Configuration¶

sentrik works without any configuration file — it auto-detects your project and applies sensible defaults. When you need to customize, configuration lives in .sentra/config.yaml. Environment variables override file values (useful for CI).

Config resolution order¶

sentrik checks for configuration in this order:

Explicit path — --config path/to/config.yaml
.sentra/config.yaml — new convention (recommended)
.guard.yaml — legacy format (fully supported)
Auto-detect — in-memory defaults based on project detection

The `.sentra/` directory¶

.sentra/
  config.yaml     # Main config (commit to git)
  rules/          # Custom rules (optional, commit to git)
  .gitignore      # Ignores local/
  local/          # Machine-local state (not committed)

Create it with:

sentra init --no-interactive    # Auto-detected defaults
sentra init                     # Interactive wizard

Migrating from `.guard.yaml`¶

sentra migrate

Copies .guard.yaml to .sentra/config.yaml. Both formats remain fully supported — .sentra/config.yaml takes precedence when both exist.

Core settings¶

Setting	Default	Env Var	Description
`output_dir`	`out`	`GUARD_OUTPUT_DIR`	Output directory for artifacts
`standards_file`	`examples/sample_standards.yaml`	`GUARD_STANDARDS_FILE`	Path to rules YAML
`work_items_file`	`examples/sample_work_items.json`	`GUARD_WORK_ITEMS_FILE`	Path to work items
`provider`	`stub`	`GUARD_PROVIDER`	Scanner provider (`stub`, `sarif`, `composite`)
`gate_fail_on`	`[critical, high]`	`GUARD_GATE_FAIL_ON`	Severities that fail the gate
`reporters`	`[]`	—	Report formats (`html`, `junit`, `sarif`, `csv`)
`standards_packs`	`[]`	`GUARD_STANDARDS_PACKS`	Enabled standards packs
`parallel_scan`	`false`	`GUARD_PARALLEL_SCAN`	Enable parallel file scanning
`max_workers`	`4`	`GUARD_MAX_WORKERS`	Number of parallel worker threads
`ml_severity_enabled`	`false`	`GUARD_ML_SEVERITY_ENABLED`	Enable ML-based severity estimation

DevOps provider settings¶

Setting	Env Var	Description
`devops_provider`	`GUARD_DEVOPS_PROVIDER`	`stub`, `azure`, `github`, or `jira`
`azure_devops_org`	`GUARD_AZURE_DEVOPS_ORG`	Azure DevOps organization
`azure_devops_project`	`GUARD_AZURE_DEVOPS_PROJECT`	Azure DevOps project
`azure_devops_team`	`GUARD_AZURE_DEVOPS_TEAM`	Azure DevOps team (optional)
`azure_devops_repo`	`GUARD_AZURE_DEVOPS_REPO`	Azure DevOps repository name
`github_owner`	`GUARD_GITHUB_OWNER`	GitHub repository owner
`github_repo`	`GUARD_GITHUB_REPO`	GitHub repository name
`github_label`	`GUARD_GITHUB_LABEL`	Filter issues by label
`github_milestone`	`GUARD_GITHUB_MILESTONE`	Filter issues by milestone
`jira_base_url`	`GUARD_JIRA_BASE_URL`	Jira instance base URL
`jira_project_key`	`GUARD_JIRA_PROJECT_KEY`	Jira project key
`jira_jql`	`GUARD_JIRA_JQL`	Custom JQL query

Secrets (set in environment, never in config)¶

Variable	Description
`AZURE_DEVOPS_PAT`	Azure DevOps Personal Access Token
`GITHUB_TOKEN`	GitHub Personal Access Token
`JIRA_USER`	Jira username/email (Cloud)
`JIRA_TOKEN`	Jira API token (Cloud)
`JIRA_PAT`	Jira Personal Access Token (Data Center/Server)
`GUARD_API_KEY`	REST API authentication key
`GUARD_LICENSE_KEY`	License key for enterprise features
`GUARD_LICENSE_SECRET`	HMAC secret for license validation (production)

Governance settings¶

governance:
  profile: standard  # strict | standard | permissive
  human_review_required:
    on_requirement_change: true
    on_critical_finding: true
    on_auto_patch_above: medium
  auto_patch:
    enabled: true
    max_severity: low
  gate:
    fail_on: [critical, high]
    block_merge_on_obligations: false
  sync:
    auto_close_work_items: true
    require_sign_off: false
  audit:
    enabled: true
    log_file: out/agent_audit.jsonl

Profiles provide sensible defaults:

strict — Human review for everything, tightest gates
standard — Balanced (default)
permissive — Maximum agent autonomy

Enterprise settings¶

Setting	Env Var	Description
`license_key`	`GUARD_LICENSE_KEY`	License key (format: `GUARD-TIER-YYYYMMDD-HMAC`)
`vault.enabled`	`GUARD_VAULT_ENABLED`	Enable token vault
`vault.provider`	`GUARD_VAULT_PROVIDER`	Vault provider (`env`, `hashicorp`)
`async_approval.enabled`	`GUARD_APPROVAL_ENABLED`	Enable async approval gates
`async_approval.timeout`	`GUARD_APPROVAL_TIMEOUT`	Approval timeout in seconds

Example configuration¶

# .sentra/config.yaml
output_dir: out
standards_file: standards.yaml
work_items_file: work_items.json
provider: stub
gate_fail_on:
  - critical
  - high
reporters:
  - html
  - sarif
standards_packs:
  - owasp-top-10
devops_provider: github
github_owner: myorg
github_repo: myapp
governance:
  profile: standard
parallel_scan: true
max_workers: 8

Validate configuration¶

sentra validate-config

Reports errors and warnings for invalid settings.