API Server

CORS¶

alpine.cors.allow.credentials¶

Controls the content of the Access-Control-Allow-Credentials response header.
Has no effect when alpine.cors.enabled is false.

Required	false
Type	`boolean`
Default	`true`
ENV	`ALPINE_CORS_ALLOW_CREDENTIALS`

alpine.cors.allow.headers¶

Controls the content of the Access-Control-Allow-Headers response header.
Has no effect when alpine.cors.enabled is false.

Required	false
Type	`string`
Default	`Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count, *`
ENV	`ALPINE_CORS_ALLOW_HEADERS`

alpine.cors.allow.methods¶

Controls the content of the Access-Control-Allow-Methods response header.
Has no effect when alpine.cors.enabled is false.

Required	false
Type	`string`
Default	`GET POST PUT DELETE OPTIONS`
ENV	`ALPINE_CORS_ALLOW_METHODS`

alpine.cors.allow.origin¶

Controls the content of the Access-Control-Allow-Origin response header.
Has no effect when alpine.cors.enabled is false.

Required	false
Type	`string`
Default	`*`
ENV	`ALPINE_CORS_ALLOW_ORIGIN`

alpine.cors.enabled¶

Defines whether Cross Origin Resource Sharing (CORS) headers shall be included in REST API responses.

Required	false
Type	`boolean`
Default	`true`
ENV	`ALPINE_CORS_ENABLED`

alpine.cors.expose.headers¶

Controls the content of the Access-Control-Expose-Headers response header.
Has no effect when alpine.cors.enabled is false.

Required	false
Type	`string`
Default	`Origin, Content-Type, Authorization, X-Requested-With, Content-Length, Accept, Origin, X-Api-Key, X-Total-Count`
ENV	`ALPINE_CORS_EXPOSE_HEADERS`

alpine.cors.max.age¶

Controls the content of the Access-Control-Max-Age response header.
Has no effect when alpine.cors.enabled is false.

Required	false
Type	`integer`
Default	`3600`
ENV	`ALPINE_CORS_MAX_AGE`

Database¶

alpine.database.password¶

Specifies the password to use when authenticating to the database.

Required	false
Type	`string`
Default	`dtrack`
ENV	`ALPINE_DATABASE_PASSWORD`

alpine.database.password.file¶

Specifies the file to load the database password from. If set, takes precedence over alpine.database.password.

Required	false
Type	`string`
Default	`null`
Example	`/var/run/secrets/database-password`
ENV	`ALPINE_DATABASE_PASSWORD_FILE`

alpine.database.pool.enabled¶

Specifies if the database connection pool is enabled.

Required	false
Type	`boolean`
Default	`true`
ENV	`ALPINE_DATABASE_POOL_ENABLED`

alpine.database.pool.idle.timeout¶

This property controls the maximum amount of time that a connection is allowed to sit idle in the pool.

Required	false
Type	`integer`
Default	`300000`
ENV	`ALPINE_DATABASE_POOL_IDLE_TIMEOUT`

alpine.database.pool.max.lifetime¶

This property controls the maximum lifetime of a connection in the pool. An in-use connection will never be retired, only when it is closed will it then be removed.

Required	false
Type	`integer`
Default	`600000`
ENV	`ALPINE_DATABASE_POOL_MAX_LIFETIME`

alpine.database.pool.max.size¶

This property controls the maximum size that the pool is allowed to reach, including both idle and in-use connections.

Required	false
Type	`integer`
Default	`20`
ENV	`ALPINE_DATABASE_POOL_MAX_SIZE`

alpine.database.pool.min.idle¶

This property controls the minimum number of idle connections in the pool. This value should be equal to or less than alpine.database.pool.max.size. Warning: If the value is less than alpine.database.pool.max.size, alpine.database.pool.idle.timeout will have no effect.

Required	false
Type	`integer`
Default	`10`
ENV	`ALPINE_DATABASE_POOL_MIN_IDLE`

alpine.database.url¶

Specifies the JDBC URL to use when connecting to the database. For best performance, set the reWriteBatchedInserts query parameter to true.

Required	true
Type	`string`
Default	`null`
Example	`jdbc:postgresql://localhost:5432/dtrack?reWriteBatchedInserts=true`
ENV	`ALPINE_DATABASE_URL`

alpine.database.username¶

Specifies the username to use when authenticating to the database.

Required	false
Type	`string`
Default	`dtrack`
ENV	`ALPINE_DATABASE_USERNAME`

database.migration.password¶

Defines the database password for executing migrations. If not set, the value of alpine.database.password will be used.

Required	false
Type	`string`
Default	`${alpine.database.password}`
ENV	`DATABASE_MIGRATION_PASSWORD`

database.migration.url¶

Defines the database JDBC URL to use when executing migrations. If not set, the value of alpine.database.url will be used. Should generally not be set, unless TLS authentication is used, and custom connection variables are required.

Required	false
Type	`string`
Default	`${alpine.database.url}`
ENV	`DATABASE_MIGRATION_URL`

database.migration.username¶

Defines the database user for executing migrations. If not set, the value of alpine.database.username will be used.

Required	false
Type	`string`
Default	`${alpine.database.username}`
ENV	`DATABASE_MIGRATION_USERNAME`

database.run.migrations¶

Defines whether database migrations should be executed on startup.

From v5.6.0 onwards, migrations are considered part of the initialization tasks. Setting init.tasks.enabled to false will disable migrations, even if database.run.migrations is enabled.

