
Helm Values Reference

Common Values

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| analysis.image.registry | Analysis service image registry | No | images.pixee.ai |
| analysis.image.repository | Analysis service image repository | No | proxy/pixee/218200003247.dkr.ecr.us-east-1.amazonaws.com/pixee/pixeebot |
| analysis.image.pullSecrets | Analysis image pull secrets (set to {} to disable) | No | [{name: pixee-registry}] |
| analysis.image.tag | Analysis service image tag | No | see analysis Chart.yaml app version |
| analysis.service.type | Analysis service type | No | ClusterIP |
| analysis.serviceAccount.name | Analysis service account name | No | "" |
| analysis.replicaCount | Number of analysis service replicas | No | 1 |
| analysis.resources.requests.cpu | CPU requests for analysis service | No | None |
| analysis.resources.requests.memory | Memory requests for analysis service | No | None |
| analysis.resources.limits.cpu | CPU limits for analysis service | No | None |
| analysis.resources.limits.memory | Memory limits for analysis service | No | None |
| seaweedfs.global.imageName | SeaweedFS image name (for embedded object store) | No | images.pixee.ai/proxy/pixee/index.docker.io/chrislusf/seaweedfs |
| seaweedfs.global.imagePullSecrets | SeaweedFS image pull secrets (for embedded object store) | No | [{name: image-pull-secret}] |
| seaweedfs.s3.enabled | Enable SeaweedFS S3 compatibility (for embedded object store) | No | true |
| seaweedfs.filer.data.type | Storage type for filer data (hostPath or persistentVolumeClaim) | No | persistentVolumeClaim (Helm), hostPath (Embedded Cluster) |
| seaweedfs.filer.data.size | Size of filer persistent volume | No | 25Gi |
| seaweedfs.filer.data.storageClass | Storage class for filer PVC (empty = cluster default) | No | "" (uses cluster default) |
| seaweedfs.filer.data.hostPathPrefix | Host path for filer data when using hostPath type | No (if using hostPath) | /var/lib/seaweedfs (Embedded Cluster default) |
| seaweedfs.filer.s3.createBuckets | SeaweedFS buckets to create on install (for embedded object store) | No | pixee-analysis-input |
| global.pixee.objectStore.username | Object store username (for embedded SeaweedFS) | No | pixeebot |
| global.pixee.objectStore.password | Object store password (for embedded SeaweedFS) | No | pixeebot |
| global.pixee.objectStore.ttlDays | Number of days before objects expire in embedded object store | No | 7 |
| platform.hostAliases | Custom host-to-IP mappings for platform pods (/etc/hosts entries) | No | [] |
| platform.image.registry | Platform service image registry | No | images.pixee.ai |
| platform.image.repository | Platform service image repository | No | proxy/pixee/218200003247.dkr.ecr.us-east-1.amazonaws.com/pixee/pixeebot |
| platform.image.pullSecrets | Platform image pull secrets (set to {} to disable) | No | [{name: pixee-registry}] |
| platform.image.tag | Platform service image tag | No | see platform Chart.yaml app version |
| platform.ingress.enabled | Enable ingress for the platform service | No | false |
| platform.ingress.className | Ingress controller class name | Yes (if ingress enabled) | None |
| platform.ingress.hosts | List of host configurations | Yes (if ingress enabled) | None |
| platform.ingress.tls | TLS configuration for ingress | No | None |
| platform.replicaCount | Number of platform service replicas | No | 1 |
| platform.resources.requests.cpu | CPU requests for platform service | No | None |
| platform.resources.requests.memory | Memory requests for platform service | No | None |
| platform.resources.limits.cpu | CPU limits for platform service | No | None |
| platform.resources.limits.memory | Memory limits for platform service | No | None |
| platform.service.type | Service type for platform | No | ClusterIP |
| platform.serviceAccount.name | Platform service account name | No | "" |
| replicated.image.registry | Replicated SDK image registry (for embedded object store) | No | images.pixee.ai |
| replicated.image.repository | Replicated SDK image repository (for embedded object store) | No | proxy/pixee/index.docker.io/replicated/replicated-sdk |
| replicated.imagepullSecrets | Replicated SDK image pull secret (set to {} to disable) | No | [{name: pixee-registry}] |

Global Values

