly and with a valid justification.

Inline suppression comments

You can also suppress individual findings inline in source code using a comment directive:

src/agent.js
// nixer-ignore: nixer/secrets/hardcoded-api-key -- test fixture, not a real key
const TEST_KEY = 'sk-test-1234567890abcdef';
Edit this page on GitHub