Required	false
Type	`boolean`
Default	`true`
ENV	`DATABASE_RUN_MIGRATIONS`

database.run.migrations.only¶

Defines whether the application should exit upon successful execution of database migrations. Enabling this option makes the application suitable for running as k8s init container. Has no effect unless database.run.migrations is true.

From v5.6.0 onwards, usage of init.and.exit should be preferred.

Required	false
Type	`boolean`
Default	`false`
ENV	`DATABASE_RUN_MIGRATIONS_ONLY`

Development¶

dev.services.enabled¶

Whether dev services shall be enabled.

When enabled, Dependency-Track will automatically launch containers for:

Frontend
Kafka
PostgreSQL

at startup, and configures itself to use them. They are disposed when Dependency-Track stops. The containers are exposed on randomized ports, which will be logged during startup.

Trying to enable dev services in a production build will prevent the application from starting.

Note that the containers launched by the API server can not currently be discovered and re-used by other Hyades services. This is a future enhancement tracked in https://github.com/DependencyTrack/hyades/issues/1188.

Required	false
Type	`boolean`
Default	`false`
ENV	`DEV_SERVICES_ENABLED`

dev.services.image.frontend¶

The image to use for the frontend dev services container.

Required	false
Type	`string`
Default	`ghcr.io/dependencytrack/hyades-frontend:snapshot`
ENV	`DEV_SERVICES_IMAGE_FRONTEND`

dev.services.image.kafka¶

The image to use for the Kafka dev services container.

Required	false
Type	`string`
Default	`apache/kafka-native:3.8.0`
ENV	`DEV_SERVICES_IMAGE_KAFKA`

dev.services.image.postgres¶

The image to use for the PostgreSQL dev services container.

Required	false
Type	`string`
Default	`postgres:16`
ENV	`DEV_SERVICES_IMAGE_POSTGRES`

General¶

alpine.api.key.prefix¶

Defines the prefix to be used for API keys. A maximum prefix length of 251 characters is supported. The prefix may also be left empty.

Required	false
Type	`string`
Default	`odt_`
ENV	`ALPINE_API_KEY_PREFIX`

alpine.auth.jwt.ttl.seconds¶

Defines the number of seconds for which JWTs issued by Dependency-Track will be valid for.

Required	false
Type	`integer`
Default	`604800`
ENV	`ALPINE_AUTH_JWT_TTL_SECONDS`

alpine.bcrypt.rounds¶

Specifies the number of bcrypt rounds to use when hashing a user's password. The higher the number the more secure the password, at the expense of hardware resources and additional time to generate the hash.

Required	true
Type	`integer`
Default	`14`
ENV	`ALPINE_BCRYPT_ROUNDS`

alpine.data.directory¶

Defines the path to the data directory. This directory will hold logs, keys, and any database or index files along with application-specific files or directories.

Required	true
Type	`string`
Default	`~/.dependency-track`
ENV	`ALPINE_DATA_DIRECTORY`

alpine.private.key.path¶

Defines the paths to the public-private key pair to be used for signing and verifying digital signatures. The keys will be generated upon first startup if they do not exist.

Required	false
Type	`string`
Default	`${alpine.data.directory}/keys/private.key`
Example	`/var/run/secrets/private.key`
ENV	`ALPINE_PRIVATE_KEY_PATH`

alpine.public.key.path¶

Defines the paths to the public-private key pair to be used for signing and verifying digital signatures. The keys will be generated upon first startup if they do not exist.

Required	false
Type	`string`
Default	`${alpine.data.directory}/keys/public.key`
Example	`/var/run/secrets/public.key`
ENV	`ALPINE_PUBLIC_KEY_PATH`

alpine.secret.key.path¶

Defines the path to the secret key to be used for data encryption and decryption. The key will be generated upon first startup if it does not exist.

Required	false
Type	`string`
Default	`${alpine.data.directory}/keys/secret.key`
ENV	`ALPINE_SECRET_KEY_PATH`

init.and.exit¶

Whether to only execute initialization tasks and exit.

Required	false
Type	`boolean`
Default	`false`
ENV	`INIT_AND_EXIT`

init.tasks.enabled¶

Whether to execute initialization tasks on startup. Initialization tasks include:

Execution of database migrations
Populating the database with default objects (permissions, users, licenses, etc.)

Required	false
Type	`boolean`
Default	`true`
ENV	`INIT_TASKS_ENABLED`

integrity.check.enabled¶

Required	false
Type	`boolean`
Default	`false`
ENV	`INTEGRITY_CHECK_ENABLED`

integrity.initializer.enabled¶

Specifies whether the Integrity Initializer shall be enabled.

Required	false
Type	`boolean`
Default	`false`
ENV	`INTEGRITY_INITIALIZER_ENABLED`

tmp.delay.bom.processed.notification¶

Delays the BOM_PROCESSED notification until the vulnerability analysis associated with a given BOM upload is completed. The intention being that it is then "safe" to query the API for any identified vulnerabilities. This is specifically for cases where polling the /api/v1/bom/token/ endpoint is not feasible. THIS IS A TEMPORARY FUNCTIONALITY AND MAY BE REMOVED IN FUTURE RELEASES WITHOUT FURTHER NOTICE.

Required	false
Type	`boolean`
Default	`false`
ENV	`TMP_DELAY_BOM_PROCESSED_NOTIFICATION`

vulnerability.policy.analysis.enabled¶

Defines whether vulnerability policy analysis is enabled.

Required	false
Type	`boolean`
Default	`false`
ENV	`VULNERABILITY_POLICY_ANALYSIS_ENABLED`

vulnerability.policy.bundle.auth.password¶

For nginx server, if username and bearer token both are provided, basic auth will be used, else the auth header will be added based on the not null values Defines the password to be used for basic authentication against the service hosting the policy bundle.