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| global.pixee.domain | Domain name where Pixee Enterprise Server will be accessible | Yes | None |
| global.pixee.protocol | Protocol to use for accessing Pixee Enterprise Server (http or https) | Yes | https |
| global.pixee.serviceAccount.create | Create a service account for the Pixee Enterprise Server release | Yes | true |
| global.pixee.serviceAccount.name | Name of service account to create | No | pixee |
| global.pixee.access.oidc.client.provider | OIDC provider (google, microsoft, embedded) | Yes (if using authentication) | None |
| global.pixee.access.oidc.client.id | Client ID for OIDC provider | Yes (if using authentication) | web |
| global.pixee.access.oidc.client.secret | Client secret for OIDC provider | Yes (if using authentication) | secret |
| global.pixee.access.oidc.client.existingSecret | Name of existing secret containing the client secret | No | {} |
| global.pixee.access.oidc.client.secretKeys.secretKey | Secret key containing the client secret | Yes | secret |
| global.pixee.access.oidc.client.authServerUrl | Auth server URL for Microsoft OIDC provider or embedded | Yes (if using Microsoft or embedded) | None |
| global.pixee.access.oidc.client.basePath | Base path for OIDC endpoints | No | oidc |
| global.pixee.access.oidc.embedded.enabled | Use embedded OIDC provider | No | false |
| global.pixee.access.oidc.embedded.scopes | OAuth scopes for embedded OIDC provider | Yes (if using embedded OIDC) | openid profile email |
| global.pixee.access.oidc.embedded.issuer | OIDC issuer URL for embedded provider | Yes (if using embedded OIDC) | None |
| global.pixee.access.oidc.embedded.authenticationRedirectPath | Path for authentication redirect | Yes (if using embedded OIDC) | /api/auth/login |
| global.pixee.access.oidc.embedded.applicationType | OAuth application type | Yes (if using embedded OIDC) | web-app |
| global.pixee.access.oidc.embedded.usersJson | JSON configuration for embedded OIDC users | Yes (if using embedded OIDC) | Default alice/bob users |
| global.pixee.access.oidc.embedded.existingSecret | Name of existing secret containing users.json | No | None |
| global.pixee.ai.enabled | Enable or disable AI functionality | No | true |
| global.pixee.ai.default.provider | AI provider type. Options: openai, azure, anthropic | No | None |
| global.pixee.ai.default.apiKey | AI provider API key for AI features | Yes (if using OpenAI) | None |
| global.pixee.ai.default.existingSecret | Name of existing Kubernetes secret containing AI provider API key (takes precedence over direct key) | No (alternative to direct key) | None |
| global.pixee.ai.default.secretKeys.apiKey | Key within the secret that contains the AI provider API key | Yes | key |
| global.pixee.ai.default.endpoint | AI provider base URL | No | None |
| global.pixee.ai.scaModelsEnabled | Enable Software Composition Analysis (SCA) models for enhanced vulnerability detection | No | false |
| global.pixee.ai.scaModelName | LLM model name for SCA analysis (only used when scaModelsEnabled=true) | No | "gpt-4.1" |
| global.pixee.ai.deepResearchModelName | LLM model name for deep research analysis (only used when scaModelsEnabled=true) | No | "o4-mini-deep-research" |
| global.pixee.objectStore.embedded | Use embedded object store instead of external | No | true |
| global.pixee.objectStore.endpoint | External object store endpoint URL | Yes (if embedded: false) | None |
| global.pixee.objectStore.username | External object store access key ID | Yes (if embedded: false) | None |
| global.pixee.objectStore.password | External object store secret access key | Yes (if embedded: false) | None |
| global.pixee.sentry.enabled | Enable or disable error reporting via Sentry | No | true |
| global.pixee.metrics.enabled | Enable or disable metrics reporting | No | true |
| global.defaultStorageClass | Default storage class to use for PVCs | No | None |
| global.pixee.httpProxy | HTTP proxy server host/address and port (host:port) | No | None |
| global.pixee.httpsProxy | HTTPS proxy server host/address and port (host:port) | No | None |
| global.pixee.noProxy | Comma-separated list of hosts to exclude from HTTP/HTTPS proxy | No | None |
| global.pixee.privateCACert | Name of a ConfigMap containing PEM-encoded CA certificates to add to trust stores | No | "" |
