analysis.agenticTriageAnalyzerStrategy |
Agentic triage analyzer strategy: decision-tree, react, react-holistic, claude-agent, anthropic-agent |
No |
decision-tree |
analysis.aiCodegenStrategy |
AI code generation strategy (agentic-fast, agentic-native) |
No |
agentic-fast |
analysis.backpressureEnabled |
Enable backpressure algorithm to proactively cancel analyses that cannot complete within timeout limits |
No |
true |
analysis.llmConcurrencyEnabled |
Enable AIMD adaptive concurrency limiter for LLM requests. When false, Retry-After backoff still works. |
No |
false |
analysis.enableProjectContext |
Enable project-level contextual analysis to inform triage and fix results |
No |
true |
analysis.enableTransitiveDependencyAnalysis |
Enable analysis of transitive dependencies during SCA for deeper vulnerability detection |
No |
false |
analysis.enableScaChainResolution |
Experimental. Enable the SCA chain resolution prefilter as a pre-step in the SCA orchestrator (direct and transitive flows) |
No |
false |
analysis.guardrailDetectionEnabled |
Master switch for heuristic guardrail-rewrite detection on LLM responses. When false, the detector is skipped entirely (no metrics, breadcrumbs, or abort) |
No |
true |
analysis.guardrailShortCircuitEnabled |
When true, fix retry loops abort on a guardrail detection. When false, detection still runs (metrics and breadcrumbs preserved) but retries do not abort. No effect when guardrailDetectionEnabled is false |
No |
true |
analysis.useAgenticTriageForAllRules |
Route all triage rules through the agentic analyzer (always enabled, retained for backward compatibility) |
No |
true |
analysis.useScaExploitabilityToShortcircuitFix |
Skip fix generation for findings that SCA determines are not exploitable |
No |
false |
analysis.enableVendoredFileTriage |
Use a specialized triage strategy for vendored files |
No |
true |
analysis.cache.enabled |
Enable URL-based analysis input caching |
No |
true |
analysis.cache.defaultTtlSeconds |
Default TTL in seconds for cached analysis inputs |
No |
86400 |
analysis.cache.maxSizeBytes |
Maximum cache size in bytes |
No |
10737418240 (10GB) |
analysis.cache.honorCacheControl |
Honor cache-control headers from source |
No |
true |
analysis.cache.directory |
Override cache directory path |
No |
"" (service default) |
analysis.scaMaxRequestsToAnalyze |
Maximum number of requests to analyze during SCA |
No |
5 |
analysis.scaQueueNumWorkers |
Number of workers in the dedicated SCA analysis queue |
No |
2 |
analysis.scaQueueMaxSize |
Maximum size of the SCA task queue (0 = unbounded) |
No |
0 |
analysis.scaBackpressureEnabled |
Enable backpressure for the SCA analysis queue |
No |
false |
analysis.database.name |
Logical database name for analysis-service episodic memory |
No |
analysis_service |
analysis.database.username |
Database user for analysis-service |
No |
analysis |
analysis.database.password |
Database password (ignored when existingSecret is set) |
Yes (if using analysis DB without existingSecret) |
"" |
analysis.database.host |
Database hostname for external database deployments |
Yes (if platform.database.embedded: false) |
"" |
analysis.database.port |
Database port |
No |
5432 |
analysis.database.existingSecret |
Name of existing secret with username and password keys |
No |
"" |
platform.database.embedded |
Use embedded database instead of external |
No |
true |
platform.database.host |
External database hostname |
Yes (if embedded: false) |
None |
platform.database.port |
External database port |
No |
5432 |
platform.database.name |
External database name |
No |
pixee_platform |
platform.database.username |
External database username |
Yes (if embedded: false) |
None |
platform.database.password |
External database password |
Yes (if embedded: false) |
None |
platform.database.existingSecret |
Name of existing secret containing a password key |
No |
"" |
platform.gitCloneStrategy |
Git clone strategy for VCS operations (partial or full) |
No |
partial |
