forked from RaminNietzsche/CVE-Radar
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.env.example
More file actions
98 lines (83 loc) · 3.46 KB
/
Copy path.env.example
File metadata and controls
98 lines (83 loc) · 3.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
PORT=3001
SCAN_DAYS=60
# NEVER commit real keys. Use Docker/K8s secrets in production — see docs/self-hosted/SECRETS.md
# Alternative: point *_FILE at mounted secret paths (e.g. /run/secrets/nvd_api_key)
# Optional API key — when set, all /api/* routes require X-Api-Key or Authorization: Bearer (except GET /health)
# API_SECRET=
# API_SECRET_FILE=/run/secrets/api_secret
# Role for authenticated clients when RBAC is active (default admin): admin | scanner | viewer | auditor
# API_ROLE=admin
# Client build (same value, single-tenant internal tool): VITE_API_KEY=
# Server limits (public deployments)
# RATE_LIMIT_SCAN_PER_MIN=12
# RATE_LIMIT_WATCH_PER_MIN=120
# RATE_LIMIT_API_PER_MIN=240
# TRUST_PROXY_HOPS=1
# Client watch interval is UI-only (default 2 min). See docs/WATCH.md
# SCAN_TIMEOUT_MS=120000
# Structured audit logging (stdout JSON) — see docs/self-hosted/AUDIT.md
# AUDIT_HEALTH=true
# Optional alerting (watch mode new CVEs) — see server/services/notifications/
# Legacy Slack webhook (still supported):
# ALERT_WEBHOOK_URL=https://hooks.slack.com/services/...
# ALERT_WEBHOOK_URL_FILE=/run/secrets/alert_webhook_url
# ALERT_MIN_SEVERITY=HIGH
# ALERT_WEBHOOK_FORMAT=slack
# NOTIFICATION_MIN_SEVERITY=HIGH
# NOTIFICATION_DEDUP_MS=900000
# NOTIFICATION_SLACK_WEBHOOK_URL=
# NOTIFICATION_DISCORD_WEBHOOK_URL=
# NOTIFICATION_TELEGRAM_BOT_TOKEN=
# NOTIFICATION_TELEGRAM_CHAT_ID=
# NOTIFICATION_WEBHOOK_URL=
# NOTIFICATION_SMTP_HOST=
# NOTIFICATION_SMTP_PORT=587
# NOTIFICATION_SMTP_USER=
# NOTIFICATION_SMTP_PASS=
# NOTIFICATION_SMTP_FROM=
# NOTIFICATION_SMTP_TO=
NVD_RESULTS_PER_PAGE=30
# NVD_MAX_PAGES=10
# NVD_API_KEY=
# NVD_API_KEY_FILE=/run/secrets/nvd_api_key
# GITHUB_TOKEN=
# GITHUB_TOKEN_FILE=/run/secrets/github_token
GITHUB_MAX_PAGES=3
# Translation (Google GTX unofficial — dev/personal only; optional DeepL / LibreTranslate / MyMemory / Ollama)
# See docs/TRANSLATION.md for provider priority and limits.
TRANSLATE_ENABLED=true
TRANSLATE_MAX_ITEMS=50
TRANSLATE_BATCH_MAX=40
TRANSLATE_CONCURRENCY=3
# DEEPL_API_KEY=your-deepl-key:fx
# DEEPL_API_KEY_FILE=/run/secrets/deepl_api_key
# MYMEMORY_EMAIL=you@example.com
# LIBRETRANSLATE_URL=https://your-libretranslate-host
# LIBRETRANSLATE_API_KEY=
# OLLAMA_URL=http://127.0.0.1:11434
# OLLAMA_MODEL=llama3.2
# Shared cache for multi-instance deployments (optional — in-memory when unset)
# REDIS_URL=redis://127.0.0.1:6379
# CACHE_MAX_ENTRIES=2000
# Optional PostgreSQL scan history (metadata only; skip when unset)
# DATABASE_URL=postgres://cve_radar:cve_radar@127.0.0.1:5432/cve_radar
# Multi-tenant v1 API: X-Tenant-Id: <slug> (default tenant when omitted) — docs/self-hosted/TENANTS.md
# Server data directory (Docker Compose mounts /app/data by default)
# DATA_DIR=./data
# Air-gapped deployment (local mirrors only — see docs/self-hosted/AIRGAP.md)
# AIRGAPPED=true
# NVD_MIRROR_URL=http://internal-mirror/nvd
# OSV_MIRROR_URL=http://internal-mirror/osv
# KEV_MIRROR_URL=http://internal-mirror/kev/catalog.json
# Kubernetes stack discovery (opt-in — see docs/self-hosted/K8S.md)
# K8S_DISCOVERY_ENABLED=true
# K8S_DISCOVERY_NAMESPACES=production,staging
# K8S_KUBECONFIG=/path/to/kubeconfig
# Prometheus metrics at GET /metrics (see docs/self-hosted/METRICS.md)
# METRICS_ENABLED=true
# METRICS_PROTECT=false
# EPSS enrichment (FIRST.org) — set false to disable riskScore fields
# EPSS_ENABLED=true
# EPSS_BATCH_SIZE=100
# CWE → NIST / PCI-DSS compliance mapping (static map in shared/compliance/)
# COMPLIANCE_ENABLED=true