Required	false
Type	`string`
Default	`null`
ENV	`VULNERABILITY_POLICY_BUNDLE_AUTH_PASSWORD`

vulnerability.policy.bundle.auth.username¶

Defines the username to be used for basic authentication against the service hosting the policy bundle.

Required	false
Type	`string`
Default	`null`
ENV	`VULNERABILITY_POLICY_BUNDLE_AUTH_USERNAME`

vulnerability.policy.bundle.bearer.token¶

Defines the token to be used as bearerAuth against the service hosting the policy bundle.

Required	false
Type	`string`
Default	`null`
ENV	`VULNERABILITY_POLICY_BUNDLE_BEARER_TOKEN`

vulnerability.policy.bundle.source.type¶

Defines the type of source from which policy bundles are being fetched from. Required when vulnerability.policy.bundle.url is set.

Required	false
Type	`enum`
Valid Values	`[nginx, s3]`
Default	`NGINX`
ENV	`VULNERABILITY_POLICY_BUNDLE_SOURCE_TYPE`

vulnerability.policy.bundle.url¶

Defines where to fetch the policy bundle from.For S3, just the base url needs to be provided with port For nginx, the whole url with bundle name needs to be given

Required	false
Type	`string`
Default	`null`
Example	`http://example.com:80/bundles/bundle.zip`
ENV	`VULNERABILITY_POLICY_BUNDLE_URL`

vulnerability.policy.s3.access.key¶

S3 related details. Access key, secret key, bucket name and bundle names are mandatory if S3 is chosen. Region is optional

Required	false
Type	`string`
Default	`null`
ENV	`VULNERABILITY_POLICY_S3_ACCESS_KEY`

vulnerability.policy.s3.bucket.name¶

Required	false
Type	`string`
Default	`null`
ENV	`VULNERABILITY_POLICY_S3_BUCKET_NAME`

vulnerability.policy.s3.bundle.name¶

Required	false
Type	`string`
Default	`null`
ENV	`VULNERABILITY_POLICY_S3_BUNDLE_NAME`

vulnerability.policy.s3.region¶

Required	false
Type	`string`
Default	`null`
ENV	`VULNERABILITY_POLICY_S3_REGION`

vulnerability.policy.s3.secret.key¶

Required	false
Type	`string`
Default	`null`
ENV	`VULNERABILITY_POLICY_S3_SECRET_KEY`

HTTP¶

alpine.http.proxy.address¶

HTTP proxy address. If set, then alpine.http.proxy.port must be set too.

Required	false
Type	`string`
Default	`null`
Example	`proxy.example.com`
ENV	`ALPINE_HTTP_PROXY_ADDRESS`

alpine.http.proxy.password¶

Required	false
Type	`string`
Default	`null`
ENV	`ALPINE_HTTP_PROXY_PASSWORD`

alpine.http.proxy.password.file¶

Specifies the file to load the HTTP proxy password from. If set, takes precedence over alpine.http.proxy.password.

Required	false
Type	`string`
Default	`null`
Example	`/var/run/secrets/http-proxy-password`
ENV	`ALPINE_HTTP_PROXY_PASSWORD_FILE`

alpine.http.proxy.port¶

Required	false
Type	`integer`
Default	`null`
Example	`8888`
ENV	`ALPINE_HTTP_PROXY_PORT`

alpine.http.proxy.username¶

Required	false
Type	`string`
Default	`null`
ENV	`ALPINE_HTTP_PROXY_USERNAME`

alpine.http.timeout.connection¶

Defines the connection timeout in seconds for outbound HTTP connections.

Required	false
Type	`integer`
Default	`30`
ENV	`ALPINE_HTTP_TIMEOUT_CONNECTION`

alpine.http.timeout.pool¶

Defines the request timeout in seconds for outbound HTTP connections.

Required	false
Type	`integer`
Default	`60`
ENV	`ALPINE_HTTP_TIMEOUT_POOL`

alpine.http.timeout.socket¶

Defines the socket / read timeout in seconds for outbound HTTP connections.

Required	false
Type	`integer`
Default	`30`
ENV	`ALPINE_HTTP_TIMEOUT_SOCKET`

alpine.no.proxy¶

Required	false
Type	`string`
Default	`null`
Example	`localhost,127.0.0.1`
ENV	`ALPINE_NO_PROXY`

Kafka¶

dt.kafka.topic.prefix¶

Required	false
Type	`string`
Default	`null`
ENV	`DT_KAFKA_TOPIC_PREFIX`

kafka.auto.offset.reset¶

Required	false
Type	`enum`
Valid Values	`[earliest, latest, none]`
Default	`earliest`
ENV	`KAFKA_AUTO_OFFSET_RESET`

kafka.bootstrap.servers¶

Required	true
Type	`string`
Default	`null`
Example	`localhost:9092`
ENV	`KAFKA_BOOTSTRAP_SERVERS`

kafka.keystore.password¶

Required	false
Type	`string`
Default	`null`
ENV	`KAFKA_KEYSTORE_PASSWORD`

kafka.keystore.path¶

Required	false
Type	`string`
Default	`null`
ENV	`KAFKA_KEYSTORE_PATH`

kafka.mtls.enabled¶

Required	false
Type	`boolean`
Default	`false`
ENV	`KAFKA_MTLS_ENABLED`

kafka.processor.epss.mirror.consumer.auto.offset.reset¶

Required	true
Type	`enum`
Valid Values	`[earliest, latest, none]`
Default	`earliest`
ENV	`KAFKA_PROCESSOR_EPSS_MIRROR_CONSUMER_AUTO_OFFSET_RESET`