platform.gitBranchPrefix |
Optional prefix for Git branch names created by Pixee |
No |
None |
platform.gitCommitMessagePrefix |
Optional prefix for Git commit messages created by Pixee |
No |
None |
platform.gitAuthorEmail |
Email address for Git commit authorship by the Pixee service account |
No |
None |
platform.gitAuthorUsername |
Username for Git commit authorship by the Pixee service account |
No |
None |
platform.proxy.enabled |
Enable proxy configuration |
No |
false |
platform.proxy.address |
Address of proxy server |
No |
None |
platform.proxy.headers.forwarded |
Allow 'Forwarded' header |
No |
false |
platform.proxy.headers.xForwarded |
Allow X-Forwarded-* headers |
No |
false |
platform.inputBucket |
Custom name for analysis input bucket |
No |
pixee-analysis-input |
platform.inputSignatureDuration |
Duration for pre-signed URLs (e.g., "1h", "30m") |
No |
None |
platform.analysisQueueMaxConcurrency |
Maximum number of analyses the platform dispatches concurrently to the analysis service. Leave unset to use the platform default. |
No |
None |
platform.analysisTimeout |
Tier 1 idle timeout — analysis times out if no event (keepalives included) or callback arrives within this window (e.g., "15m", "30m") |
No |
15m |
platform.analysisMaxProgressStall |
Tier 2 progress-stall timeout — analysis times out if no result outcome completes within this window; reset only by completed outcomes, not keepalives. Must be greater than platform.analysisTimeout (e.g., "45m", "1h") |
No |
45m |
platform.sastAnalysisTimeout |
Deprecated — superseded by analysisTimeout/analysisMaxProgressStall; still honored if set. SAST-specific idle timeout (e.g., "20m", "30m") |
No |
None |
platform.scaAnalysisTimeout |
Deprecated — superseded by analysisTimeout/analysisMaxProgressStall; still honored if set. SCA-specific idle timeout (e.g., "45m", "1h") |
No |
None |
platform.github.appName |
GitHub App name |
No |
None |
platform.github.appId |
GitHub App ID |
No |
None |
platform.github.appWebhookSecret |
GitHub App webhook secret |
No |
None |
platform.github.appPrivateKey |
GitHub App private key |
No |
None |
platform.github.url |
GitHub Enterprise URL |
No |
None |
platform.github.existingSecret |
Name of existing secret containing GitHub App webhook and private key (takes precedence over setting appWebhookSecret directly) |
No |
None |
platform.github.secretKeys.appWebhookSecretKey |
Secret key containing the appWebhookSecret |
No |
appWebhookSecret |
platform.github.secretKeys.appPrivateKeySecretKey |
Secret key containing the appPrivateKey |
No |
appPrivateKey |
platform.scm.azure.authType |
Azure DevOps authentication method: PAT (personal access token) or SPN (Entra service principal). SPN is supported only against Azure DevOps Services (dev.azure.com). |
No |
PAT |
platform.scm.azure.organization |
Azure DevOps organization name |
No |
None |
platform.scm.azure.token |
Azure DevOps personal access token (used when authType is PAT) |
No |
None |
platform.scm.azure.spn.tenantId |
Entra tenant (directory) ID (used when authType is SPN) |
No |
None |
platform.scm.azure.spn.clientId |
Entra application (client) ID (used when authType is SPN) |
No |
None |
platform.scm.azure.spn.clientSecret |
Entra service-principal client secret (used when authType is SPN) |
No |
None |
platform.scm.azure.existingSecret |
Name of existing secret containing Azure DevOps token, webhook password, and service-principal client secret (takes precedence over setting them directly) |
No |
None |
platform.scm.azure.secretKeys.tokenKey |
Key within the secret that contains the Azure DevOps token |
Yes |
token |
platform.scm.azure.secretKeys.webhookPasswordKey |
Key within the secret that contains the Azure DevOps webhook password |
Yes |
webhookPassword |
platform.scm.azure.secretKeys.clientSecretKey |
Key within the secret that contains the Entra service-principal client secret |
Yes |
clientSecret |
platform.scm.gitlab.baseUri |
Self-hosted GitLab base URI |
No |
None |
platform.scm.gitlab.token |
