Scrutari

Configuration via Environment Variables

Scrutari is configured exclusively through environment variables and follows two core principles: the Override Hierarchy and the "WHERE vs. WHAT" model for secrets.

Principle 1: The Override Hierarchy

  1. Tool-Specific (SCRUTARI_*): A SCRUTARI_* environment variable is the most specific and will always be used if present.
  2. Universal (3SC_*): If a SCRUTARI_* variable is not found, the tool looks for a corresponding 3SC_* variable.
  3. Hard-coded Default: If neither is set, the tool falls back to a safe, built-in default.

Principle 2: "WHERE vs. WHAT" for Secrets Management

  • The "WHERE" (The Connection): These variables tell the tool where your secrets vault is and how to authenticate (e.g., 3SC_VAULT_TYPE, SCRUTARI_GIT_VAULT_TYPE).
  • The "WHAT" (The Secret Name): These variables tell the tool what specific secret to retrieve (e.g., SCRUTARI_GIT_PAT_SECRET_NAME).

The Golden Rule: If you define a "WHERE" for a task, the tool will require you to provide the corresponding "WHAT".
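
The two principles as a pre-flight check, added here as an example and not part of Scrutari: `resolve` applies the override hierarchy, and `check_golden_rule` reports every scope whose "WHERE" resolves without its "WHAT". It assumes that an empty value counts as unset, that the Git repository is private, and that the Firehose and Control Point checks apply only when one of their URLs is set; `SAMPLE_ENV` and its values are constructed.

```python
import os
import sys

CP_URLS = ["SCRUTARI_CP_" + s for s in (
    "ANALYSIS_AFTER", "GRAPHBUILD_BEFORE", "GRAPHBUILD_AFTER",
    "COMPLETION_ONSUCCESS", "COMPLETION_ONFAILURE")]

# (scope, variables that enable the feature, "WHAT" variable), names from this page.
# Git has no enabling variable here: assumption that the repository is private.
SCOPES = [
    ("GIT", [], "SCRUTARI_GIT_PAT_SECRET_NAME"),
    ("LOG", ["SCRUTARI_LOG_ENDPOINT_URL", "3SC_LOG_ENDPOINT_URL"],
     "SCRUTARI_LOG_ENDPOINT_TOKEN_SECRET_NAME"),
    ("CP", CP_URLS, "SCRUTARI_CP_WEBHOOK_TOKEN_SECRET_NAME"),
]

# Constructed sample: universal vault set, logging enabled, logging "WHAT" missing.
SAMPLE_ENV = {
    "3SC_VAULT_TYPE": "example-provider",  # placeholder, not a documented value
    "SCRUTARI_GIT_PAT_SECRET_NAME": "example-git-pat",
    "SCRUTARI_LOG_ENDPOINT_URL": "https://firehose.example.invalid/ingest",
}


def resolve(env, specific, fallback=None, default=None):
    """Principle 1: SCRUTARI_* first, then 3SC_*, then the built-in default."""
    for key in (specific, fallback):
        if key and env.get(key):  # assumption: empty string counts as unset
            return env[key], key
    return default, "default"


def check_golden_rule(env):
    """Principle 2: list each scope whose "WHERE" resolves without its "WHAT"."""
    findings = []
    for scope, enablers, what in SCOPES:
        if enablers and not any(env.get(name) for name in enablers):
            continue  # feature disabled, no secret will be fetched
        vault, source = resolve(env, f"SCRUTARI_{scope}_VAULT_TYPE", "3SC_VAULT_TYPE")
        if vault and not env.get(what):
            findings.append(f"{scope}: WHERE set by {source}, WHAT {what} missing")
    return findings


if __name__ == "__main__":
    problems = check_golden_rule(os.environ)
    print("\n".join(problems) or "WHERE/WHAT configuration is consistent")
    sys.exit(1 if problems else 0)
```

Names that begin with a digit, such as 3SC_VAULT_TYPE, cannot be assigned with `export` or `NAME=value` in a POSIX shell; set them through the CI system's variable settings or with `env`.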


Core CI Configuration

| Variable (SCRUTARI_*) | Fallback (3SC_*) | Required? | Default | Purpose |
|---|---|---|---|---|
| SCRUTARI_LANGUAGES | | Yes | | A comma-separated list of languages to analyze (e.g., CSharp,Java). |
| SCRUTARI_OUTPUT_DIRECTORY | | No | scrutari | The directory relative to the repo root where artifacts will be saved. |
| SCRUTARI_LICENSE_SERVER_URL | 3SC_LICENSE_SERVER_URL | Yes | | The full URL of the 3SC License Server. |
| SCRUTARI_LICENSE_TIMEOUT_SECONDS | 3SC_LICENSE_TIMEOUT_SECONDS | No | 300 | Timeout in seconds for license server requests. |
| SCRUTARI_LICENSE_RETRY_INTERVAL_SECONDS | 3SC_LICENSE_RETRY_INTERVAL_SECONDS | No | 30 | Time in seconds to wait between license retry attempts. |

Git & Repository Configuration

| Variable (SCRUTARI_*) | Fallback (3SC_*) | Required? | Purpose |
|---|---|---|---|
| SCRUTARI_GIT_REPO_URL | 3SC_GIT_REPO_URL | Conditional¹ | The full HTTPS URL of the Git repository for remote clones. |
| SCRUTARI_GIT_BRANCH | 3SC_GIT_BRANCH | No | The specific branch to clone. |
| SCRUTARI_GIT_SUBDIRECTORY | 3SC_GIT_SUBDIRECTORY | No | Path to a specific project within a monorepo to scope the analysis. |
| SCRUTARI_FORCE_UNSAFE_GIT_PUSH | 3SC_FORCE_UNSAFE_GIT_PUSH | No | Must be true to allow git push from an unsafe CI environment. |
| SCRUTARI_GIT_PAT | 3SC_GIT_PAT | Conditional² | A Personal Access Token provided directly. (Not Recommended) |
| SCRUTARI_GIT_PAT_SECRET_NAME | | Conditional³ | The "WHAT": The name of the secret in a vault that contains the Git PAT. |
| SCRUTARI_GIT_VAULT_TYPE | 3SC_VAULT_TYPE | No | The scoped "WHERE": Overrides the Vault provider for Git operations only. |
| SCRUTARI_GIT_VAULT_URL | 3SC_VAULT_URL | Conditional | The scoped "WHERE": The endpoint for the vault used for the Git PAT. |
| SCRUTARI_GIT_AZURE_CLIENT_ID | 3SC_AZURE_CLIENT_ID | Conditional | The scoped "WHERE": Azure SP Client ID for the Git PAT vault. |
| SCRUTARI_GIT_AZURE_CLIENT_SECRET | 3SC_AZURE_CLIENT_SECRET | Conditional | The scoped "WHERE": Azure SP Client Secret for the Git PAT vault. |
| SCRUTARI_GIT_AZURE_TENANT_ID | 3SC_AZURE_TENANT_ID | Conditional | The scoped "WHERE": Azure Tenant ID for the Git PAT vault. |
| SCRUTARI_GIT_AWS_ACCESS_KEY_ID | 3SC_AWS_ACCESS_KEY_ID | Conditional | The scoped "WHERE": AWS Access Key ID for the Git PAT vault. |
| SCRUTARI_GIT_AWS_SECRET_ACCESS_KEY | 3SC_AWS_SECRET_ACCESS_KEY | Conditional | The scoped "WHERE": AWS Secret Access Key for the Git PAT vault. |
| SCRUTARI_GIT_GOOGLE_APPLICATION_CREDENTIALS | GOOGLE_APPLICATION_CREDENTIALS | Conditional | The scoped "WHERE": Path to the GCP service account key file for the Git PAT vault. |
| SCRUTARI_GIT_VAULT_TOKEN | 3SC_VAULT_TOKEN | Conditional | The scoped "WHERE": The HashiCorp Vault token for the Git PAT vault. |

¹ Required only if the tool needs to perform a remote git clone.
² Required for private repositories if not using a Vault.
³ Required for private repositories if SCRUTARI_GIT_VAULT_TYPE or 3SC_VAULT_TYPE is set.

Observability (Firehose) Configuration

| Variable (SCRUTARI_*) | Fallback (3SC_*) | Required? | Purpose |
|---|---|---|---|
| SCRUTARI_LOG_ENDPOINT_URL | 3SC_LOG_ENDPOINT_URL | No | The URL for the Firehose endpoint. Feature disabled if not set. |
| SCRUTARI_LOG_ENDPOINT_TOKEN | 3SC_LOG_ENDPOINT_TOKEN | Conditional¹ | A direct authentication token for the endpoint. |
| SCRUTARI_LOG_ENDPOINT_TOKEN_SECRET_NAME | | Conditional² | The "WHAT": The name of the secret in a vault that contains the token. |
| SCRUTARI_LOG_VAULT_TYPE | 3SC_VAULT_TYPE | No | The scoped "WHERE": Overrides the Vault provider for Logging operations only. |
| SCRUTARI_LOG_VAULT_URL | 3SC_VAULT_URL | Conditional | The scoped "WHERE": The endpoint for the vault used for the Firehose token. |
| SCRUTARI_LOG_AZURE_CLIENT_ID | 3SC_AZURE_CLIENT_ID | Conditional | The scoped "WHERE": Azure SP Client ID for the Firehose token vault. |
| SCRUTARI_LOG_AZURE_CLIENT_SECRET | 3SC_AZURE_CLIENT_SECRET | Conditional | The scoped "WHERE": Azure SP Client Secret for the Firehose token vault. |
| SCRUTARI_LOG_AZURE_TENANT_ID | 3SC_AZURE_TENANT_ID | Conditional | The scoped "WHERE": Azure Tenant ID for the Firehose token vault. |
| SCRUTARI_LOG_AWS_ACCESS_KEY_ID | 3SC_AWS_ACCESS_KEY_ID | Conditional | The scoped "WHERE": AWS Access Key ID for the Firehose token vault. |
| SCRUTARI_LOG_AWS_SECRET_ACCESS_KEY | 3SC_AWS_SECRET_ACCESS_KEY | Conditional | The scoped "WHERE": AWS Secret Access Key for the Firehose token vault. |
| SCRUTARI_LOG_GOOGLE_APPLICATION_CREDENTIALS | GOOGLE_APPLICATION_CREDENTIALS | Conditional | The scoped "WHERE": Path to the GCP service account key file for the Firehose token vault. |
| SCRUTARI_LOG_VAULT_TOKEN | 3SC_VAULT_TOKEN | Conditional | The scoped "WHERE": The HashiCorp Vault token for the Firehose token. |

¹ Required if URL is set and not using a Vault.
² Required if URL is set and a Vault is configured.

Control Point Configuration

| Variable (SCRUTARI_*) | Fallback (3SC_*) | Required? | Purpose |
|---|---|---|---|
| SCRUTARI_CP_ANALYSIS_AFTER | | No | URL for the webhook invoked after language-specific analysis completes. |
| SCRUTARI_CP_GRAPHBUILD_BEFORE | | No | URL for the webhook invoked before the Universal Code Graph is built. |
| SCRUTARI_CP_GRAPHBUILD_AFTER | | No | URL for the webhook invoked after the Universal Code Graph is built. |
| SCRUTARI_CP_COMPLETION_ONSUCCESS | | No | URL for the webhook invoked when the entire process completes successfully. |
| SCRUTARI_CP_COMPLETION_ONFAILURE | | No | URL for the webhook invoked if an unrecoverable error occurs. |
| SCRUTARI_CP_WEBHOOK_TOKEN | | Conditional¹ | A direct authentication token for all Control Point webhooks. |
| SCRUTARI_CP_WEBHOOK_TOKEN_SECRET_NAME | | Conditional² | The "WHAT": The name of the secret in a vault that contains the token. |
| SCRUTARI_CP_VAULT_TYPE | 3SC_VAULT_TYPE | No | The scoped "WHERE": Overrides the Vault provider for Control Point operations only. |
| SCRUTARI_CP_VAULT_URL | 3SC_VAULT_URL | Conditional | The scoped "WHERE": The endpoint for the vault used for the Control Point token. |
| SCRUTARI_CP_AZURE_CLIENT_ID | 3SC_AZURE_CLIENT_ID | Conditional | The scoped "WHERE": Azure SP Client ID for the Control Point token vault. |
| SCRUTARI_CP_AZURE_CLIENT_SECRET | 3SC_AZURE_CLIENT_SECRET | Conditional | The scoped "WHERE": Azure SP Client Secret for the Control Point token vault. |
| SCRUTARI_CP_AZURE_TENANT_ID | 3SC_AZURE_TENANT_ID | Conditional | The scoped "WHERE": Azure Tenant ID for the Control Point token vault. |
| SCRUTARI_CP_AWS_ACCESS_KEY_ID | 3SC_AWS_ACCESS_KEY_ID | Conditional | The scoped "WHERE": AWS Access Key ID for the Control Point token vault. |
| SCRUTARI_CP_AWS_SECRET_ACCESS_KEY | 3SC_AWS_SECRET_ACCESS_KEY | Conditional | The scoped "WHERE": AWS Secret Access Key for the Control Point token vault. |
| SCRUTARI_CP_GOOGLE_APPLICATION_CREDENTIALS | GOOGLE_APPLICATION_CREDENTIALS | Conditional | The scoped "WHERE": Path to the GCP service account key file for the Control Point token vault. |
| SCRUTARI_CP_VAULT_TOKEN | 3SC_VAULT_TOKEN | Conditional | The scoped "WHERE": The HashiCorp Vault token for the Control Point token. |

¹ Required if any URL is set and not using a Vault.
² Required if any URL is set and a Vault is configured.


Licensing & Degraded Mode

  • If a valid license cannot be acquired, Scrutari runs in a Degraded Mode.
  • In this mode, it will not perform any analysis or generate any artifacts.
  • It will log a warning and exit successfully (exit code 0) to ensure that licensing issues do not block your pipeline.
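
Because Degraded Mode exits with code 0, the exit status alone does not show that analysis ran. The following added example (not part of Scrutari) is a follow-up CI step for pipelines that treat the analysis as a required gate: it fails when the output directory holds no artifact written during the current run. It assumes the step runs from the repo root and is given a Unix timestamp recorded before Scrutari started.

```python
import os
import sys
from pathlib import Path


def fresh_artifacts(repo_root, run_started, env=os.environ):
    """Files under the Scrutari output directory modified at or after run_started.

    run_started is a Unix timestamp taken before Scrutari was invoked, so that
    artifacts left by an earlier run in a reused workspace are not counted.
    """
    # SCRUTARI_OUTPUT_DIRECTORY is relative to the repo root; default "scrutari".
    out_dir = Path(repo_root) / (env.get("SCRUTARI_OUTPUT_DIRECTORY") or "scrutari")
    if not out_dir.is_dir():
        return []
    return sorted(p for p in out_dir.rglob("*")
                  if p.is_file() and p.stat().st_mtime >= run_started)


def gate(repo_root, run_started, env=os.environ):
    """Exit status for a CI step: 0 if this run produced artifacts, 1 if not."""
    return 0 if fresh_artifacts(repo_root, run_started, env) else 1


if __name__ == "__main__":
    # Usage (hypothetical file name): python scrutari_gate.py <unix-timestamp>
    sys.exit(gate(os.getcwd(), float(sys.argv[1])))
```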