Customization through environment variables

The following environment variables can be used to customize the behavior.

  • VDB_HOME - Directory to use for caching the database. For docker-based execution, this directory should be mounted as a volume from the host.
  • VDB_DATABASE_URL - Vulnerability DB URL. Defaults to: ghcr.io/appthreat/vdbxz:v6.5.x, which includes both app and OS vulnerabilities. For a smaller app-only database, use ghcr.io/appthreat/vdbxz-app-2y:v6.5.x.
  • USE_VDB_10Y - Set to true to use the larger 10-year vulnerability database with both app and OS vulnerabilities. Default download URL: ghcr.io/appthreat/vdbxz-10y:v6.5.x. For an app-only 10-year database, use ghcr.io/appthreat/vdbxz-app-10y:v6.5.x.
  • VDB_AGE_HOURS - Set the age threshold for the vulnerability database before it is re-downloaded. The default is 24 hours.
  • DEPSCAN_TEMP_DIR - Temporary directory to use.
  • DEPSCAN_SOURCE_DIR_IMAGE - Alternative to --src argument to pass the source directory or image name.
  • DEPSCAN_REPORTS_DIR - Alternative to --reports-dir to pass the output reports directory.
  • DEPSCAN_SOURCE_IMAGE - Source image name to use for lifecycle analysis. Same as the key source_image in the configuration file.
  • DEPSCAN_BUILD_DIR - Build directory to use for lifecycle analysis. The blint sbom command will be executed with this directory. Defaults to the source directory (--src). Same as the key build_dir in the configuration file.
  • DEPSCAN_SERVER_API_KEY - API key required for all requests when the dep-scan server is configured with built-in authentication. Accepted via X-API-Key or Authorization: Bearer <key>.
  • DEPSCAN_SERVER_ALLOW_UNAUTHENTICATED_BIND - Set to true only if you intentionally want the dep-scan server to bind to a non-local address without built-in authentication.
  • DEPSCAN_SERVER_ALLOWED_GIT_SCHEMES - Comma-separated list of allowed URL schemes for server-side URL scans. Defaults to http,https,git,git+http,git+https.
  • DEPSCAN_SERVER_ALLOW_PRIVATE_URLS - Set to true to allow the server to scan URLs that resolve to private, loopback, or link-local addresses. Leave unset for the safer default.
  • DEPSCAN_SERVER_MAX_CONTENT_LENGTH - Maximum accepted request body size in bytes for the built-in server, including uploaded BOM files. Defaults to 104857600 (100 MiB).
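
The kind of check that DEPSCAN_SERVER_ALLOWED_GIT_SCHEMES and DEPSCAN_SERVER_ALLOW_PRIVATE_URLS control can be sketched as follows. This is an added example, not dep-scan's own code: the helper names check_scan_url and resolve_host are hypothetical, and only the variable names and the default scheme list are taken from the list above.

```python
import ipaddress
import os
import socket
from urllib.parse import urlsplit

# Default scheme list as documented for DEPSCAN_SERVER_ALLOWED_GIT_SCHEMES.
DEFAULT_SCHEMES = "http,https,git,git+http,git+https"


def resolve_host(host):
    """Return every address a host resolves to (IP literals need no DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_scan_url(url, env=None, resolver=resolve_host):
    """Hypothetical helper: return (allowed, reason) for a submitted scan URL."""
    env = os.environ if env is None else env
    raw = env.get("DEPSCAN_SERVER_ALLOWED_GIT_SCHEMES") or DEFAULT_SCHEMES
    schemes = {s.strip().lower() for s in raw.split(",") if s.strip()}
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in schemes:
        return False, f"scheme {parts.scheme!r} is not allowed"
    if not host:
        return False, "URL has no host"
    allow_private = env.get("DEPSCAN_SERVER_ALLOW_PRIVATE_URLS", "")
    if allow_private.strip().lower() == "true":
        return True, "private URLs explicitly allowed"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"cannot resolve {host}: {exc}"
    # Reject if ANY resolved address is internal, not just the first one.
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs; IP literals keep the run offline.
    for sample in ("https://127.0.0.1/repo.git", "file:///etc/passwd",
                   "git+https://169.254.10.10/repo.git"):
        print(sample, "->", check_scan_url(sample, env={}))
```

A check like this validates the address at resolution time only; the component that later fetches the URL should connect to the address that was validated rather than resolving the name again.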