Skip to content

Update environment variable documentation #1546

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 19, 2025
Merged

Update environment variable documentation #1546

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 54 additions & 17 deletions docs/environment-variables.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,39 +4,76 @@ Environment variables are sometimes used to control experimental features or adv

## `DisableGoCliScan`

If the environment variable `DisableGoCliScan` is set to "true", we fall back to parsing `go.mod` and `go.sum` ourselves.
If the environment variable `DisableGoCliScan` is set to "true", we fall back to parsing `go.mod` and `go.sum` ourselves.
Otherwise, the Go detector uses go-cli command: `go list -m all` to discover Go dependencies.

## `DisableRustCliScan`

When set to "true", the Rust detector skips all Cargo CLI execution, including metadata queries.
In SBOM mode, dependencies will be mapped directly to `*.cargo-sbom.json` files.
In fallback mode, the detector processes `Cargo.lock` and `Cargo.toml` files to infer dependencies and relationships.
Disabling the CLI may reduce the precision of component-to-location mapping and can lead to over-reporting.

## `PyPiMaxCacheEntries`

The environment variable `PyPiMaxCacheEntries` is used to control the size of the in-memory LRU cache that caches responses from PyPi.
The default value is 4096.

## `PIP_INDEX_URL`

Determines what package feed should be used for `pip install --report` detection.
The default value will use the PyPi index unless pip defaults have been configured globally.

## `PipReportOverrideBehavior`

Overrides pip report with one of the following detection strategies:
- `Skip`: Will not run pip detection
- `SourceCodeScan`: Scan `setup.py` and `requirements.txt` files, and record components explicitly from the package files without hitting a remote feed. Does not compile a dependency graph.

## `PipReportSkipFallbackOnFailure`

When set to "true", skips the default fallback behavior if pip report fails.
Default behavior scans `setup.py` and `requirements.txt` files, and records components explicitly from the package files without hitting a remote feed.
Does not compile a dependency graph.

## `PipReportFileLevelTimeoutSeconds`

Controls the timeout limit (in seconds) for generating the PipReport for individual files.
This defaults to the overall timeout.

## `PipReportDisableFastDeps`

When set to "true", disables the fast deps feature in PipReport.

## `PipReportIgnoreFileLevelIndexUrl`

When set to "true", ignores the `--index-url` argument that can be provided in the requirements.txt file.
See [pip install documentation](https://pip.pypa.io/en/stable/cli/pip_install/#install-index-url) for more details.

## `PipReportPersistReports`

When set to "true", allows the PipReport detector to persist the reports that it generates, rather than cleaning them up after constructing the dependency graph.

## `CD_DETECTOR_EXPERIMENTS`

When set to any value, enables detector experiments, a feature to compare the results of different detectors for the
same ecosystem. The available experiments are found in the [`Experiments\Config`](../src/Microsoft.ComponentDetection.Orchestrator/Experiments/Configs)
folder.
When set to any value, enables detector experiments, a feature to compare the results of different detectors for the same ecosystem.
The available experiments are found in the [`Experiments\Config`](../src/Microsoft.ComponentDetection.Orchestrator/Experiments/Configs) folder.

## `CD_GRADLE_DEV_LOCKFILES`

Enables dev-dependency categorization for the Gradle
detector. Comma-separated list of Gradle lockfiles which contain only
development dependencies. Dependencies connected to Gradle
configurations matching the given regex are considered development
dependencies. If a lockfile will contain a mix of development and
production dependencies, see `CD_GRADLE_DEV_CONFIGURATIONS` below.
Enables dev-dependency categorization for the Gradle detector.
Comma-separated list of Gradle lockfiles which contain only development dependencies.
Dependencies connected to Gradle configurations matching the given regex are considered development dependencies.
If a lockfile will contain a mix of development and production dependencies, see `CD_GRADLE_DEV_CONFIGURATIONS` below.

## `CD_GRADLE_DEV_CONFIGURATIONS`

Enables dev-dependency categorization for the Gradle
detector. Comma-separated list of Gradle configurations which refer to development dependencies.
Dependencies connected to Gradle configurations matching
the given configurations are considered development dependencies.
Enables dev-dependency categorization for the Gradle detector.
Comma-separated list of Gradle configurations which refer to development dependencies.
Dependencies connected to Gradle configurations matching the given configurations are considered development dependencies.
If an entire lockfile will contain only dev dependencies, see `CD_GRADLE_DEV_LOCKFILES` above.

[1]: https://go.dev/ref/mod#go-mod-graph

## `MvnCLIFileLevelTimeoutSeconds`

When set to any positive integer value, it controls the max execution time Mvn CLI is allowed to take per each `pom.xml` file. Default behavior is unbounded.
When set to any positive integer value, it controls the max execution time Mvn CLI is allowed to take per each `pom.xml` file.
Default behavior is unbounded.