-
Notifications
You must be signed in to change notification settings - Fork 0
Environment Variables
AbrahamOO edited this page Jun 18, 2026
·
1 revision
A complete, grouped reference for every environment variable security-mcp reads. Defaults are noted where they exist.
| Variable | Default | Purpose |
|---|---|---|
SECURITY_GATE_POLICY |
.mcp/policies/security-policy.json |
Path to the active policy file |
SECURITY_GATE_MODE |
recent_changes |
Scope mode: recent changes, full, or targets |
SECURITY_GATE_TARGETS |
(none) | Explicit files or paths to scan |
SECURITY_GATE_BASE_REF |
origin/main |
Base ref for diff scoping |
SECURITY_GATE_HEAD_REF |
HEAD |
Head ref for diff scoping |
SECURITY_GATE_EXCEPTIONS |
(none) | Path to the exceptions file |
SECURITY_GATE_SCANNERS |
(none) | Override which external scanners run |
SECURITY_GATE_EVIDENCE_MAP |
(none) | Path to the evidence map |
SECURITY_GATE_CONTROL_CATALOG |
(none) | Path to the control catalog |
| Variable | Default | Purpose |
|---|---|---|
SECURITY_POLICY_HMAC_KEY |
(none) | HMAC key for signing policy/exceptions/baseline; minimum 32 bytes |
SECURITY_REQUIRE_SIGNED_EXCEPTIONS |
(none) | Require exceptions to be signed to suppress findings |
SECURITY_ALLOW_UNSIGNED_HIGH_SUPPRESSION |
(none) | Break-glass: let unsigned exceptions suppress HIGH-and-above |
SECURITY_ATTEST_ALLOW_INCOMPLETE |
(none) | Break-glass: allow attestation over an incomplete result |
SECURITY_ATTEST_KEY |
(none) | Key used to sign attestations |
SECURITY_AUDIT_HMAC_KEY |
(none) | HMAC key for the audit/attestation chain |
| Variable | Default | Purpose |
|---|---|---|
SECURITY_OFFLINE |
(none) | Disable all network egress (air-gapped mode) |
| Variable | Default | Purpose |
|---|---|---|
SECURITY_MCP_SHARED_SECRET |
(none) | Shared secret for caller auth; minimum 32 bytes |
SECURITY_SESSION_TTL_MS |
28800000 (8h) |
Session lifetime; maximum 86400000 (24h) |
| Variable | Default | Purpose |
|---|---|---|
SECURITY_AGENTIC_QUARANTINE |
(none) | Repo-output handling: strip, sanitize, quarantine, or off
|
| Variable | Default | Purpose |
|---|---|---|
SECURITY_SLACK_WEBHOOK |
(none) | Slack webhook for notifications |
SECURITY_JIRA_URL |
(none) | Jira base URL |
SECURITY_JIRA_TOKEN |
(none) | Jira API token |
SECURITY_JIRA_PROJECT |
SECURITY |
Jira project key for created tickets |
SECURITY_PAGERDUTY_KEY |
(none) | PagerDuty integration key |
SECURITY_WEBHOOK_URL |
(none) | Generic webhook endpoint |
| Variable | Default | Purpose |
|---|---|---|
SECURITY_STAGING_URL |
(none) | Target URL for runtime and Nuclei DAST checks |
SECURITY_AI_ENDPOINT |
(none) | AI endpoint for the AI red-team checks |
SECURITY_AUTO_SBOM |
(none) | Enable automatic SBOM generation |
See Configuration and Policy and Security and Hardening for how the integrity and privacy variables change gate behavior.
Start here
Engines
Agents
Reference
Operate