Config reference

All config keys, environment variables, and defaults.

Bomly resolves configuration in the following order, with later sources overriding earlier ones:

  1. ~/.bomly/config.yaml
  2. <project>/.bomly/config.yaml
  3. BOMLY_* environment variables
  4. CLI flags

--config <path> adds an explicit config file to the load list before environment variables and flags are applied.

YAML files use the nested keys documented below. Unknown keys and the former flat keys are rejected so configuration mistakes fail fast.

General

| YAML Key | Environment Variable | Type | Default | Description |
|---|---|---|---|---|
| target.path | BOMLY_PATH | string | - | Filesystem path to scan |
| target.container | BOMLY_CONTAINER | string | - | Container image to scan (e.g. alpine:latest) |
| target.url | BOMLY_URL | string | - | Remote Git URL to clone and scan |
| target.ref | BOMLY_REF | string | - | Git ref to checkout when scanning a URL |
| target.sbom | BOMLY_SBOM | bool | - | Treat the selected filesystem target as an SBOM file |
| pipeline.enrich | BOMLY_ENRICH | bool | - | Enrich packages with external license and vulnerability data |
| pipeline.audit | BOMLY_AUDIT | bool | - | Evaluate policy and create findings from package vulnerability data |
| pipeline.analyze | BOMLY_ANALYZE | bool | - | Run code analysis to confirm whether vulnerabilities are reachable from application code |
| policy.fail_on | BOMLY_FAIL_ON | []string | - | Constraint(s) for which findings should be created. Repeatable; AND-ed. Severity: any\|low\|medium\|high\|critical. Reachability: reachable. Exploitability: exploitable |
| policy.allow_vulnerability_ids | BOMLY_ALLOW_VULNERABILITY_IDS | []string | - | Vulnerability IDs to ignore during policy evaluation |
| policy.allow_licenses | BOMLY_ALLOW_LICENSES | []string | - | Allowed SPDX license identifiers or expressions |
| policy.deny_licenses | BOMLY_DENY_LICENSES | []string | - | Denied SPDX license identifiers or expressions |
| policy.license_exempt_packages | BOMLY_LICENSE_EXEMPT_PACKAGES | []string | - | Package URLs exempt from license policy checks |
| policy.deny_packages | BOMLY_DENY_PACKAGES | []string | - | Package URLs to deny |
| policy.deny_groups | BOMLY_DENY_GROUPS | []string | - | Package URL namespaces to deny |
| policy.protected_packages | BOMLY_PROTECTED_PACKAGES | []string | - | Canonical package names to protect from typosquatting |
| policy.typosquat_threshold | BOMLY_TYPOSQUAT_THRESHOLD | string | 0.90 | Similarity threshold for typosquatting detection |
| policy.typosquat_mode | BOMLY_TYPOSQUAT_MODE | string | warn | Typosquatting policy mode: warn or fail |
| policy.warn_only | BOMLY_WARN_ONLY | bool | - | Downgrade failing findings to warnings |
| components.analyzers | BOMLY_ANALYZERS | string | - | Reachability analyzer selectors; supports +name and -name modifiers |
| output.format | BOMLY_FORMAT | string | - | Primary output format: text, json, markdown, sarif, spdx, or cyclonedx. SBOM formats are scan-only |
| output.outputs | BOMLY_OUTPUT | []string | - | Additional output target(s) as <format> or <format>=<path>. Repeatable; supports text, json, markdown, sarif, spdx, and cyclonedx |
| output.interactive | BOMLY_INTERACTIVE | bool | - | Enable interactive TUI mode |
| components.ecosystems | BOMLY_ECOSYSTEMS | string | - | Ecosystem selectors; supports +name and -name modifiers |
| components.detectors | BOMLY_DETECTORS | string | - | Detector selectors; supports +name and -name modifiers |
| components.auditors | BOMLY_AUDITORS | string | - | Auditor selectors; supports +name and -name modifiers |
| components.matchers | BOMLY_MATCHERS | string | - | Matcher selectors; supports +name and -name modifiers |
| pipeline.install_first | BOMLY_INSTALL_FIRST | bool | - | Run detector-specific dependency installation before resolving graphs |
| pipeline.install_args | BOMLY_INSTALL_ARGS | []string | - | Additional detector-specific install arguments |
| logging.quiet | BOMLY_QUIET | bool | - | Suppress all non-error output |
| logging.verbosity | BOMLY_VERBOSE | int | - | Verbosity level (0=normal, 1=verbose, 2+=debug) |
| network.proxy.url | BOMLY_HTTP_PROXY | string | - | Outbound HTTP proxy URL used by Bomly and managed plugins |
| network.proxy.no_proxy | BOMLY_HTTP_NO_PROXY | string | - | Comma-separated hosts, domains, or CIDRs that should bypass the outbound HTTP proxy |
| network.proxy.type | BOMLY_HTTP_PROXY_TYPE | string | http | Outbound proxy type when using host/port proxy settings: http, https, or socks5 |
| network.proxy.host | BOMLY_HTTP_PROXY_HOST | string | - | Outbound proxy hostname or IP address used when http_proxy is not set |
| network.proxy.port | BOMLY_HTTP_PROXY_PORT | int | - | Outbound proxy port used with http_proxy_host |
| network.proxy.username | BOMLY_HTTP_PROXY_USERNAME | string | - | Username for proxy authentication when using host/port proxy settings |
| network.proxy.password | BOMLY_HTTP_PROXY_PASSWORD | string | - | Password for proxy authentication when using host/port proxy settings |
| network.ca_cert_file | BOMLY_HTTP_CA_CERT_FILE | string | - | PEM certificate chain file to trust for outbound HTTPS connections, including TLS-intercepting proxies |
| plugins | - | map[string]map[string]any | - | Per-plugin configuration keyed by managed plugin ID |

OSV matcher settings

| YAML Key | Environment Variable | Type | Default | Description |
|---|---|---|---|---|
| matchers.osv.api_base | BOMLY_OSV_API_BASE | string | https://api.osv.dev | Base URL for the OSV vulnerability API |
| matchers.osv.cache_dir | BOMLY_OSV_CACHE_DIR | string | - | Directory for the OSV response cache |
| matchers.osv.cache_ttl | BOMLY_OSV_CACHE_TTL | string | 24h | TTL for cached OSV responses (e.g. 24h) |

KEV enrichment settings

| YAML Key | Environment Variable | Type | Default | Description |
|---|---|---|---|---|
| matchers.osv.kev.cache_dir | BOMLY_KEV_CACHE_DIR | string | - | Directory for the CISA KEV cache |
| matchers.osv.kev.cache_ttl | BOMLY_KEV_CACHE_TTL | string | 24h | TTL for cached KEV data (e.g. 24h) |

Scorecard matcher settings

| YAML Key | Environment Variable | Type | Default | Description |
|---|---|---|---|---|
| matchers.scorecard.api_base | BOMLY_SCORECARD_API_BASE | string | https://api.scorecard.dev | Base URL for the OpenSSF Scorecard public API |
| matchers.scorecard.cache_dir | BOMLY_SCORECARD_CACHE_DIR | string | - | Directory for the Scorecard response cache |
| matchers.scorecard.cache_ttl | BOMLY_SCORECARD_CACHE_TTL | string | 24h | TTL for cached Scorecard responses (e.g. 24h) |

Flat YAML Migration

Flat YAML keys are no longer accepted. Move each existing key to its nested replacement:

| Former Flat Key | Replacement |
|---|---|
| allow_licenses | policy.allow_licenses |
| allow_vulnerability_ids | policy.allow_vulnerability_ids |
| analyze | pipeline.analyze |
| analyzers | components.analyzers |
| audit | pipeline.audit |
| auditors | components.auditors |
| config | --config |
| container | target.container |
| deny_groups | policy.deny_groups |
| deny_licenses | policy.deny_licenses |
| deny_packages | policy.deny_packages |
| detectors | components.detectors |
| ecosystems | components.ecosystems |
| enrich | pipeline.enrich |
| fail_on | policy.fail_on |
| format | output.format |
| http_ca_cert_file | network.ca_cert_file |
| http_no_proxy | network.proxy.no_proxy |
| http_proxy | network.proxy.url |
| http_proxy_host | network.proxy.host |
| http_proxy_password | network.proxy.password |
| http_proxy_port | network.proxy.port |
| http_proxy_type | network.proxy.type |
| http_proxy_username | network.proxy.username |
| install_args | pipeline.install_args |
| install_first | pipeline.install_first |
| interactive | output.interactive |
| kev_cache_dir | matchers.osv.kev.cache_dir |
| kev_cache_ttl | matchers.osv.kev.cache_ttl |
| license_exempt_packages | policy.license_exempt_packages |
| matchers | components.matchers |
| osv_api_base | matchers.osv.api_base |
| osv_cache_dir | matchers.osv.cache_dir |
| osv_cache_ttl | matchers.osv.cache_ttl |
| outputs | output.outputs |
| path | target.path |
| protected_packages | policy.protected_packages |
| quiet | logging.quiet |
| ref | target.ref |
| sbom | target.sbom |
| scorecard_api_base | matchers.scorecard.api_base |
| scorecard_cache_dir | matchers.scorecard.cache_dir |
| scorecard_cache_ttl | matchers.scorecard.cache_ttl |
| typosquat_mode | policy.typosquat_mode |
| typosquat_threshold | policy.typosquat_threshold |
| url | target.url |
| verbose | logging.verbosity |
| verbosity | logging.verbosity |
| warn_only | policy.warn_only |
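The resolution order described at the top of this page and the flat-key rejection behind the migration table, worked through as an added Python illustration rather than Bomly's own code. It assumes the YAML layers have already been parsed into dicts, covers only a subset of the documented keys, and keys CLI flag values by their nested names.

```python
# Layered config resolution in the order this page documents (user file, project
# file, BOMLY_* env, CLI flags); unknown and former flat keys are rejected so
# mistakes fail fast. Hypothetical code, not Bomly's own; layers are pre-parsed dicts.
SCHEMA = {  # subset of the nested keys documented above: env var and type
    "target.path": ("BOMLY_PATH", str),
    "pipeline.audit": ("BOMLY_AUDIT", bool),
    "policy.fail_on": ("BOMLY_FAIL_ON", list),
    "network.proxy.url": ("BOMLY_HTTP_PROXY", str),
}
FLAT_KEYS = {  # former flat keys and their replacements, from the migration table
    "path": "target.path", "audit": "pipeline.audit",
    "fail_on": "policy.fail_on", "http_proxy": "network.proxy.url"}

def flatten(d, prefix=""):
    """Turn nested dicts into {'a.b.c': value} for key-by-key validation."""
    out = {}
    for k, v in d.items():
        if isinstance(v, dict):
            out.update(flatten(v, prefix + k + "."))
        else:
            out[prefix + k] = v
    return out

def problems(layer, source):
    """List every rejected key in one layer; flat keys get a migration hint."""
    errs = []
    for key in flatten(layer):
        if key in FLAT_KEYS:
            errs.append(f"{source}: flat key '{key}' rejected; use '{FLAT_KEYS[key]}'")
        elif key not in SCHEMA:
            errs.append(f"{source}: unknown key '{key}'")
    return errs

def from_env(raw, typ):  # coerce an environment string to the documented type
    if typ is bool:
        return raw.lower() in ("1", "true", "yes")
    return [s for s in raw.split(",") if s] if typ is list else raw

def resolve(files, env, flags):
    """files: [(name, dict)] in load order; later sources override earlier."""
    merged = {}
    for name, layer in files:
        if errs := problems(layer, name):
            raise ValueError("; ".join(errs))  # fail fast, before any scan runs
        merged.update(flatten(layer))
    for key, (var, typ) in SCHEMA.items():
        if var in env:
            merged[key] = from_env(env[var], typ)
    merged.update(flags)  # CLI flags are applied last and win
    return merged
```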

Example Configuration

# ~/.bomly/config.yaml or .bomly/config.yaml
# target:
#   Filesystem path to scan
#   path: ""
#   Container image to scan (e.g. alpine:latest)
#   container: ""
#   Remote Git URL to clone and scan
#   url: ""
#   Git ref to checkout when scanning a URL
#   ref: ""
#   Treat the selected filesystem target as an SBOM file
#   sbom: false
# pipeline:
#   Enrich packages with external license and vulnerability data
#   enrich: false
#   Evaluate policy and create findings from package vulnerability data
#   audit: false
#   Run code analysis to confirm whether vulnerabilities are reachable from application code
#   analyze: false
#   Run detector-specific dependency installation before resolving graphs
#   install_first: false
#   Additional detector-specific install arguments
#   install_args: []
# components:
#   Ecosystem selectors; supports +name and -name modifiers
#   ecosystems: ""
#   Detector selectors; supports +name and -name modifiers
#   detectors: ""
#   Auditor selectors; supports +name and -name modifiers
#   auditors: ""
#   Matcher selectors; supports +name and -name modifiers
#   matchers: ""
#   Reachability analyzer selectors; supports +name and -name modifiers
#   analyzers: ""
# policy:
#   Constraint(s) for which findings should be created. Repeatable; AND-ed. Severity: any|low|medium|high|critical. Reachability: reachable. Exploitability: exploitable
#   fail_on: []
#   Vulnerability IDs to ignore during policy evaluation
#   allow_vulnerability_ids: []
#   Allowed SPDX license identifiers or expressions
#   allow_licenses: []
#   Denied SPDX license identifiers or expressions
#   deny_licenses: []
#   Package URLs exempt from license policy checks
#   license_exempt_packages: []
#   Package URLs to deny
#   deny_packages: []
#   Package URL namespaces to deny
#   deny_groups: []
#   Canonical package names to protect from typosquatting
#   protected_packages: []
#   Similarity threshold for typosquatting detection
#   typosquat_threshold: 0.90
#   Typosquatting policy mode: warn or fail
#   typosquat_mode: warn
#   Downgrade failing findings to warnings
#   warn_only: false
# output:
#   Primary output format: text, json, markdown, sarif, spdx, or cyclonedx. SBOM formats are scan-only
#   format: ""
#   Additional output target(s) as <format> or <format>=<path>. Repeatable; supports text, json, markdown, sarif, spdx, and cyclonedx
#   outputs: []
#   Enable interactive TUI mode
#   interactive: false
# logging:
#   Suppress all non-error output
#   quiet: false
#   Verbosity level (0=normal, 1=verbose, 2+=debug)
#   verbosity: 0
# network:
#   proxy:
#     Outbound HTTP proxy URL used by Bomly and managed plugins
#     url: ""
#     Comma-separated hosts, domains, or CIDRs that should bypass the outbound HTTP proxy
#     no_proxy: ""
#     Outbound proxy type when using host/port proxy settings: http, https, or socks5
#     type: http
#     Outbound proxy hostname or IP address used when http_proxy is not set
#     host: ""
#     Outbound proxy port used with http_proxy_host
#     port: 0
#     Username for proxy authentication when using host/port proxy settings
#     username: ""
#     Password for proxy authentication when using host/port proxy settings
#     password: ""
#   PEM certificate chain file to trust for outbound HTTPS connections, including TLS-intercepting proxies
#   ca_cert_file: ""
# matchers:
#   osv:
#     Base URL for the OSV vulnerability API
#     api_base: https://api.osv.dev
#     Directory for the OSV response cache
#     cache_dir: ""
#     TTL for cached OSV responses (e.g. 24h)
#     cache_ttl: 24h
#     kev:
#       Directory for the CISA KEV cache
#       cache_dir: ""
#       TTL for cached KEV data (e.g. 24h)
#       cache_ttl: 24h
#   scorecard:
#     Base URL for the OpenSSF Scorecard public API
#     api_base: https://api.scorecard.dev
#     Directory for the Scorecard response cache
#     cache_dir: ""
#     TTL for cached Scorecard responses (e.g. 24h)
#     cache_ttl: 24h
# Per-plugin configuration keyed by managed plugin ID
# plugins: {}