Reference

Configuration

Customize scan behavior with environment variables, config files, ignore patterns, scan policies, shell aliases, git hooks, and authentication. Zero config required — sensible defaults work out of the box.

Precedence

Sigil resolves configuration from multiple sources. When the same setting appears in more than one place, the highest-priority source wins:

CLI flags — always win
Environment variables
Config file (~/.sigil/config)
Built-in defaults

Environment variables

Environment variables override config file values. Useful for CI/CD pipelines and per-machine customization.

Variable	Default	Description
SIGIL_QUARANTINE_DIR	~/.sigil/quarantine	Where quarantined code is stored
SIGIL_APPROVED_DIR	~/.sigil/approved	Where approved code is moved
SIGIL_LOG_DIR	~/.sigil/logs	Scan execution logs
SIGIL_REPORT_DIR	~/.sigil/reports	Detailed scan reports
SIGIL_CONFIG	~/.sigil/config	Path to config file
SIGIL_TOKEN	~/.sigil/token	Path to auth token
SIGIL_API_URL	https://api.sigil.nomark.dev	Cloud API base URL

Custom quarantine location

# Store quarantined code on a separate volume
export SIGIL_QUARANTINE_DIR=/mnt/secure/sigil-quarantine

Self-hosted API

# Point Sigil at your own API instance
export SIGIL_API_URL=https://sigil.internal.mycompany.com

Directory structure

After running sigil config --init, Sigil creates the following directory layout:

~/.sigil/

~/.sigil/
├── quarantine/     # Untrusted code awaiting scan
├── approved/       # Code that passed review
├── logs/           # Scan execution logs
├── reports/        # Detailed scan reports
├── config          # User configuration file
├── token           # JWT auth token
└── signatures.json # Cached threat signatures

Config file

The config file at ~/.sigil/config uses a simple KEY=VALUE format.

~/.sigil/config

API_URL=https://api.sigil.nomark.dev
AUTO_APPROVE_THRESHOLD=0
DEFAULT_SEVERITY=medium

View your current configuration:

bash

sigil config

Create a default config file:

bash

sigil config --init

.sigilignore

Place a .sigilignore file at the root of the directory being scanned. It uses glob syntax similar to .gitignore.

.sigilignore

# Directories
node_modules/
.git/
__pycache__/
vendor/
dist/
build/

# File patterns
*.min.js
*.bundle.js
*.map
*.lock

# Specific files
package-lock.json
yarn.lock
poetry.lock

Default exclusions

Even without a .sigilignore file, Sigil automatically excludes:

node_modules/
.git/
Test files
Example files
Docs files

Pattern rules

Pattern	Matches
*.min.js	Any file ending in `.min.js`
vendor/	The `vendor` directory and all its contents
docs/*.md	Markdown files in the `docs/` directory
!important.js	Negation — re-include a previously ignored file

Be careful with ignore rules

Ignoring too many files can hide real threats. Sigil's default ignore list is intentionally minimal. Add patterns sparingly.

Scan policies

Team plan

Team plans support centralized scan policies that are enforced across your organization. Configure policies via the dashboard or API.

Auto-approve threshold

Controls which verdicts are automatically approved without manual review.

Threshold	Behavior
0	Only score 0 results are auto-approved (default)
9	LOW RISK results auto-approved
24	Up to MEDIUM RISK auto-approved (not recommended)
-1	Disable auto-approve — all results require manual review

Required review

Specify which verdicts must always go through manual review:

HIGH / CRITICAL — always require review
MEDIUM — optional (configurable per policy)
All — require review for every result

Package allowlist

Packages on the allowlist are always approved and bypass scanning entirely.

json

{
  "allowlist": [
    "@myorg/shared-utils",
    "@myorg/config"
  ]
}

Package blocklist

Packages on the blocklist are always rejected, regardless of scan results.

json

{
  "blocklist": [
    "malicious-package-name",
    "deprecated-unsafe-lib"
  ]
}

Policy sync

Policies are synced via the cloud. Configure them through the dashboard or directly via the API:

bash

# Fetch current policy
curl -H "Authorization: Bearer $SIGIL_TOKEN" \
  https://api.sigil.nomark.dev/v1/team/policy

# Update policy
curl -X PUT -H "Authorization: Bearer $SIGIL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"auto_approve_threshold": 0, "required_review": ["high","critical"]}' \
  https://api.sigil.nomark.dev/v1/team/policy

Shell aliases

Sigil can install convenience aliases into your shell configuration.

Installation

Auto-detect your shell and append aliases:

bash

sigil aliases

Or print them to stdout without modifying any files:

bash

sigil aliases --print

Alias definitions

Alias	Command
gclone	sigil clone
safepip	sigil pip install
safenpm	sigil npm install
safefetch	sigil fetch
audit	sigil scan
audithere	sigil scan .
qls	sigil quarantine list
qapprove	sigil quarantine approve
qreject	sigil quarantine reject

Customization

Use --print to output the alias block, then manually add or modify entries in your shell config.

Removing aliases

Delete the block between the # SIGIL ALIASES comments in your shell configuration file.

Git hooks

Sigil can install a pre-commit hook that checks staged files for dangerous patterns before every commit.

Installation

bash

# Install in the current repo
sigil hooks

# Install in a specific repo
sigil hooks /path/to/repo

Patterns checked

The pre-commit hook scans staged files for known dangerous patterns:

eval(
exec(
__import__(
subprocess shell=True
os.system
pickle.loads
child_process

Behavior

When a finding is detected, the hook exits with code 1 and blocks the commit. To bypass the hook for a specific commit:

bash

git commit --no-verify -m "known safe: template engine uses eval"

Hook location

The hook is installed at .git/hooks/pre-commit inside the target repository. Sigil never modifies your global git configuration.

Authentication

Sigil uses JWT tokens for cloud features (Pro and Team plans). The open-source CLI works entirely offline without authentication.

Token storage

Tokens are stored at ~/.sigil/token as a JWT. The token is issued with an expiration, read on each API request, and Sigil falls back to offline mode if the token is expired or missing.

What data is sent

Sigil sends metadata only to the cloud API. Source code never leaves your machine.

Sent

Scan rules triggered
File type distribution
Risk score
Package name, version, hash

Never sent

Source code
Credentials
Environment variable values
File paths

Offline mode

The full CLI works offline. Cloud features (threat intelligence, team policies, dashboard) require authentication, but all eight scan phases run locally without a network connection.

Previous← API Reference NextSkills.sh Skill →

Need help?

Ask a question in GitHub Discussions or check the troubleshooting guide.

Community Troubleshooting