kafka.processor.epss.mirror.consumer.group.id¶

Required	true
Type	`string`
Default	`dtrack-apiserver-processor`
ENV	`KAFKA_PROCESSOR_EPSS_MIRROR_CONSUMER_GROUP_ID`

kafka.processor.epss.mirror.max.batch.size¶

Required	true
Type	`integer`
Default	`500`
ENV	`KAFKA_PROCESSOR_EPSS_MIRROR_MAX_BATCH_SIZE`

kafka.processor.epss.mirror.max.concurrency¶

Required	true
Type	`integer`
Default	`-1`
ENV	`KAFKA_PROCESSOR_EPSS_MIRROR_MAX_CONCURRENCY`

kafka.processor.epss.mirror.processing.order¶

Required	true
Type	`enum`
Valid Values	`[key, partition, unordered]`
Default	`key`
ENV	`KAFKA_PROCESSOR_EPSS_MIRROR_PROCESSING_ORDER`

kafka.processor.epss.mirror.retry.initial.delay.ms¶

Required	true
Type	`integer`
Default	`3000`
ENV	`KAFKA_PROCESSOR_EPSS_MIRROR_RETRY_INITIAL_DELAY_MS`

kafka.processor.epss.mirror.retry.max.delay.ms¶

Required	true
Type	`integer`
Default	`180000`
ENV	`KAFKA_PROCESSOR_EPSS_MIRROR_RETRY_MAX_DELAY_MS`

kafka.processor.epss.mirror.retry.multiplier¶

Required	true
Type	`integer`
Default	`2`
ENV	`KAFKA_PROCESSOR_EPSS_MIRROR_RETRY_MULTIPLIER`

kafka.processor.epss.mirror.retry.randomization.factor¶

Required	true
Type	`double`
Default	`0.3`
ENV	`KAFKA_PROCESSOR_EPSS_MIRROR_RETRY_RANDOMIZATION_FACTOR`

kafka.processor.repo.meta.analysis.result.consumer.auto.offset.reset¶

Required	true
Type	`enum`
Valid Values	`[earliest, latest, none]`
Default	`earliest`
ENV	`KAFKA_PROCESSOR_REPO_META_ANALYSIS_RESULT_CONSUMER_AUTO_OFFSET_RESET`

kafka.processor.repo.meta.analysis.result.consumer.group.id¶

Required	true
Type	`string`
Default	`dtrack-apiserver-processor`
ENV	`KAFKA_PROCESSOR_REPO_META_ANALYSIS_RESULT_CONSUMER_GROUP_ID`

kafka.processor.repo.meta.analysis.result.max.concurrency¶

Required	true
Type	`integer`
Default	`-1`
ENV	`KAFKA_PROCESSOR_REPO_META_ANALYSIS_RESULT_MAX_CONCURRENCY`

kafka.processor.repo.meta.analysis.result.processing.order¶

Required	true
Type	`enum`
Valid Values	`[key, partition, unordered]`
Default	`key`
ENV	`KAFKA_PROCESSOR_REPO_META_ANALYSIS_RESULT_PROCESSING_ORDER`

kafka.processor.repo.meta.analysis.result.retry.initial.delay.ms¶

Required	true
Type	`integer`
Default	`1000`
ENV	`KAFKA_PROCESSOR_REPO_META_ANALYSIS_RESULT_RETRY_INITIAL_DELAY_MS`

kafka.processor.repo.meta.analysis.result.retry.max.delay.ms¶

Required	true
Type	`integer`
Default	`180000`
ENV	`KAFKA_PROCESSOR_REPO_META_ANALYSIS_RESULT_RETRY_MAX_DELAY_MS`

kafka.processor.repo.meta.analysis.result.retry.multiplier¶

Required	true
Type	`integer`
Default	`2`
ENV	`KAFKA_PROCESSOR_REPO_META_ANALYSIS_RESULT_RETRY_MULTIPLIER`

kafka.processor.repo.meta.analysis.result.retry.randomization.factor¶

Required	true
Type	`double`
Default	`0.3`
ENV	`KAFKA_PROCESSOR_REPO_META_ANALYSIS_RESULT_RETRY_RANDOMIZATION_FACTOR`

kafka.processor.vuln.mirror.consumer.auto.offset.reset¶

Required	true
Type	`enum`
Valid Values	`[earliest, latest, none]`
Default	`earliest`
ENV	`KAFKA_PROCESSOR_VULN_MIRROR_CONSUMER_AUTO_OFFSET_RESET`

kafka.processor.vuln.mirror.consumer.group.id¶

Required	true
Type	`string`
Default	`dtrack-apiserver-processor`
ENV	`KAFKA_PROCESSOR_VULN_MIRROR_CONSUMER_GROUP_ID`

kafka.processor.vuln.mirror.max.concurrency¶

Required	true
Type	`integer`
Default	`-1`
ENV	`KAFKA_PROCESSOR_VULN_MIRROR_MAX_CONCURRENCY`

kafka.processor.vuln.mirror.processing.order¶

Required	true
Type	`enum`
Valid Values	`[key, partition, unordered]`
Default	`partition`
ENV	`KAFKA_PROCESSOR_VULN_MIRROR_PROCESSING_ORDER`

kafka.processor.vuln.mirror.retry.initial.delay.ms¶

Required	true
Type	`integer`
Default	`3000`
ENV	`KAFKA_PROCESSOR_VULN_MIRROR_RETRY_INITIAL_DELAY_MS`

