Skip to content

Environment Variables

AbrahamOO edited this page Jun 18, 2026 · 1 revision

Environment Variables

A complete, grouped reference for every environment variable security-mcp reads. Defaults are noted where they exist.

Gate and scope

Variable Default Purpose
SECURITY_GATE_POLICY .mcp/policies/security-policy.json Path to the active policy file
SECURITY_GATE_MODE recent_changes Scope mode: recent changes, full, or targets
SECURITY_GATE_TARGETS (none) Explicit files or paths to scan
SECURITY_GATE_BASE_REF origin/main Base ref for diff scoping
SECURITY_GATE_HEAD_REF HEAD Head ref for diff scoping
SECURITY_GATE_EXCEPTIONS (none) Path to the exceptions file
SECURITY_GATE_SCANNERS (none) Override which external scanners run
SECURITY_GATE_EVIDENCE_MAP (none) Path to the evidence map
SECURITY_GATE_CONTROL_CATALOG (none) Path to the control catalog

Integrity and signing

Variable Default Purpose
SECURITY_POLICY_HMAC_KEY (none) HMAC key for signing policy/exceptions/baseline; minimum 32 bytes
SECURITY_REQUIRE_SIGNED_EXCEPTIONS (none) Require exceptions to be signed to suppress findings
SECURITY_ALLOW_UNSIGNED_HIGH_SUPPRESSION (none) Break-glass: let unsigned exceptions suppress HIGH-and-above
SECURITY_ATTEST_ALLOW_INCOMPLETE (none) Break-glass: allow attestation over an incomplete result
SECURITY_ATTEST_KEY (none) Key used to sign attestations
SECURITY_AUDIT_HMAC_KEY (none) HMAC key for the audit/attestation chain

Privacy

Variable Default Purpose
SECURITY_OFFLINE (none) Disable all network egress (air-gapped mode)

MCP channel

Variable Default Purpose
SECURITY_MCP_SHARED_SECRET (none) Shared secret for caller auth; minimum 32 bytes
SECURITY_SESSION_TTL_MS 28800000 (8h) Session lifetime; maximum 86400000 (24h)

Remediation

Variable Default Purpose
SECURITY_AGENTIC_QUARANTINE (none) Repo-output handling: strip, sanitize, quarantine, or off

Integrations

Variable Default Purpose
SECURITY_SLACK_WEBHOOK (none) Slack webhook for notifications
SECURITY_JIRA_URL (none) Jira base URL
SECURITY_JIRA_TOKEN (none) Jira API token
SECURITY_JIRA_PROJECT SECURITY Jira project key for created tickets
SECURITY_PAGERDUTY_KEY (none) PagerDuty integration key
SECURITY_WEBHOOK_URL (none) Generic webhook endpoint

Live scanning

Variable Default Purpose
SECURITY_STAGING_URL (none) Target URL for runtime and Nuclei DAST checks
SECURITY_AI_ENDPOINT (none) AI endpoint for the AI red-team checks
SECURITY_AUTO_SBOM (none) Enable automatic SBOM generation

See Configuration and Policy and Security and Hardening for how the integrity and privacy variables change gate behavior.

Clone this wiki locally