| global.pixee.skipSSLVerification | (Deprecated) Disable SSL cert verification for platform. Use privateCACert instead | No | false |

Custom Values

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| analysis.aiCodegenStrategy | AI code generation strategy (agentic-native, agentic-fast) | No | agentic-native |
| analysis.backpressureEnabled | Enable backpressure algorithm to proactively cancel analyses that cannot complete within timeout limits | No | true |
| analysis.enableTransitiveDependencyAnalysis | Enable analysis of transitive dependencies during SCA for deeper vulnerability detection | No | false |
| analysis.useAgenticTriageForAllRules | Route all triage rules through the ReACT agentic analyzer, bypassing explicit and magic handlers | No | false |
| analysis.useScaExploitabilityToShortcircuitFix | Skip fix generation for findings that SCA determines are not exploitable | No | false |
| analysis.enableVendoredFileTriage | Use a specialized triage strategy for vendored files | No | true |
| analysis.cache.enabled | Enable URL-based analysis input caching | No | true |
| analysis.cache.defaultTtlSeconds | Default TTL in seconds for cached analysis inputs | No | 86400 |
| analysis.cache.maxSizeBytes | Maximum cache size in bytes | No | 10737418240 (10GB) |
| analysis.cache.honorCacheControl | Honor cache-control headers from source | No | true |
| analysis.cache.directory | Override cache directory path | No | "" (service default) |
| analysis.scaMaxRequestsToAnalyze | Maximum number of requests to analyze during SCA | No | 5 |
| analysis.scaQueueNumWorkers | Number of workers in the dedicated SCA analysis queue | No | 2 |
| analysis.scaQueueMaxSize | Maximum size of the SCA task queue (0 = unbounded) | No | 0 |
| analysis.scaBackpressureEnabled | Enable backpressure for the SCA analysis queue | No | false |
| global.pixee.ai.webSearch.model | LLM model name for web-search-enabled queries | No | "" |
| platform.database.embedded | Use embedded database instead of external | No | true |
| platform.database.host | External database hostname | Yes (if embedded: false) | None |
| platform.database.port | External database port | No | 5432 |
| platform.database.name | External database name | No | pixee_platform |
| platform.database.username | External database username | Yes (if embedded: false) | None |
| platform.database.password | External database password | Yes (if embedded: false) | None |
| platform.database.existingSecret | Name of existing secret containing a password key | No | "" |
| platform.gitCloneStrategy | Git clone strategy for VCS operations (partial or full) | No | partial |
| platform.gitBranchPrefix | Optional prefix for Git branch names created by Pixee | No | None |
| platform.gitCommitMessagePrefix | Optional prefix for Git commit messages created by Pixee | No | None |
| platform.proxy.enabled | Enable proxy configuration | No | false |
| platform.proxy.address | Address of proxy server | No | None |
| platform.proxy.headers.forwarded | Allow 'Forwarded' header | No | false |
| platform.proxy.headers.xForwarded | Allow X-Forwarded-* headers | No | false |
| platform.inputBucket | Custom name for analysis input bucket | No | pixee-analysis-input |
| platform.inputSignatureDuration | Duration for pre-signed URLs (e.g., "1h", "30m") | No | None |
| platform.analysisTimeout | General analysis progress timeout (e.g., "15m", "30m") | No | 15m |
| platform.sastAnalysisTimeout | SAST-specific analysis timeout (e.g., "20m", "30m") | No | None |
| platform.scaAnalysisTimeout | SCA-specific analysis timeout (e.g., "45m", "1h") | No | None |
| platform.github.appName | GitHub App name | No | None |
| platform.github.appId | GitHub App ID | No | None |
| platform.github.appWebhookSecret | GitHub App webhook secret | No | None |
| platform.github.appPrivateKey | GitHub App private key | No | None |
| platform.github.url | GitHub Enterprise URL | No | None |
| platform.github.existingSecret | Name of existing secret containing GitHub App webhook and private key (takes precedence over setting appWebhookSecret directly) | No | None |
| platform.github.secretKeys.appWebhookSecretKey | Secret key containing the appWebhookSecret | No | appWebhookSecret |
| platform.github.secretKeys.appPrivateKeySecretKey | Secret key containing the appPrivateKey | No | appPrivateKey |