kafka.processor.vuln.mirror.retry.max.delay.ms¶

Required	true
Type	`integer`
Default	`180000`
ENV	`KAFKA_PROCESSOR_VULN_MIRROR_RETRY_MAX_DELAY_MS`

kafka.processor.vuln.mirror.retry.multiplier¶

Required	true
Type	`integer`
Default	`2`
ENV	`KAFKA_PROCESSOR_VULN_MIRROR_RETRY_MULTIPLIER`

kafka.processor.vuln.mirror.retry.randomization.factor¶

Required	true
Type	`double`
Default	`0.3`
ENV	`KAFKA_PROCESSOR_VULN_MIRROR_RETRY_RANDOMIZATION_FACTOR`

kafka.processor.vuln.scan.result.consumer.auto.offset.reset¶

Required	true
Type	`enum`
Valid Values	`[earliest, latest, none]`
Default	`earliest`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_CONSUMER_AUTO_OFFSET_RESET`

kafka.processor.vuln.scan.result.consumer.group.id¶

Required	true
Type	`string`
Default	`dtrack-apiserver-processor`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_CONSUMER_GROUP_ID`

kafka.processor.vuln.scan.result.max.concurrency¶

Required	true
Type	`integer`
Default	`-1`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_MAX_CONCURRENCY`

kafka.processor.vuln.scan.result.processed.consumer.auto.offset.reset¶

Required	true
Type	`enum`
Valid Values	`[earliest, latest, none]`
Default	`earliest`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_CONSUMER_AUTO_OFFSET_RESET`

kafka.processor.vuln.scan.result.processed.consumer.fetch.min.bytes¶

Required	true
Type	`integer`
Default	`524288`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_CONSUMER_FETCH_MIN_BYTES`

kafka.processor.vuln.scan.result.processed.consumer.group.id¶

Required	true
Type	`string`
Default	`dtrack-apiserver-processor`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_CONSUMER_GROUP_ID`

kafka.processor.vuln.scan.result.processed.consumer.max.poll.records¶

Required	true
Type	`integer`
Default	`10000`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_CONSUMER_MAX_POLL_RECORDS`

kafka.processor.vuln.scan.result.processed.max.batch.size¶

Required	true
Type	`integer`
Default	`1000`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_MAX_BATCH_SIZE`

kafka.processor.vuln.scan.result.processed.max.concurrency¶

Required	true
Type	`integer`
Default	`1`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_MAX_CONCURRENCY`

kafka.processor.vuln.scan.result.processed.processing.order¶

Required	true
Type	`enum`
Valid Values	`[key, partition, unordered]`
Default	`unordered`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_PROCESSING_ORDER`

kafka.processor.vuln.scan.result.processed.retry.initial.delay.ms¶

Required	true
Type	`integer`
Default	`3000`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_RETRY_INITIAL_DELAY_MS`

kafka.processor.vuln.scan.result.processed.retry.max.delay.ms¶

Required	true
Type	`integer`
Default	`180000`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_RETRY_MAX_DELAY_MS`

kafka.processor.vuln.scan.result.processed.retry.multiplier¶

Required	true
Type	`integer`
Default	`2`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_RETRY_MULTIPLIER`

kafka.processor.vuln.scan.result.processed.retry.randomization.factor¶

Required	true
Type	`double`
Default	`0.3`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSED_RETRY_RANDOMIZATION_FACTOR`

kafka.processor.vuln.scan.result.processing.order¶

Required	true
Type	`enum`
Valid Values	`[key, partition, unordered]`
Default	`key`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_PROCESSING_ORDER`

kafka.processor.vuln.scan.result.retry.initial.delay.ms¶

Required	true
Type	`integer`
Default	`1000`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_RETRY_INITIAL_DELAY_MS`

kafka.processor.vuln.scan.result.retry.max.delay.ms¶

Required	true
Type	`integer`
Default	`180000`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_RETRY_MAX_DELAY_MS`

kafka.processor.vuln.scan.result.retry.multiplier¶

Required	true
Type	`integer`
Default	`2`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_RETRY_MULTIPLIER`

kafka.processor.vuln.scan.result.retry.randomization.factor¶

Required	true
Type	`double`
Default	`0.3`
ENV	`KAFKA_PROCESSOR_VULN_SCAN_RESULT_RETRY_RANDOMIZATION_FACTOR`

kafka.security.protocol¶

Required	false
Type	`enum`
Valid Values	`[PLAINTEXT, SASL_SSL_PLAINTEXT, SASL_PLAINTEXT, SSL]`
Default	`null`
ENV	`KAFKA_SECURITY_PROTOCOL`

kafka.tls.enabled¶

Required	false
Type	`boolean`
Default	`false`
ENV	`KAFKA_TLS_ENABLED`

kafka.truststore.password¶

Required	false
Type	`string`
Default	`null`
ENV	`KAFKA_TRUSTSTORE_PASSWORD`

kafka.truststore.path¶

Required	false
Type	`string`
Default	`null`
ENV	`KAFKA_TRUSTSTORE_PATH`

LDAP¶

alpine.ldap.attribute.mail¶

Specifies the LDAP attribute used to store a users email address

Required	false
Type	`string`
Default	`mail`
ENV	`ALPINE_LDAP_ATTRIBUTE_MAIL`

alpine.ldap.attribute.name¶

Specifies the Attribute that identifies a users ID.

Example (Microsoft Active Directory):

userPrincipalName

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

uid

Required	false
Type	`string`
Default	`userPrincipalName`
ENV	`ALPINE_LDAP_ATTRIBUTE_NAME`

alpine.ldap.auth.username.format¶

Specifies if the username entered during login needs to be formatted prior to asserting credentials against the directory. For Active Directory, the userPrincipal attribute typically ends with the domain, whereas the samAccountName attribute and other directory server implementations do not. The %s variable will be substituted with the username asserted during login.

