ShipSecure

Configuration

Configure Radar per-repository with .radar.yml

Create a .radar.yml in your repository root to customize Radar's behavior per-repo.

Example

ignore:
  - "**/*.test.ts"
  - "migrations/**"
  - "vendor/**"

severity_threshold: low    # low, medium, high, critical

ignore_cwes:
  - CWE-79

trusted_paths:
  - "test/**"
  - "scripts/**"

max_files: 50
enabled: true

Options

enabled

Set to false to disable Radar on this repository. Defaults to true.

ignore

Glob patterns for files to skip during analysis. Useful for generated code, migrations, and vendored dependencies.

severity_threshold

Minimum severity to report. One of low, medium, high, or critical. Defaults to low.

ignore_cwes

List of CWE IDs to suppress. Findings matching these CWEs will not be reported.

trusted_paths

Glob patterns for paths that receive less strict analysis (e.g. test files, scripts).

max_files

Maximum number of files to analyze per PR. Defaults to 50. Files are prioritized by risk.
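To make the semantics of these options concrete, here is an added example (not Radar's own code) that applies a configuration mirroring the example above to a constructed set of findings. It implements `ignore` and `trusted_paths` as `**`-aware globs, `severity_threshold` as a minimum level, `ignore_cwes` as a suppression set, and `max_files` as a cap on the highest-risk files; the `Finding` type, the `risk` score used for prioritisation, and the `CONFIG` dict (stood in for a parsed `.radar.yml`) are assumptions of the example.

```python
"""Added example: applying .radar.yml options to findings. Not Radar's implementation."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed config mirroring the page's example .radar.yml (normally parsed from the repo).
CONFIG = {
    "enabled": True,
    "ignore": ["**/*.test.ts", "migrations/**", "vendor/**"],
    "severity_threshold": "low",
    "ignore_cwes": ["CWE-79"],
    "trusted_paths": ["test/**", "scripts/**"],
    "max_files": 50,
}


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a glob into a regex: ** spans directories, * and ? stay within one segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")   # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")         # anything, including slashes
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def matches_any(path: str, patterns: Iterable[str]) -> bool:
    return any(glob_to_regex(p).match(path) for p in patterns)


def is_trusted(path: str, config: Dict) -> bool:
    """True when the path falls under trusted_paths (the analyzer relaxes checks there)."""
    return matches_any(path, config.get("trusted_paths", []))


@dataclass
class Finding:            # assumed shape of a finding, for illustration
    path: str
    severity: str
    cwe: str
    risk: float           # per-file risk score used when max_files is exceeded


def apply_config(findings: List[Finding], config: Dict) -> List[Finding]:
    """Return the findings that survive the repository's .radar.yml settings."""
    if not config.get("enabled", True):
        return []
    threshold = SEVERITY_ORDER[config.get("severity_threshold", "low")]
    suppressed = set(config.get("ignore_cwes", []))
    kept = [
        f for f in findings
        if not matches_any(f.path, config.get("ignore", []))
        and f.cwe not in suppressed
        and SEVERITY_ORDER[f.severity] >= threshold
    ]
    # max_files: keep only the N highest-risk files (our reading of "prioritized by risk").
    file_risk: Dict[str, float] = {}
    for f in kept:
        file_risk[f.path] = max(file_risk.get(f.path, 0.0), f.risk)
    top = sorted(file_risk, key=lambda p: file_risk[p], reverse=True)[: config.get("max_files", 50)]
    allowed = set(top)
    return [f for f in kept if f.path in allowed]


# Constructed sample findings covering each rule.
SAMPLE_FINDINGS = [
    Finding("src/auth.ts", "high", "CWE-89", 0.9),        # reported
    Finding("src/auth.test.ts", "high", "CWE-89", 0.9),   # dropped: matches **/*.test.ts
    Finding("vendor/lib.js", "critical", "CWE-78", 1.0),  # dropped: matches vendor/**
    Finding("src/render.ts", "medium", "CWE-79", 0.5),    # dropped: CWE-79 suppressed
    Finding("src/util.ts", "low", "CWE-20", 0.1),         # reported: threshold is low
]

if __name__ == "__main__":
    for f in apply_config(SAMPLE_FINDINGS, CONFIG):
        print(f.severity, f.cwe, f.path, "(trusted)" if is_trusted(f.path, CONFIG) else "")
```

Raising `severity_threshold` to `medium` drops the CWE-20 finding, and setting `max_files: 1` keeps only `src/auth.ts`, the file with the highest risk score; both cases are easy to try by editing `CONFIG`.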

Dependency scanning

Radar also checks PRs for newly introduced vulnerable dependencies by comparing against the base branch. Only new vulnerabilities are reported — pre-existing ones are ignored.

Supported files: package.json (npm), requirements.txt (PyPI), go.mod (Go), Gemfile.lock (RubyGems), Cargo.lock (crates.io).

Data source: OSV
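The base-branch comparison described above, as an added example that is not Radar's own code: it parses pinned `requirements.txt` content from the base and head of a PR, isolates the dependencies the PR adds or re-pins, builds the request body for OSV's `/v1/querybatch` endpoint for just those, and then reports only advisories that were not already present on the base branch. The requirements text and the `VULN_LOOKUP` table (with placeholder advisory IDs) are constructed for the example; a real scan would fill the lookup from the OSV response.

```python
"""Added example: new-vulnerability diff against the base branch. Not Radar's implementation."""
import re
from typing import Dict, List, Tuple

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.+\-]+)$")


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {name: version} for pinned lines; comments, blanks and unpinned specs are skipped."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def new_dependencies(base: Dict[str, str], head: Dict[str, str]) -> Dict[str, str]:
    """Packages added by the PR or whose pinned version differs from the base branch."""
    return {name: ver for name, ver in head.items() if base.get(name) != ver}


def osv_querybatch(deps: Dict[str, str], ecosystem: str = "PyPI") -> Dict:
    """Body for POST https://api.osv.dev/v1/querybatch covering the given pins."""
    return {
        "queries": [
            {"package": {"name": name, "ecosystem": ecosystem}, "version": ver}
            for name, ver in sorted(deps.items())
        ]
    }


def newly_introduced_vulns(
    base: Dict[str, str],
    head: Dict[str, str],
    lookup: Dict[Tuple[str, str], List[str]],
) -> Dict[str, List[str]]:
    """Advisories affecting the PR's new pins that do not already affect the base branch."""
    preexisting = set()
    for name, ver in base.items():
        preexisting.update(lookup.get((name, ver), []))
    report: Dict[str, List[str]] = {}
    for name, ver in new_dependencies(base, head).items():
        fresh = [vid for vid in lookup.get((name, ver), []) if vid not in preexisting]
        if fresh:
            report[name] = fresh
    return report


def scan_pr(base_text: str, head_text: str, lookup) -> Dict[str, List[str]]:
    return newly_introduced_vulns(parse_requirements(base_text), parse_requirements(head_text), lookup)


# Constructed manifests: the PR bumps requests and adds pyyaml.
BASE_REQUIREMENTS = "requests==2.25.0\nflask==2.0.0\n"
HEAD_REQUIREMENTS = "requests==2.26.0\nflask==2.0.0\npyyaml==5.3\nblack  # unpinned, ignored\n"

# Constructed lookup with placeholder IDs, standing in for parsed OSV results.
VULN_LOOKUP = {
    ("requests", "2.25.0"): ["EXAMPLE-VULN-0001"],
    ("requests", "2.26.0"): ["EXAMPLE-VULN-0001"],  # still affected: pre-existing, not reported
    ("pyyaml", "5.3"): ["EXAMPLE-VULN-0002"],       # introduced by the PR: reported
}

if __name__ == "__main__":
    print(osv_querybatch(new_dependencies(parse_requirements(BASE_REQUIREMENTS),
                                          parse_requirements(HEAD_REQUIREMENTS))))
    print(scan_pr(BASE_REQUIREMENTS, HEAD_REQUIREMENTS, VULN_LOOKUP))
```

The same shape applies to the other supported manifests: change the parser and pass the matching OSV ecosystem name (`npm`, `Go`, `RubyGems`, `crates.io`) to `osv_querybatch`. Note that a version bump which still carries the same advisory is treated as pre-existing, which is the behaviour the page describes.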
