
Configuration

scd keeps all configuration outside your repository — no files are ever written to your project.


Global config (~/.scd/config)

Global settings live in ~/.scd/config (plain text, key=value format). Managed via scd configure:

scd configure --central-url http://your-server:3000
scd configure --token <your-personal-token>
scd configure --server-timeout 30s
scd configure --deep-timeout 20m

| Setting | Default | Description |
|---|---|---|
| central_url | | scd-server URL |
| token | | Personal CLI token for scd-server authentication |
| server_timeout | 30s | Timeout for regular API calls |
| deep_timeout | 20m | Timeout for deep analysis (intentionally long) |

Per-repo config (~/.scd/repos/{repoId}/config.yml)

Each registered project has its own config.yml. View and edit with scd repo configure:

scd repo configure # show current config with sources
scd repo configure --scan-mode fast # change scan mode
scd repo configure --trust-level balanced # change trust level
scd repo configure --block-on-high true # block pushes on HIGH findings

Or edit the file directly:

trust_level: balanced # maximum_privacy | balanced | maximum_analysis
scan_mode: full # full (with taint analysis) | fast (regex only)
block_on_critical: true
block_on_high: true

Scan mode

| Value | Description |
|---|---|
| full | Full scan including taint analysis. Catches injection via variable assignment. Default. |
| fast | Regex-only scan. Faster but misses taint-based findings such as SQL injection via variable assignment. |

Trust level

Controls which external connections scd is permitted to make:

| Value | Behaviour |
|---|---|
| maximum_privacy | No external API calls. Local model only. Strongest privacy guarantee. |
| balanced | Default. Local model preferred; cloud available as explicit opt-in. |
| maximum_analysis | Cloud provider (Claude API). Maximum analysis depth. |

Blocking behaviour

By default, block_on_critical and block_on_high are both true — git pushes are blocked when CRITICAL or HIGH findings are found. Adjust per repo:

scd repo configure --block-on-high false
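The two config formats above (the key=value global config and the flat per-repo config.yml) are simple enough to check offline before a misconfiguration silently weakens push blocking. The following is an added example, not scd's own code: it parses both files with a minimal flat parser (no YAML library), validates the per-repo values against the documented sets, and flags settings that reduce coverage. The plaintext-http warning and the sample inputs are this example's own constructions.

```python
"""Offline lint for scd's config files (added example, not scd's own code).
Assumes the flat formats shown above: ~/.scd/config as key=value, config.yml as
`key: value  # comment`; indented lines (the managed exceptions section) are skipped."""
ALLOWED = {  # the documented value sets for per-repo settings
    "trust_level": {"maximum_privacy", "balanced", "maximum_analysis"},
    "scan_mode": {"full", "fast"},
    "block_on_critical": {"true", "false"},
    "block_on_high": {"true", "false"},
}

def parse_flat(text, sep, strip_comments):
    """Return {key: value} for top-level `key<sep>value` lines."""
    out = {}
    for raw in text.splitlines():
        if raw[:1].isspace() or not raw.strip() or raw.startswith("#"):
            continue  # nested line, blank, or comment-only line
        line = raw.split("#", 1)[0] if strip_comments else raw
        if sep in line:
            key, val = line.split(sep, 1)
            out[key.strip()] = val.strip()
    return out

def lint_global(cfg):
    """Checks for ~/.scd/config; flagging plaintext http is this example's own policy."""
    issues = []
    url = cfg.get("central_url", "")
    if not url:
        issues.append("central_url missing: run `scd configure --central-url`")
    elif url.startswith("http://"):
        issues.append("central_url is plaintext http: the CLI token is sent unencrypted")
    if not cfg.get("token"):
        issues.append("token missing: scd-server calls will fail authentication")
    return issues

def lint_repo(cfg):
    """Checks for a per-repo config.yml against the documented value sets."""
    issues = []
    for key, allowed in ALLOWED.items():
        val = cfg.get(key)
        if val is not None and val not in allowed:
            issues.append(f"{key}: '{val}' not one of {sorted(allowed)}")
    if "false" in (cfg.get("block_on_critical"), cfg.get("block_on_high")):
        issues.append("push blocking weakened: CRITICAL/HIGH findings no longer stop pushes")
    if cfg.get("scan_mode") == "fast":
        issues.append("scan_mode fast: taint findings such as SQLi via assignment are missed")
    return issues

# Constructed sample inputs (not real files); note the typo in block_on_high
GLOBAL_SAMPLE = "central_url=http://your-server:3000\ntoken=EXAMPLE-TOKEN\nserver_timeout=30s\n"
REPO_SAMPLE = ("trust_level: balanced  # maximum_privacy | balanced | maximum_analysis\n"
               "scan_mode: fast\nblock_on_critical: true\nblock_on_high: flase\nexceptions:\n  - id: X\n")
if __name__ == "__main__":  # print every issue found in the constructed samples
    print(*lint_global(parse_flat(GLOBAL_SAMPLE, "=", False)), *lint_repo(parse_flat(REPO_SAMPLE, ":", True)), sep="\n")
```

Point `parse_flat` at the real files under ~/.scd/ to lint a live setup; a value such as `flase` is reported as outside the documented set rather than being silently treated as a default.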

Exceptions config

Exceptions are appended to config.yml automatically when you run scd accept or scd ignore. They are stored by finding ID and include a hash of the relevant code line — if the code changes, the exception requires re-approval.

You should not edit the exceptions section manually. Use scd accept, scd ignore, and scd resolve instead.


Snippet storage

scd stores the triggering line of code as part of each finding — in last-scan.json, individual scan files under scans/, and reports. Snippets are stored as-is, without redaction.

This is consistent with scd's architecture: everything stays on the same machine as the source file it came from. scd-server runs in your own infrastructure, so snippets never leave your network.


Scope exclusions (scope.yml)

You can permanently exclude files, directories, or rules from all scans using scd repo scope. Every exclusion requires a documented reason and is visible in scan output and the audit trail.

# Exclude a test fixtures directory for this repo
scd repo scope --add-file "tests/fixtures/" --reason "Intentional vulnerability examples"

# Exclude a rule for this repo
scd repo scope --add-rule INFRA-001 --reason "Cloud-managed infrastructure"

# Show current exclusions (global + repo + server-managed)
scd repo scope --show

# Remove an exclusion
scd repo scope --remove-file "tests/fixtures/" --reason "No longer needed"

Global exclusions (all repos on this machine) are managed with scd scope instead of scd repo scope.

Exclusions are stored in ~/.scd/repos/{repoId}/scope.yml (per-repo) or ~/.scd/scope.yml (global) — outside your repository, never committed to source control.

.gitignored files are excluded from scans by default. Scope exclusions are for additional security-specific exclusions that go beyond what git ignores.


Verify your setup

scd doctor

scd doctor checks:

  • Git hooks installed and active
  • Project registered with scd init
  • scd-server connection (if configured)
  • License status and expiry (if connected)
  • AI provider status on scd-server (if connected)
  • Push queue health
  • CLI version vs minimum required version

Configuration file locations

All scd data is stored outside your repositories in ~/.scd/ (macOS/Linux) or %USERPROFILE%\.scd\ (Windows):

~/.scd/
  config              ← central URL, token, timeouts, global repo defaults
  scope.yml           ← global scope exclusions (all repos)
  repos/
    {repoId}/
      meta.json         ← repo identity, last scan, timestamps
      config.yml        ← per-repo settings, exceptions, rule overrides
      scope.yml         ← per-repo scope exclusions
      scope-server.yml  ← server-managed scope (read-only)
      audit.log         ← full scan history (append-only)
      last-scan.json    ← latest scan cache
      scans/            ← one JSON per scan (never overwritten)
      reports/          ← generated HTML/MD/JSON reports
      exports/          ← exported JSON from scd export-findings