Example (Microsoft Active Directory):

%s@example.com

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

%s

Required	false
Type	`string`
Default	`null`
Example	`%s@example.com`
ENV	`ALPINE_LDAP_AUTH_USERNAME_FORMAT`

alpine.ldap.basedn¶

Specifies the base DN that all queries should search from

Required	false
Type	`string`
Default	`null`
Example	`dc=example,dc=com`
ENV	`ALPINE_LDAP_BASEDN`

alpine.ldap.bind.password¶

If anonymous access is not permitted, specify a password for the username used to bind.

Required	false
Type	`string`
Default	`null`
ENV	`ALPINE_LDAP_BIND_PASSWORD`

alpine.ldap.bind.username¶

If anonymous access is not permitted, specify a username with limited access to the directory, just enough to perform searches. This should be the fully qualified DN of the user.

Required	false
Type	`string`
Default	`null`
ENV	`ALPINE_LDAP_BIND_USERNAME`

alpine.ldap.enabled¶

Defines if LDAP will be used for user authentication. If enabled, alpine.ldap.* properties should be set accordingly.

Required	false
Type	`boolean`
Default	`false`
ENV	`ALPINE_LDAP_ENABLED`

alpine.ldap.groups.filter¶

Specifies the LDAP search filter used to retrieve all groups from the directory.

Example (Microsoft Active Directory):

(&(objectClass=group)(objectCategory=Group))

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

(&(objectClass=groupOfUniqueNames))

Required	false
Type	`string`
Default	`(&(objectClass=group)(objectCategory=Group))`
ENV	`ALPINE_LDAP_GROUPS_FILTER`

alpine.ldap.groups.search.filter¶

Specifies the LDAP search filter used to search for groups by their name. The {SEARCH_TERM} variable will be substituted at runtime.

Example (Microsoft Active Directory):

(&(objectClass=group)(objectCategory=Group)(cn={SEARCH_TERM}))

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

(&(objectClass=groupOfUniqueNames)(cn={SEARCH_TERM}))

Required	false
Type	`string`
Default	`(&(objectClass=group)(objectCategory=Group)(cn={SEARCH_TERM}))`
ENV	`ALPINE_LDAP_GROUPS_SEARCH_FILTER`

alpine.ldap.security.auth¶

Specifies the LDAP security authentication level to use. Its value is one of the following strings: "none", "simple", "strong". If this property is empty or unspecified, the behaviour is determined by the service provider.

Required	false
Type	`enum`
Valid Values	`[none, simple, strong]`
Default	`simple`
ENV	`ALPINE_LDAP_SECURITY_AUTH`

alpine.ldap.server.url¶

Specifies the LDAP server URL.

Examples (Microsoft Active Directory):

ldap://ldap.example.com:3268
ldaps://ldap.example.com:3269

Examples (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

ldap://ldap.example.com:389
ldaps://ldap.example.com:636

Required	false
Type	`string`
Default	`null`
ENV	`ALPINE_LDAP_SERVER_URL`

alpine.ldap.team.synchronization¶

This option will ensure that team memberships for LDAP users are dynamic and synchronized with membership of LDAP groups. When a team is mapped to an LDAP group, all local LDAP users will automatically be assigned to the team if they are a member of the group the team is mapped to. If the user is later removed from the LDAP group, they will also be removed from the team. This option provides the ability to dynamically control user permissions via an external directory.

Required	false
Type	`boolean`
Default	`false`
ENV	`ALPINE_LDAP_TEAM_SYNCHRONIZATION`

alpine.ldap.user.groups.filter¶

Specifies the LDAP search filter to use to query a user and retrieve a list of groups the user is a member of. The {USER_DN} variable will be substituted with the actual value of the users DN at runtime.

Example (Microsoft Active Directory):

(&(objectClass=group)(objectCategory=Group)(member={USER_DN}))

Example (Microsoft Active Directory - with nested group support):

(member:1.2.840.113556.1.4.1941:={USER_DN})

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))

Required	false
Type	`string`
Default	`(member:1.2.840.113556.1.4.1941:={USER_DN})`
ENV	`ALPINE_LDAP_USER_GROUPS_FILTER`

alpine.ldap.user.provisioning¶

Specifies if mapped LDAP accounts are automatically created upon successful authentication. When a user logs in with valid credentials but an account has not been previously provisioned, an authentication failure will be returned. This allows admins to control specifically which ldap users can access the system and which users cannot. When this value is set to true, a local ldap user will be created and mapped to the ldap account automatically. This automatic provisioning only affects authentication, not authorization.

Required	false
Type	`boolean`
Default	`false`
ENV	`ALPINE_LDAP_USER_PROVISIONING`

alpine.ldap.users.search.filter¶

Specifies the LDAP search filter used to search for users by their name. The {SEARCH_TERM} variable will be substituted at runtime.

Example (Microsoft Active Directory):

(&(objectClass=group)(objectCategory=Group)(cn={SEARCH_TERM}))

Example (ApacheDS, Fedora 389 Directory, NetIQ/Novell eDirectory, etc):

(&(objectClass=inetOrgPerson)(cn={SEARCH_TERM}))

Required	false
Type	`string`
Default	`(&(objectClass=user)(objectCategory=Person)(cn={SEARCH_TERM}))`
ENV	`ALPINE_LDAP_USERS_SEARCH_FILTER`

Observability¶

alpine.metrics.auth.password¶

Defines the password required to access metrics. Has no effect when alpine.metrics.auth.username is not set.

