Configuration
Configure Code Corgi detection rules, thresholds, and policy enforcement for your organisation.
Code Corgi is configured per-organisation via a phantomcorgi.yaml file committed to your repository root, or via the dashboard.
phantomcorgi.yaml
```yaml
# phantomcorgi.yaml
version: 1
detection:
  unicode:
    enabled: true
    # Flag zero-width characters, directional overrides, invisible separators
    zero_width: true
    bidi_override: true
    # Homoglyph detection: flag Cyrillic/Greek lookalikes substituted for ASCII
    homoglyphs: true
    # Minimum confidence score to raise a finding (0.0–1.0)
    confidence_threshold: 0.8
  secrets:
    enabled: true
    # Built-in patterns: AWS, GCP, GitHub, Stripe, Twilio, generic API keys, etc.
    builtin_patterns: true
    # Add your own regex patterns
    custom_patterns: []
    # Never flag these (useful for test fixtures with placeholder values)
    allowlist:
      - "AKIAIOSFODNN7EXAMPLE"
      - "sk_test_*"
  semantic:
    enabled: true
    # Flag base64-encoded payloads in comments or string literals
    encoded_payloads: true
    # Flag suspicious eval(), exec(), or dynamic import patterns
    dynamic_execution: true
policy:
  # What happens when a finding is raised
  on_finding: block # block | warn | comment
  # Minimum severity to trigger on_finding action
  min_severity: medium # low | medium | high | critical
notifications:
  # Post a comment on the PR with findings summary
  pr_comment: true
  # Post a summary to a Slack webhook
  slack_webhook: ""
```
Detection settings
Unicode detection
| Key | Default | Description |
|---|---|---|
| zero_width | true | Detect zero-width joiners, non-joiners, spaces, and word joiners |
| bidi_override | true | Detect bidirectional text override characters (U+202A–U+202E, U+2066–U+2069) |
| homoglyphs | true | Detect lookalike characters substituted for ASCII identifiers |
| confidence_threshold | 0.8 | Findings below this score are suppressed |
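To make the three unicode rules concrete, here is an added example scanner (not Code Corgi's own code) that applies them to source text. It checks each character against the zero-width set and the bidi control ranges from the table, and flags an identifier as a homoglyph candidate when Latin letters are mixed with Cyrillic or Greek ones. The `cfg` dict mirrors the `detection.unicode` keys; the product's confidence score is not modelled, so every hit is reported. The sample lines are constructed for the demonstration.

```python
import re
import string
import unicodedata

# Code points named by the unicode rules: the common zero-width characters and
# the bidirectional override/isolate controls U+202A-U+202E and U+2066-U+2069.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}
BIDI = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}

# Identifier-like runs; re's \w is Unicode-aware, so Cyrillic/Greek letters are included.
IDENT = re.compile(r"[^\W\d]\w*")


def _scripts(ident):
    """Set of scripts used by the letters of an identifier (digits/underscore ignored)."""
    scripts = set()
    for ch in ident:
        if ch in string.ascii_letters:
            scripts.add("LATIN")
        elif ch.isalpha():
            # unicodedata names start with the script, e.g. "CYRILLIC SMALL LETTER A"
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def scan_line(lineno, line, cfg):
    """Findings for one line as (lineno, rule, column, detail) tuples.

    cfg mirrors detection.unicode in phantomcorgi.yaml (zero_width, bidi_override,
    homoglyphs). Confidence scoring is not modelled here (assumption): every hit is reported.
    """
    findings = []
    for col, ch in enumerate(line):
        if cfg.get("zero_width", True) and ch in ZERO_WIDTH:
            findings.append((lineno, "zero_width", col, ZERO_WIDTH[ch]))
        elif cfg.get("bidi_override", True) and ch in BIDI:
            findings.append((lineno, "bidi_override", col, unicodedata.name(ch)))
    if cfg.get("homoglyphs", True):
        for m in IDENT.finditer(line):
            scripts = _scripts(m.group())
            # A Latin identifier with Cyrillic or Greek letters mixed in is the
            # lookalike substitution the rule is meant to catch.
            if "LATIN" in scripts and scripts & {"CYRILLIC", "GREEK"}:
                findings.append((lineno, "homoglyphs", m.start(), m.group()))
    return findings


def scan_source(text, cfg):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(lineno, line, cfg))
    return findings


# Constructed sample: one line per rule.
SAMPLE = (
    'token = "abc\u200bdef"\n'            # zero-width space hidden in a string literal
    '# safe\u202e }} ;nimda = elor\n'     # right-to-left override reorders what the reviewer sees
    'p\u0430ssword = os.environ["PW"]\n'  # Cyrillic U+0430 in place of Latin "a"
)
DEFAULT_CFG = {"zero_width": True, "bidi_override": True, "homoglyphs": True}

if __name__ == "__main__":
    for f in scan_source(SAMPLE, DEFAULT_CFG):
        print(f)
```

Note that a pure-Cyrillic identifier is not flagged; only the mixed-script case is, which is what "substituted for ASCII" in the table means. Legitimate non-Latin code therefore passes, and the false positive to watch for is a genuinely bilingual identifier.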
Secret detection
Code Corgi ships with patterns for 50+ credential formats including:
- AWS access keys and secret keys
- GCP service account credentials
- GitHub personal access tokens and OAuth tokens
- Stripe publishable and secret keys
- Twilio API keys
- SendGrid, Postmark, Mailgun API keys
- Private SSH and PGP keys
- JWT secrets
Add custom patterns under custom_patterns as a list of objects:
```yaml
custom_patterns:
  - name: "Internal API token"
    pattern: "CORP_[A-Z0-9]{32}"
    severity: high
```
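The following added example (not Code Corgi's own code) shows how custom patterns, the allowlist, and `policy.min_severity` interact. It runs a small rule set over constructed sample lines: the two "built-in" regexes are stand-ins written for this example (the product's real rule set is not published on this page), the third is the custom pattern above. Allowlist entries are treated as exact strings or glob patterns, which is the natural reading of `"sk_test_*"`; that interpretation is an assumption.

```python
import re
from fnmatch import fnmatchcase

# Illustrative rules only: the first two stand in for the product's built-in
# patterns (which this page does not publish); the third is the custom_patterns
# entry shown above.
PATTERNS = [
    {"name": "AWS access key ID", "pattern": r"\bAKIA[0-9A-Z]{16}\b", "severity": "high"},
    {"name": "Stripe secret key", "pattern": r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b", "severity": "critical"},
    {"name": "Internal API token", "pattern": r"\bCORP_[A-Z0-9]{32}\b", "severity": "high"},
]

# Mirrors detection.secrets.allowlist: exact strings or glob-style entries (assumption).
ALLOWLIST = ["AKIAIOSFODNN7EXAMPLE", "sk_test_*"]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def is_allowlisted(value, allowlist):
    """Exact entries match literally; entries with wildcards are glob patterns."""
    return any(fnmatchcase(value, entry) for entry in allowlist)


def scan_secrets(text, patterns=PATTERNS, allowlist=ALLOWLIST):
    compiled = [(p["name"], re.compile(p["pattern"]), p["severity"]) for p in patterns]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, severity in compiled:
            for m in rx.finditer(line):
                if is_allowlisted(m.group(), allowlist):
                    continue
                findings.append({"line": lineno, "rule": name,
                                 "severity": severity, "match": m.group()})
    return findings


def actionable(findings, min_severity="medium"):
    """Apply policy.min_severity: only findings at or above the floor trigger on_finding."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


# Constructed sample diff content. The AWS value is the placeholder key from the
# AWS documentation; the others are filler shaped like real credentials.
SAMPLE = "\n".join([
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',        # exact allowlist entry: suppressed
    'STRIPE_KEY = "sk_test_' + "x" * 24 + '"',           # matches sk_test_*: suppressed
    'STRIPE_LIVE = "sk_live_' + "x" * 24 + '"',          # live key: reported
    'aws_key = "AKIA' + "0" * 16 + '"',                  # not allowlisted: reported
    'headers = {"X-Token": "CORP_' + "A" * 32 + '"}',    # custom pattern: reported
])

if __name__ == "__main__":
    for f in actionable(scan_secrets(SAMPLE), "medium"):
        print(f"line {f['line']}: {f['rule']} ({f['severity']}) {f['match']}")
```

Keep allowlist globs as narrow as the fixture needs: `sk_test_*` is safe because Stripe test keys cannot charge anything, but a glob such as `AKIA*` would silence every AWS key ID in the repository.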
Semantic detection
Semantic analysis looks at the intent of code, not just character encoding:
- Encoded payloads — base64 or hex-encoded strings in comments or literals that decode to executable code
- Dynamic execution — eval(), exec(), Function(), __import__() calls with non-literal arguments
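As an added example of both semantic rules for Python sources (not Code Corgi's own implementation), the scanner below walks the AST to flag `eval`, `exec` and `__import__` calls whose first argument is not a literal, decodes base64 or hex string literals and checks the result for code-like tokens, and uses `tokenize` to apply the same decoding to comments, which the AST discards. The token list `CODE_HINTS` and the size thresholds are heuristics chosen for this example; the sample module is constructed.

```python
import ast
import base64
import binascii
import io
import re
import tokenize

# Calls the page lists whose argument must be a literal to be considered benign.
DYNAMIC_CALLS = {"eval", "exec", "__import__"}
# Decoded text is treated as executable if it contains any of these (heuristic, assumption).
CODE_HINTS = ("import ", "eval(", "exec(", "os.system", "subprocess", "bash -c", "#!/", "<script")
HEX = re.compile(r"^(?:[0-9a-fA-F]{2}){20,}$")
B64 = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def decode_payload(s):
    """Return the decoded text of a hex or base64 string, or None if it is neither."""
    try:
        if HEX.match(s):  # hex is the stricter alphabet, so test it first
            return bytes.fromhex(s).decode("utf-8")
        if B64.match(s):
            return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return None


def looks_like_code(text):
    return text is not None and any(h in text for h in CODE_HINTS)


class SemanticScanner(ast.NodeVisitor):
    def __init__(self, encoded_payloads=True, dynamic_execution=True):
        self.encoded_payloads = encoded_payloads
        self.dynamic_execution = dynamic_execution
        self.findings = []

    def visit_Call(self, node):
        # exec("literal") is left alone; exec(<expression>) is reported.
        if (self.dynamic_execution and isinstance(node.func, ast.Name)
                and node.func.id in DYNAMIC_CALLS and node.args
                and not isinstance(node.args[0], ast.Constant)):
            self.findings.append((node.lineno, "dynamic_execution", node.func.id))
        self.generic_visit(node)

    def visit_Constant(self, node):
        if self.encoded_payloads and isinstance(node.value, str):
            text = decode_payload(node.value)
            if looks_like_code(text):
                self.findings.append((node.lineno, "encoded_payloads", text[:40]))
        self.generic_visit(node)


def scan_comments(source):
    """ast drops comments, so encoded blobs in comments are found with tokenize."""
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            for blob in re.findall(r"[A-Za-z0-9+/=]{24,}", tok.string):
                text = decode_payload(blob)
                if looks_like_code(text):
                    findings.append((tok.start[0], "encoded_payloads", text[:40]))
    return findings


def scan_semantic(source, encoded_payloads=True, dynamic_execution=True):
    scanner = SemanticScanner(encoded_payloads, dynamic_execution)
    scanner.visit(ast.parse(source))
    findings = list(scanner.findings)
    if encoded_payloads:
        findings.extend(scan_comments(source))
    return sorted(findings)


# Constructed sample module: a base64 blob that decodes to a shell command, executed
# via exec() with a non-literal argument, a benign literal eval(), and the same blob
# parked in a comment.
PAYLOAD = base64.b64encode(b"import os; os.system('id')").decode()
SAMPLE = f"""
import base64
cfg = "{PAYLOAD}"  # looks like an opaque token
exec(base64.b64decode(cfg))  # non-literal argument: flagged
eval("1 + 1")  # literal argument: not flagged
# backup: {PAYLOAD}
"""

if __name__ == "__main__":
    for f in scan_semantic(SAMPLE):
        print(f)
```

The decode step is what separates this from plain pattern matching: a long base64 string that decodes to a JPEG header or random bytes is ignored, while one that decodes to `import os; ...` is reported with its decoded prefix so the reviewer can see the intent without decoding it by hand.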
Policy
on_finding
| Value | Behaviour |
|---|---|
| block | Returns a failing check status on the PR; merging is blocked until resolved or dismissed |
| warn | Returns a neutral check status; PR can merge but the finding is recorded |
| comment | Posts a PR comment only; no check status |
Dismissals
Team members with the Reviewer role can dismiss a finding from the dashboard or by replying to the PR comment with:
/phantomcorgi dismiss <finding-id> reason: <explanation>
Dismissals are recorded in the append-only audit log.
Per-repository overrides
Enterprise customers can manage configuration centrally from the dashboard and push per-repository overrides via the API. See the API Reference for details.
Environment variables
For self-hosted deployments, the following environment variables control runtime behaviour. Note that all credentials are managed via Vault — these variables control non-secret runtime configuration only.
| Variable | Default | Description |
|---|---|---|
| PHANTOMCORGI_LOG_LEVEL | info | Log verbosity: debug, info, warn, error |
| PHANTOMCORGI_MAX_DIFF_SIZE_MB | 10 | Maximum diff size to process (larger diffs are skipped with a warning) |
| PHANTOMCORGI_WORKER_CONCURRENCY | 4 | Number of concurrent scan workers per pod |