| platform.scm.azure.organization | Azure DevOps organization name | No | None |
| platform.scm.azure.token | Azure DevOps personal access token | No | None |
| platform.scm.azure.existingSecret | Name of existing secret containing Azure DevOps token and webhook password (takes precedence over setting token directly) | No | None |
| platform.scm.azure.secretKeys.tokenKey | Key within the secret that contains the Azure DevOps token | Yes | token |
| platform.scm.azure.secretKeys.webhookPasswordKey | Key within the secret that contains the Azure DevOps webhook password | Yes | webhookPassword |
| platform.scm.gitlab.baseUri | Self-hosted GitLab base URI | No | None |
| platform.scm.gitlab.token | GitLab personal access token (required scopes: api, read_user, read_repository, read_api, write_repository, ai_features, read_registry, read_virtual_registry). A service account token is recommended. | No | None |
| platform.scm.gitlab.webhookSecret | GitLab webhook secret | No | None |
| platform.scm.gitlab.existingSecret | Name of existing secret containing GitLab token and webhookSecret (takes precedence over setting token directly) | No | None |
| platform.scm.gitlab.secretKeys.tokenKey | Key within the secret that contains the GitLab token | Yes | token |
| platform.scm.gitlab.secretKeys.webhookSecretKey | Key within the secret that contains the GitLab webhookSecret | Yes | webhookSecret |
| platform.scm.bitbucket.username | BitBucket username | No | None |
| platform.scm.bitbucket.password | BitBucket app password | No | None |
| platform.scm.bitbucket.existingSecret | Name of existing secret containing BitBucket password (takes precedence over setting password directly) | No | None |
| platform.scm.bitbucket.secretKeys.passwordKey | Key within the secret that contains the BitBucket password | Yes | password |
| platform.pixeebot.appscan.apiKeyId | AppScan key ID | No | None |
| platform.pixeebot.appscan.apiKeySecret | AppScan key secret | No | None |
| platform.pixeebot.appscan.webhook.user | AppScan webhook username for basic authentication | No | None |
| platform.pixeebot.appscan.webhook.password | AppScan webhook password for basic authentication | No | None |
| platform.pixeebot.appscan.existingSecret | Name of existing secret containing AppScan API key, webhook user and password (takes precedence over setting apiKeySecret, webhook.user and webhook.password directly) | No | None |
| platform.pixeebot.appscan.secretKeys.apiKeySecretKey | Key within the secret that contains the AppScan API key | Yes | apiKeySecret |
| platform.pixeebot.appscan.secretKeys.webhookUserKey | Key within the secret that contains the AppScan webhook username | Yes | webhookUser |
| platform.pixeebot.appscan.secretKeys.webhookPasswordKey | Key within the secret that contains the AppScan webhook password | Yes | webhookPassword |
| platform.sonar.token | SonarQube personal access token | No | None |
| platform.sonar.webhookSecret | SonarQube webhook secret | No | None |
| platform.sonar.baseUri | SonarQube server base URI | Yes (if type is server) | None |
| platform.sonar.gitHubAppName | SonarQube GitHub app name | No | None |
| platform.sonar.existingSecret | Name of existing secret containing SonarQube token and webhookSecret (takes precedence over setting token directly) | No | None |
| platform.sonar.secretKeys.tokenKey | Key within the secret that contains the SonarQube token | Yes | token |
| platform.sonar.secretKeys.webhookSecretKey | Key within the secret that contains the SonarQube webhookSecret | Yes | webhookSecret |
| platform.sonar.excludeMaintainabilityFindings | Exclude maintainability findings (code smells) | No | false |
| platform.sonar.excludeReliabilityFindings | Exclude reliability findings (bugs) | No | false |
| platform.sonar.cweIds | Comma-separated list of CWE IDs to filter findings. When set, overrides filterCweTop25 and additionalCweIds | No | None |
| platform.sonar.filterCweTop25 | (Deprecated) Filter to include only CWE Top 25 findings. Use cweIds instead | No | false |
| platform.sonar.additionalCweIds | (Deprecated) Comma-separated list of additional CWE IDs to include. Use cweIds instead | No | None |
| platform.sonar.maxFindingsPerScan | Maximum number of findings to retrieve per scan | No | 10000 |