Required	false
Type	`string`
Default	`null`
ENV	`ALPINE_METRICS_AUTH_PASSWORD`

alpine.metrics.auth.username¶

Defines the username required to access metrics. Has no effect when alpine.metrics.auth.password is not set.

Required	false
Type	`string`
Default	`null`
ENV	`ALPINE_METRICS_AUTH_USERNAME`

alpine.metrics.enabled¶

Defines whether Prometheus metrics will be exposed. If enabled, metrics will be available via the /metrics endpoint.

Required	false
Type	`boolean`
Default	`false`
ENV	`ALPINE_METRICS_ENABLED`

OpenID Connect¶

alpine.oidc.client.id¶

Defines the client ID to be used for OpenID Connect. The client ID should be the same as the one configured for the frontend, and will only be used to validate ID tokens.

Required	false
Type	`string`
Default	`null`
ENV	`ALPINE_OIDC_CLIENT_ID`

alpine.oidc.enabled¶

Defines if OpenID Connect will be used for user authentication. If enabled, alpine.oidc.* properties should be set accordingly.

Required	false
Type	`boolean`
Default	`false`
ENV	`ALPINE_OIDC_ENABLED`

alpine.oidc.issuer¶

Defines the issuer URL to be used for OpenID Connect. This issuer MUST support provider configuration via the /.well-known/openid-configuration endpoint. See also:

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

Required	false
Type	`string`
Default	`null`
ENV	`ALPINE_OIDC_ISSUER`

alpine.oidc.team.synchronization¶

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles. When a team is mapped to an OpenID Connect group, all local OpenID Connect users will automatically be assigned to the team if they are a member of the group the team is mapped to. If the user is later removed from the OpenID Connect group, they will also be removed from the team. This option provides the ability to dynamically control user permissions via the identity provider. Note that team synchronization is only performed during user provisioning and after successful authentication.

Required	false
Type	`boolean`
Default	`false`
ENV	`ALPINE_OIDC_TEAM_SYNCHRONIZATION`

alpine.oidc.teams.claim¶

Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint. The claim must be an array of strings. Most public identity providers do not support group or role management. When using a customizable / on-demand hosted identity provider, name, content, and inclusion in the userinfo endpoint will most likely need to be configured.

Required	false
Type	`string`
Default	`groups`
ENV	`ALPINE_OIDC_TEAMS_CLAIM`

alpine.oidc.user.provisioning¶

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication. When a user logs in with a valid access token but an account has not been previously provisioned, an authentication failure will be returned. This allows admins to control specifically which OpenID Connect users can access the system and which users cannot. When this value is set to true, a local OpenID Connect user will be created and mapped to the OpenID Connect account automatically. This automatic provisioning only affects authentication, not authorization.

Required	false
Type	`boolean`
Default	`false`
ENV	`ALPINE_OIDC_USER_PROVISIONING`

alpine.oidc.username.claim¶

Defines the name of the claim that contains the username in the provider's userinfo endpoint. Common claims are name, username, preferred_username or nickname. See also:

https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

Required	false
Type	`string`
Default	`name`
ENV	`ALPINE_OIDC_USERNAME_CLAIM`

Task Execution¶

alpine.worker.thread.multiplier¶

Defines a multiplier that is used to calculate the number of threads used by the event subsystem. This property is only used when alpine.worker.threads is set to 0. A machine with 4 cores and a multiplier of 4, will use (at most) 16 worker threads.

Required	true
Type	`integer`
Default	`4`
ENV	`ALPINE_WORKER_THREAD_MULTIPLIER`

alpine.worker.threads¶

Defines the number of worker threads that the event subsystem will consume. Events occur asynchronously and are processed by the Event subsystem. This value should be large enough to handle most production situations without introducing much delay, yet small enough not to pose additional load on an already resource-constrained server. A value of 0 will instruct Alpine to allocate 1 thread per CPU core. This can further be tweaked using the alpine.worker.thread.multiplier property.

Required	true
Type	`integer`
Default	`0`
ENV	`ALPINE_WORKER_THREADS`

Task Scheduling¶

task.component.metadata.maintenance.cron¶

Cron expression of the component metadata maintenance task.

The task deletes orphaned records from the INTEGRITY_META_COMPONENT and REPOSITORY_META_COMPONENT tables.

Required	true
Type	`cron`
Default	`0 /12 * *`
ENV	`TASK_COMPONENT_METADATA_MAINTENANCE_CRON`

task.component.metadata.maintenance.lock.max.duration¶

Maximum duration in ISO 8601 format for which the component metadata maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_COMPONENT_METADATA_MAINTENANCE_LOCK_MAX_DURATION`

task.component.metadata.maintenance.lock.min.duration¶

Minimum duration in ISO 8601 format for which the component metadata maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT1M`
ENV	`TASK_COMPONENT_METADATA_MAINTENANCE_LOCK_MIN_DURATION`

task.defect.dojo.upload.cron¶

Cron expression of the DefectDojo upload task.

Required	true
Type	`cron`
Default	`0 2 * * *`
ENV	`TASK_DEFECT_DOJO_UPLOAD_CRON`

task.epss.mirror.cron¶

Cron expression of the EPSS mirroring task.

Required	true
Type	`cron`
Default	`0 1 * * *`
ENV	`TASK_EPSS_MIRROR_CRON`

task.fortify.ssc.upload.cron¶

Cron expression of the Fortify SSC upload task.