GitLab personal access token (required scopes: api, read_user, read_repository, read_api, write_repository, ai_features, read_registry, read_virtual_registry). A service account token is recommended. |
No |
None |
platform.scm.gitlab.webhookSecret |
GitLab webhook secret |
No |
None |
platform.scm.gitlab.memberProjectsOnly |
When false, omits the membership=true filter when listing GitLab projects — for self-hosted GitLab where the service account has broad read access via group or admin permissions rather than explicit project membership |
No |
true |
platform.scm.gitlab.existingSecret |
Name of existing secret containing GitLab token and webhookSecret (takes precedence over setting token directly) |
No |
None |
platform.scm.gitlab.secretKeys.tokenKey |
Key within the secret that contains the GitLab token |
Yes |
token |
platform.scm.gitlab.secretKeys.webhookSecretKey |
Key within the secret that contains the GitLab webhookSecret |
Yes |
webhookSecret |
platform.scm.bitbucket.username |
BitBucket username (used for Git clone/push operations) |
No |
None |
platform.scm.bitbucket.emailAddress |
BitBucket account email (used for REST API authentication with the API token) |
No |
None |
platform.scm.bitbucket.apiToken |
BitBucket API token (replaces the deprecated app password) |
No |
None |
platform.scm.bitbucket.existingSecret |
Name of existing secret containing the BitBucket API token (takes precedence over setting apiToken directly) |
No |
None |
platform.scm.bitbucket.secretKeys.apiTokenKey |
Key within the secret that contains the BitBucket API token |
Yes |
apiToken |
platform.pixeebot.omitPixeeBacklinks |
When true, PRs opened by pixeebot omit backlinks to User Platform |
No |
false |
platform.pixeebot.appscan.apiKeyId |
AppScan key ID |
No |
None |
platform.pixeebot.appscan.apiKeySecret |
AppScan key secret |
No |
None |
platform.pixeebot.appscan.webhook.user |
AppScan webhook username for basic authentication |
No |
None |
platform.pixeebot.appscan.webhook.password |
AppScan webhook password for basic authentication |
No |
None |
platform.pixeebot.appscan.existingSecret |
Name of existing secret containing AppScan API key, webhook user and password (takes precedence over setting apiKeySecret, webhook.user and webhook.password directly) |
No |
None |
platform.pixeebot.appscan.secretKeys.apiKeySecretKey |
Key within the secret that contains the AppScan API key |
Yes |
apiKeySecret |
platform.pixeebot.appscan.secretKeys.webhookUserKey |
Key within the secret that contains the AppScan webhook username |
Yes |
webhookUser |
platform.pixeebot.appscan.secretKeys.webhookPasswordKey |
Key within the secret that contains the AppScan webhook password |
Yes |
webhookPassword |
platform.sonar.token |
SonarQube personal access token |
No |
None |
platform.sonar.webhookSecret |
SonarQube webhook secret |
No |
None |
platform.sonar.baseUri |
SonarQube server base URI |
Yes (if type is server) |
None |
platform.sonar.gitHubAppName |
SonarQube GitHub app name |
No |
None |
platform.sonar.existingSecret |
Name of existing secret containing SonarQube token and webhookSecret (takes precedence over setting token directly) |
No |
None |
platform.sonar.secretKeys.tokenKey |
Key within the secret that contains the SonarQube token |
Yes |
token |
platform.sonar.secretKeys.webhookSecretKey |
Key within the secret that contains the SonarQube webhookSecret |
Yes |
webhookSecret |
platform.sonar.excludeMaintainabilityFindings |
Exclude maintainability findings (code smells) |
No |
false |
platform.sonar.excludeReliabilityFindings |
Exclude reliability findings (bugs) |
No |
false |
platform.sonar.cweIds |
Comma-separated list of CWE IDs to filter findings. When set, overrides filterCweTop25 and additionalCweIds |
No |
None |
platform.sonar.filterCweTop25 |
(Deprecated) Filter to include only CWE Top 25 findings. Use cweIds instead |
No |
false |
platform.sonar.additionalCweIds |
(Deprecated) Comma-separated list of additional CWE IDs to include. Use cweIds instead |