| platform.veracode.apiKeyId | Veracode key ID | No | None |
| platform.veracode.apiKeySecret | Veracode key secret | No | None |
| platform.veracode.existingSecret | Name of existing secret containing Veracode apiKeySecret (takes precedence over setting accessToken directly) | No | None |
| platform.veracode.secretKeys.apiKeySecretKey | Key within the secret that contains the Veracode apiKeySecret | Yes | apiKeySecret |
| platform.arnica.apiKey | Arnica API key | No | None |
| platform.arnica.existingSecret | Name of existing secret containing Arnica API key (takes precedence over setting apiKey directly) | No | None |
| platform.arnica.secretKeys.apiKeyKey | Key within the secret that contains the Arnica API key | Yes | apiKey |
| platform.blackduck.accessToken | Black Duck access token | No | None |
| platform.blackduck.existingSecret | Name of existing secret containing Black Duck access token (takes precedence over setting accessToken directly) | No | None |
| platform.blackduck.secretKeys.accessTokenKey | Key within the secret that contains the Black Duck access token | Yes | accessToken |
| platform.checkmarx.region | Checkmarx AST region (US, US2, EU, EU2, DEU, ANZ, IND, SNG, MEA) | No | US |
| platform.checkmarx.tenantAccountName | Checkmarx tenant account name | No | None |
| platform.checkmarx.apiKey | Checkmarx API key | No | None |
| platform.checkmarx.existingSecret | Name of existing secret containing Checkmarx API key (takes precedence over setting apiKey directly) | No | None |
| platform.checkmarx.secretKeys.apiKeyKey | Key within the secret that contains the Checkmarx API key | Yes | apiKey |
| oidc.ingress.enabled | Enable ingress for OIDC service | No | false |
| oidc.ingress.className | Ingress controller class name for OIDC | No | None |
| oidc.ingress.hosts | Host configurations for OIDC ingress | No | None |
| oidc.ingress.tls | TLS configuration for OIDC ingress | No | None |
| oidc.ingress.annotations | Annotations for OIDC ingress | No | None |
| oidc.service.type | Service type for OIDC service | No | ClusterIP |
| oidc.image.registry | Container registry for OIDC service image | No | images.pixee.ai |
| oidc.image.repository | Repository path for OIDC service image | No | proxy/pixee/218200003247.dkr.ecr.us-east-1.amazonaws.com/pixee/zitadel-oidc-service |
| oidc.image.tag | Image tag for OIDC service | No | 3.38.1-52fc585@sha256:2d0fd908e81f4e8fff4141ca2cb84271dfd5edf2f8a0fe5968edf7e56cba5343 |
| oidc.image.pullPolicy | Image pull policy for OIDC service | No | IfNotPresent |
| oidc.image.pullSecrets | Image pull secrets for OIDC service (set to '{}' to disable) | No | [{name: pixee-registry}] |
| superset.database.existingSecret | Name of existing secret containing Superset PostgreSQL credentials (kubernetes.io/basic-auth with username and password keys) | No | "" |
| authentik.database.existingSecret | Name of existing secret containing Authentik PostgreSQL credentials (kubernetes.io/basic-auth with username and password keys) | No | "" |
| cloudnative-pg.postgresql.parameters.maxConnections | Maximum number of PostgreSQL connections | No | 200 |
| cloudnative-pg.postgresql.parameters.sharedBuffers | PostgreSQL shared buffer memory (recommended: 25% of memory limit) | No | 1GB |
| cloudnative-pg.postgresql.parameters.effectiveCacheSize | Planner hint for available cache memory | No | 3GB |
| cloudnative-pg.postgresql.parameters.workMem | Per-operation memory for sorts and hashes | No | 16MB |
| cloudnative-pg.postgresql.parameters.maintenanceWorkMem | Memory for VACUUM and index creation | No | 256MB |
| cloudnative-pg.postgresql.parameters.randomPageCost | Planner cost for random page access (lower for SSD) | No | 1.1 |
| cloudnative-pg.postgresql.parameters.checkpointCompletionTarget | Checkpoint I/O spread target (0.0-1.0) | No | 0.9 |
| cloudnative-pg.postgresql.parameters.logLockWaits | Log lock wait events for debugging | No | on |
| cloudnative-pg.postgresql.resources.requests.memory | Memory request for PostgreSQL pod | No | 1Gi |
| cloudnative-pg.postgresql.resources.requests.cpu | CPU request for PostgreSQL pod | No | 250m |
| cloudnative-pg.postgresql.resources.limits.memory | Memory limit for PostgreSQL pod | No | 4Gi |
| cloudnative-pg.postgresql.resources.limits.cpu | CPU limit for PostgreSQL pod | No | 2000m |