Configuration
scd keeps all configuration outside your repository: no configuration files are written into your project (the optional .scdignore described below is a file you create yourself).
Global config (~/.scd/config)
Global settings live in ~/.scd/config (plain text, key=value format) and are managed with scd configure:

```bash
scd configure --central-url http://your-server:3000
scd configure --token <api-token>
scd configure --server-timeout 30s
scd configure --deep-timeout 20m
```

The token is stored in that file unencrypted, so keep it readable only by your own user (for example `chmod 600 ~/.scd/config`), and use an https:// URL for any scd-server that is not on your local machine, since the token is sent with each API call.
| Setting | Default | Description |
|---|---|---|
| central_url | (unset) | scd-server URL |
| token | (unset) | API token for scd-server |
| server_timeout | 30s | Timeout for regular API calls |
| deep_timeout | 20m | Timeout for deep analysis (intentionally long) |
Per-repo config (~/.scd/repos/{repoId}/config.yml)
Each registered project has its own config.yml. View and edit with scd repo configure:
```bash
scd repo configure                              # show current config with sources
scd repo configure --scan-mode fast             # change scan mode
scd repo configure --trust-level balanced       # change trust level
scd repo configure --block-on-high true         # block pushes on HIGH findings
```
Or edit the file directly:
```yaml
trust_level: balanced   # maximum_privacy | balanced | maximum_analysis
scan_mode: full         # full (with taint analysis) | fast (regex only)
block_on_critical: true
block_on_high: true
```
Scan mode
| Value | Description |
|---|---|
| full | Full scan including taint analysis. Catches injection via variable assignment. Default. |
| fast | Regex-only scan. Faster, but misses taint-based findings such as SQL injection via variable assignment. |
Trust level
Controls which external connections scd is permitted to make, and therefore whether the code being analysed can leave your machine:
| Value | Behaviour |
|---|---|
| maximum_privacy | No external API calls; local model only. Strongest privacy guarantee. |
| balanced | Default. Local model preferred; cloud analysis available only as an explicit opt-in. |
| maximum_analysis | Analysis requests go to the cloud provider (Claude API), so code context leaves the machine. Maximum analysis depth. |
Blocking behaviour
By default, block_on_critical and block_on_high are both true, so a git push is blocked when the scan reports CRITICAL or HIGH findings. Adjust per repo:

```bash
scd repo configure --block-on-high false
```

The check runs in the locally installed git hook, so it is a guardrail against pushing known-bad code by mistake, not a server-side control: anyone who skips the hook skips the check.
Exceptions config
Exceptions are appended to config.yml automatically when you run scd accept or scd ignore. They are keyed by finding ID and carry a hash of the affected code line, so an exception is tied to the exact code it was granted for: if that line changes, the exception no longer applies and the finding must be re-approved.
Do not edit the exceptions section by hand. Use scd accept, scd ignore, and scd resolve instead.
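To make the pinning rule concrete, here is an added example (not scd's own code; the exception record layout with finding_id, kind, file, line and line_hash is a hypothetical one chosen for the illustration) that records an accepted finding against a hash of its code line and then re-evaluates it against later versions of the file: an unrelated insertion above the line leaves the exception in force, while an edit to the line itself makes it stale and brings the finding back.

```python
"""Content-pinned scan exceptions (added illustration, not scd's own code).

The record layout (finding_id, kind, file, line, line_hash) is a
hypothetical one chosen for this example; scd's real config.yml
exception entries are not documented on this page.
"""
import hashlib
from typing import Dict, List

# Constructed sample: the file as it looked when the finding was accepted.
ORIGINAL = """import db
def lookup(user_id):
    query = "SELECT * FROM users WHERE id = " + user_id
    return db.run(query)
"""

# Same file after an unrelated line was inserted above the finding.
SHIFTED = """import db
# audit: lookup() is only reachable from the admin panel
def lookup(user_id):
    query = "SELECT * FROM users WHERE id = " + user_id
    return db.run(query)
"""

# Same file after the flagged line itself was edited.
CHANGED = """import db
def lookup(user_id):
    query = "SELECT * FROM users WHERE id = " + user_id + " AND active = 1"
    return db.run(query)
"""


def line_fingerprint(line: str) -> str:
    """SHA-256 of one source line; surrounding whitespace is ignored so a
    re-indent does not void the exception, but any token change does."""
    return hashlib.sha256(line.strip().encode("utf-8")).hexdigest()


def make_exception(finding_id: str, kind: str, path: str, line_no: int, source: str) -> Dict:
    """Record an accept/ignore decision pinned to the current line content."""
    line = source.splitlines()[line_no - 1]
    return {"finding_id": finding_id, "kind": kind, "file": path,
            "line": line_no, "line_hash": line_fingerprint(line)}


def exception_status(exc: Dict, source: str) -> str:
    """'valid': line unchanged at the recorded position.
    'moved': same line content found elsewhere in the file (still covered).
    'stale': the approved line no longer exists; re-approval required."""
    lines = source.splitlines()
    idx = exc["line"] - 1
    if 0 <= idx < len(lines) and line_fingerprint(lines[idx]) == exc["line_hash"]:
        return "valid"
    if any(line_fingerprint(l) == exc["line_hash"] for l in lines):
        return "moved"
    return "stale"


def apply_exceptions(findings: List[Dict], exceptions: List[Dict],
                     sources: Dict[str, str]) -> List[Dict]:
    """Return the findings that must still be reported. A finding is
    suppressed only while its exception is 'valid' or 'moved'; a 'stale'
    exception resurfaces the finding with a note instead of hiding it."""
    by_id = {e["finding_id"]: e for e in exceptions}
    reported = []
    for finding in findings:
        exc = by_id.get(finding["finding_id"])
        if exc is None:
            reported.append(finding)
            continue
        status = exception_status(exc, sources[exc["file"]])
        if status == "stale":
            reported.append(dict(finding, note="exception stale: re-approval required"))
    return reported


if __name__ == "__main__":
    exc = make_exception("SQLI-001", "accept", "app.py", 3, ORIGINAL)
    for name, src in (("original", ORIGINAL), ("shifted", SHIFTED), ("changed", CHANGED)):
        print(f"{name}: {exception_status(exc, src)}")
```

Pinning to line content rather than to a line number is what lets an accept decision survive ordinary edits elsewhere in the file while still forcing a fresh review when the approved line changes; a stale exception is reported rather than silently dropped, so a suppression never outlives the code it was granted for.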
.scdignore
You can exclude specific files, directories, or patterns from all scans by creating a .scdignore file in your project root. It follows the same syntax as .gitignore:
```gitignore
# Exclude generated files
dist/
build/
# Exclude specific files
src/test-fixtures/evil-patterns.js
# Exclude by pattern
**/*.min.js
```
Files ignored by .gitignore are already excluded by default; .scdignore is for additional, scd-specific exclusions. Every pattern here removes code from scanning, so keep patterns narrow and review them whenever the project layout changes.
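As an added example (not scd's own matcher, which the page does not show), the following script implements the gitignore subset that these patterns use and reports which files of a constructed project tree a .scdignore would remove from scanning. Running such a check before committing an ignore file shows the reach of each rule: build/ hides everything under that directory, including hand-written code that happens to live there, while a file merely named build.js stays in scope.

```python
"""Audit what a .scdignore file hides from scanning (added illustration,
not scd's own matcher). Implements the gitignore subset used by typical
ignore files: blank lines and # comments, trailing-slash directory rules,
root-anchored paths, * and ? that stop at '/', and the '**' wildcard.
Unlike git, a leading '!' here can re-include a file under an excluded
directory; git cannot, so treat negations as approximate."""
import re
from typing import List, NamedTuple, Tuple

# Constructed .scdignore with the patterns from the page.
SCDIGNORE = """# Exclude generated files
dist/
build/
# Exclude specific files
src/test-fixtures/evil-patterns.js
# Exclude by pattern
**/*.min.js
"""

# Constructed project file list (paths relative to the project root).
FILES = [
    "src/app.js",
    "src/vendor/jquery.min.js",
    "src/test-fixtures/evil-patterns.js",
    "dist/bundle.js",
    "build/helpers/auth.js",
    "scripts/build.js",
]


class Rule(NamedTuple):
    pattern: str
    negate: bool
    dir_only: bool


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if negate:
            line = line[1:]
        dir_only = line.endswith("/")
        rules.append(Rule(line.rstrip("/"), negate, dir_only))
    return rules


def to_regex(pat: str) -> "re.Pattern":
    """Translate gitignore glob syntax to a regex: '**/' spans directories,
    '*' and '?' never cross a '/'."""
    out, i = "", 0
    while i < len(pat):
        if pat.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pat.startswith("/**", i):
            out, i = out + "(?:/.*)?", i + 3
        elif pat[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pat[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile("^" + out + "$")


def rule_matches(rule: Rule, path: str) -> bool:
    segments = path.split("/")
    if "/" not in rule.pattern:
        # No slash: match a name at any depth. For directory rules only the
        # directory segments (everything but the final file name) count.
        rx = to_regex(rule.pattern)
        candidates = segments[:-1] if rule.dir_only else segments
        return any(rx.match(s) for s in candidates)
    # Slash present: anchored at the project root. A matched directory
    # prefix excludes everything beneath it.
    rx = to_regex(rule.pattern.lstrip("/"))
    last = len(segments) - 1 if rule.dir_only else len(segments)
    return any(rx.match("/".join(segments[:k])) for k in range(1, last + 1))


def is_excluded(path: str, rules: List[Rule]) -> bool:
    excluded = False
    for rule in rules:          # last matching rule wins, as in git
        if rule_matches(rule, path):
            excluded = not rule.negate
    return excluded


def partition(files: List[str], rules: List[Rule]) -> Tuple[List[str], List[str]]:
    """Split files into (scanned, excluded) so the exclusions can be reviewed."""
    scanned, excluded = [], []
    for f in files:
        (excluded if is_excluded(f, rules) else scanned).append(f)
    return scanned, excluded


if __name__ == "__main__":
    scanned, excluded = partition(FILES, parse_rules(SCDIGNORE))
    print("excluded from scanning:", *excluded, sep="\n  ")
    print("still scanned:", *scanned, sep="\n  ")
```

The point of the audit is the excluded list: src/vendor/jquery.min.js and build/helpers/auth.js drop out of scanning because of a broad pattern, not because anyone decided those particular files are safe.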
Verify your setup
```bash
scd doctor
```

scd doctor checks:

- Git hooks installed and active
- Project registered with scd init
- scd-server connection (if configured)
- License status and expiry (if connected)
- Push queue health
- CLI version vs minimum required version