config
AppSec Config -- Preferences Management
Manage persistent security preferences stored in .appsec/config.yaml.
Settings control default behavior for all /appsec:* tools -- scope, depth,
severity filters, scanner paths, enabled hooks, accepted risks, and
excluded paths.
This skill runs entirely in the main agent context. It does NOT dispatch subagents.
Supported Operations
Detect the user's intent from their message:
| Intent | Action |
|---|---|
| "show config", "current settings" | Display current config |
| "set default scope to full" | Update a setting |
| "exclude vendor/ from scans" | Add to excluded paths |
| "accept risk INJ-003" | Add to accepted risks |
| "reset config" | Delete config file |
| "enable hooks" | Enable/disable hook settings |
| No specific intent | Show current config with explanations |
Config Schema
The config file is .appsec/config.yaml. All fields are optional. When a
field is absent, the tool default applies.
# .appsec/config.yaml
# AppSec plugin preferences
# Default scope when no --scope flag is provided
# Values: changed, staged, branch, full
# Default: changed
default_scope: changed
# Default depth when no --depth flag is provided
# Values: quick, standard, deep, expert
# Default: standard
default_depth: standard
# Minimum severity to report
# Values: critical, high, medium, low
# Default: low (report everything)
minimum_severity: low
# Scanner binary paths (override auto-detection)
# Use when scanners are not on PATH
scanner_paths:
# semgrep: /usr/local/bin/semgrep
# gitleaks: /opt/tools/gitleaks
# trivy: /usr/local/bin/trivy
# Paths to exclude from all scans
# Glob patterns relative to repository root
excluded_paths:
- "vendor/**"
- "node_modules/**"
- "dist/**"
- "build/**"
- "*.min.js"
- "*.bundle.js"
- "**/*.test.*"
- "**/*.spec.*"
# Accepted risks (findings to suppress in future scans)
# Each entry: finding ID, reason, who accepted, when
accepted_risks: []
# - id: INJ-003
# reason: "Input is validated upstream by API gateway"
# accepted_by: "developer"
# accepted_on: "2026-02-14"
# Hook configuration
hooks:
# Review implementation plans for security on ExitPlanMode
plan_review: true
# Scan written/edited files for hardcoded secrets
secret_detection: true
# Frameworks to include in full-audit
# Default: all
enabled_frameworks:
- owasp
- stride
- pasta
- linddun
- sans25
# Red team personas to include in expert mode
# Default: all
enabled_personas:
- script-kiddie
- insider
- organized-crime
- hacktivist
- nation-state
- supply-chain
Workflow
Step 1: Load Current Config
Check if .appsec/config.yaml exists using Glob. If it exists, read it.
If not, use all defaults.
If the config file exists but cannot be parsed as valid YAML, warn the user: Warning: .appsec/config.yaml has invalid YAML. Using defaults. Run /appsec:config to fix. If the file contains unknown keys (possible typos), warn: Warning: Unknown config key '<key>'. Did you mean '<closest-match>'?
Step 2: Parse User Intent
Determine what the user wants:
Show config: Display the current config (or defaults if no file exists) with explanations for each setting.
Update a setting:
- Validate the new value against the allowed values for that field.
- If the config file exists, read it and update the field.
- If no config file exists, create one with the single changed field.
- Write the file.
- Confirm the change.
Exclude a path:
Add the path pattern to excluded_paths. Validate it is a valid glob
pattern. Warn if the pattern seems too broad (e.g., **/* would exclude
everything).
Accept a risk:
- Verify the finding ID exists in
.appsec/findings.json. - Ask the user for a reason if not provided.
- Add to
accepted_riskswith timestamp. - Confirm the acceptance.
Reset config:
Delete .appsec/config.yaml. Confirm that all settings return to defaults.
Enable/disable hooks:
Toggle hooks.plan_review or hooks.secret_detection.
Step 3: Output
Show Config (Text Format)
=====================================================
APPSEC CONFIG -- Current Settings
=====================================================
DEFAULTS:
Scope: <value> (default: changed)
Depth: <value> (default: standard)
Severity: <value> (default: low)
SCANNERS:
semgrep: <auto-detected / custom path>
gitleaks: <auto-detected / custom path>
...
EXCLUDED PATHS:
- vendor/**
- node_modules/**
- ...
ACCEPTED RISKS: <N>
- <ID>: <reason> (accepted <date>)
- ...
HOOKS:
Plan review: <enabled/disabled>
Secret detection: <enabled/disabled>
FRAMEWORKS: <list>
RED TEAM: <list>
CONFIG FILE: .appsec/config.yaml <exists / not created>
=====================================================
/appsec:config set <key> <value> Change a setting
/appsec:config exclude <path> Add exclusion
/appsec:config accept <ID> Accept a risk
/appsec:config reset Reset to defaults
=====================================================
Update Confirmation
Updated .appsec/config.yaml:
<key>: <old value> -> <new value>
Validation Rules
| Field | Allowed Values | Error on Invalid |
|---|---|---|
default_scope |
changed, staged, branch, full |
Yes, show allowed values |
default_depth |
quick, standard, deep, expert |
Yes, show allowed values |
minimum_severity |
critical, high, medium, low |
Yes, show allowed values |
scanner_paths.* |
Absolute file path that exists | Warn if path does not exist |
excluded_paths |
Valid glob pattern | Warn if pattern is too broad |
accepted_risks.*.id |
Finding ID present in findings.json | Warn if ID not found |
hooks.* |
true or false |
Yes |
enabled_frameworks |
owasp, stride, pasta, linddun, sans25 |
Yes |
enabled_personas |
script-kiddie, insider, organized-crime, hacktivist, nation-state, supply-chain |
Yes |
How Config Is Consumed
Other skills read .appsec/config.yaml at startup to apply defaults:
- If the user provides a flag (e.g.,
--scope full), the flag wins. - If no flag is provided, the config value is used.
- If no config value exists, the tool default applies.
Accepted risks are filtered out during consolidation in /appsec:run and
/appsec:full-audit. The finding is still detected but marked as
"accepted": true and excluded from severity counts unless --severity low
is explicitly set.