No |
None |
platform.sonar.maxFindingsPerScan |
Maximum number of findings to retrieve per scan |
No |
10000 |
platform.veracode.apiKeyId |
Veracode key ID |
No |
None |
platform.veracode.apiKeySecret |
Veracode key secret |
No |
None |
platform.veracode.existingSecret |
Name of existing secret containing Veracode apiKeySecret (takes precedence over setting accessToken directly) |
No |
None |
platform.veracode.secretKeys.apiKeySecretKey |
Key within the secret that contains the Veracode apiKeySecret |
Yes |
apiKeySecret |
platform.arnica.apiKey |
Arnica API key |
No |
None |
platform.arnica.existingSecret |
Name of existing secret containing Arnica API key (takes precedence over setting apiKey directly) |
No |
None |
platform.arnica.secretKeys.apiKeyKey |
Key within the secret that contains the Arnica API key |
Yes |
apiKey |
platform.blackduck.accessToken |
Black Duck access token |
No |
None |
platform.blackduck.existingSecret |
Name of existing secret containing Black Duck access token (takes precedence over setting accessToken directly) |
No |
None |
platform.blackduck.secretKeys.accessTokenKey |
Key within the secret that contains the Black Duck access token |
Yes |
accessToken |
platform.checkmarx.region |
Checkmarx AST region (US, US2, EU, EU2, DEU, ANZ, IND, SNG, MEA) |
No |
US |
platform.checkmarx.tenantAccountName |
Checkmarx tenant account name |
No |
None |
platform.checkmarx.apiKey |
Checkmarx API key |
No |
None |
platform.checkmarx.existingSecret |
Name of existing secret containing Checkmarx API key (takes precedence over setting apiKey directly) |
No |
None |
platform.checkmarx.secretKeys.apiKeyKey |
Key within the secret that contains the Checkmarx API key |
Yes |
apiKey |
platform.polaris.enabled |
Enable Polaris (Black Duck) integration |
No |
false |
platform.polaris.baseUri |
Polaris instance base URI |
No |
https://polaris.blackduck.com |
platform.polaris.apiToken |
Polaris API token |
No |
None |
platform.polaris.existingSecret |
Name of existing secret containing Polaris API token (takes precedence over setting apiToken directly) |
No |
None |
platform.polaris.secretKeys.apiTokenKey |
Key within the secret that contains the Polaris API token |
Yes |
apiToken |
oidc.ingress.enabled |
Enable ingress for OIDC service |
No |
false |
oidc.ingress.className |
Ingress controller class name for OIDC |
No |
None |
superset.database.existingSecret |
Name of existing secret containing Superset PostgreSQL credentials (kubernetes.io/basic-auth with username and password keys) |
No |
"" |
authentik.database.existingSecret |
Name of existing secret containing Authentik PostgreSQL credentials (kubernetes.io/basic-auth with username and password keys) |
No |
"" |
cloudnative-pg.postgresql.parameters.maxConnections |
Maximum number of PostgreSQL connections |
No |
200 |
cloudnative-pg.postgresql.parameters.sharedBuffers |
PostgreSQL shared buffer memory (recommended: 25% of memory limit) |
No |
1GB |
cloudnative-pg.postgresql.parameters.effectiveCacheSize |
Planner hint for available cache memory |
No |
3GB |
cloudnative-pg.postgresql.parameters.workMem |
Per-operation memory for sorts and hashes |
No |
16MB |
cloudnative-pg.postgresql.parameters.maintenanceWorkMem |
Memory for VACUUM and index creation |
No |
256MB |
cloudnative-pg.postgresql.parameters.randomPageCost |
Planner cost for random page access (lower for SSD) |
No |
1.1 |
cloudnative-pg.postgresql.parameters.checkpointCompletionTarget |
Checkpoint I/O spread target (0.0-1.0) |
No |
0.9 |
cloudnative-pg.postgresql.parameters.logLockWaits |
Log lock wait events for debugging |
No |
on |
cloudnative-pg.postgresql.resources.requests.memory |
Memory request for PostgreSQL pod |
No |
1Gi |
cloudnative-pg.postgresql.resources.requests.cpu |
CPU request for PostgreSQL pod |
No |
250m |
cloudnative-pg.postgresql.resources.limits.memory |
Memory limit for PostgreSQL pod |
No |
4Gi |
cloudnative-pg.postgresql.resources.limits.cpu |
CPU limit for PostgreSQL pod |
No |
2000m |