Required	true
Type	`cron`
Default	`0 2 * * *`
ENV	`TASK_FORTIFY_SSC_UPLOAD_CRON`

task.git.hub.advisory.mirror.cron¶

Cron expression of the vulnerability GitHub Advisories mirroring task.

Required	true
Type	`cron`
Default	`0 2 * * *`
ENV	`TASK_GIT_HUB_ADVISORY_MIRROR_CRON`

task.integrity.meta.initializer.cron¶

Cron expression of the integrity metadata initializer task.

Required	true
Type	`cron`
Default	`0 /12 * *`
ENV	`TASK_INTEGRITY_META_INITIALIZER_CRON`

task.integrity.meta.initializer.lock.max.duration¶

Maximum duration in ISO 8601 format for which the integrity metadata initializer task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_INTEGRITY_META_INITIALIZER_LOCK_MAX_DURATION`

task.integrity.meta.initializer.lock.min.duration¶

Minimum duration in ISO 8601 format for which the integrity metadata initializer task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT90S`
ENV	`TASK_INTEGRITY_META_INITIALIZER_LOCK_MIN_DURATION`

task.internal.component.identification.cron¶

Cron expression of the internal component identification task.

Required	true
Type	`cron`
Default	`25 /6 * *`
ENV	`TASK_INTERNAL_COMPONENT_IDENTIFICATION_CRON`

task.internal.component.identification.lock.max.duration¶

Maximum duration in ISO 8601 format for which the internal component identification task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_INTERNAL_COMPONENT_IDENTIFICATION_LOCK_MAX_DURATION`

task.internal.component.identification.lock.min.duration¶

Minimum duration in ISO 8601 format for which the internal component identification task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT90S`
ENV	`TASK_INTERNAL_COMPONENT_IDENTIFICATION_LOCK_MIN_DURATION`

task.kenna.security.upload.cron¶

Cron expression of the Kenna Security upload task.

Required	true
Type	`cron`
Default	`0 2 * * *`
ENV	`TASK_KENNA_SECURITY_UPLOAD_CRON`

task.ldap.sync.cron¶

Cron expression of the LDAP synchronization task.

Required	true
Type	`cron`
Default	`0 /6 * *`
ENV	`TASK_LDAP_SYNC_CRON`

task.ldap.sync.lock.max.duration¶

Maximum duration in ISO 8601 format for which the LDAP synchronization task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_LDAP_SYNC_LOCK_MAX_DURATION`

task.ldap.sync.lock.min.duration¶

Minimum duration in ISO 8601 format for which the LDAP synchronization task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT90S`
ENV	`TASK_LDAP_SYNC_LOCK_MIN_DURATION`

task.metrics.maintenance.cron¶

Cron expression of the metrics maintenance task.

The task deletes records older than the configured metrics retention duration from the following tables:

DEPENDENCYMETRICS
PROJECTMETRICS
PORTFOLIOMETRICS

Required	true
Type	`cron`
Default	`0 /3 * *`
ENV	`TASK_METRICS_MAINTENANCE_CRON`

task.metrics.maintenance.lock.max.duration¶

Maximum duration in ISO 8601 format for which the metrics maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_METRICS_MAINTENANCE_LOCK_MAX_DURATION`

task.metrics.maintenance.lock.min.duration¶

Minimum duration in ISO 8601 format for which the metrics maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT1M`
ENV	`TASK_METRICS_MAINTENANCE_LOCK_MIN_DURATION`

task.nist.mirror.cron¶

Cron expression of the NIST / NVD mirroring task.

Required	true
Type	`cron`
Default	`0 4 * * *`
ENV	`TASK_NIST_MIRROR_CRON`

task.osv.mirror.cron¶

Cron expression of the OSV mirroring task.

Required	true
Type	`cron`
Default	`0 3 * * *`
ENV	`TASK_OSV_MIRROR_CRON`

task.portfolio.metrics.update.cron¶

Cron expression of the portfolio metrics update task.

Required	true
Type	`cron`
Default	`10 * * * *`
ENV	`TASK_PORTFOLIO_METRICS_UPDATE_CRON`

task.portfolio.metrics.update.lock.max.duration¶

Maximum duration in ISO 8601 format for which the portfolio metrics update task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_PORTFOLIO_METRICS_UPDATE_LOCK_MAX_DURATION`

task.portfolio.metrics.update.lock.min.duration¶

Minimum duration in ISO 8601 format for which the portfolio metrics update task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT90S`
ENV	`TASK_PORTFOLIO_METRICS_UPDATE_LOCK_MIN_DURATION`

task.project.maintenance.cron¶

Cron expression of the project maintenance task.

The task deletes inactive projects based on retention policy.

Required	true
Type	`cron`
Default	`0 /4 * *`
ENV	`TASK_PROJECT_MAINTENANCE_CRON`

task.project.maintenance.lock.max.duration¶

Maximum duration in ISO 8601 format for which the project maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_PROJECT_MAINTENANCE_LOCK_MAX_DURATION`

task.project.maintenance.lock.min.duration¶

Minimum duration in ISO 8601 format for which the project maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT1M`
ENV	`TASK_PROJECT_MAINTENANCE_LOCK_MIN_DURATION`

task.repository.meta.analysis.cron¶

Cron expression of the portfolio repository metadata analysis task.

Required	true
Type	`cron`
Default	`0 1 * * *`
ENV	`TASK_REPOSITORY_META_ANALYSIS_CRON`

task.repository.meta.analysis.lock.max.duration¶

Maximum duration in ISO 8601 format for which the portfolio repository metadata analysis task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_REPOSITORY_META_ANALYSIS_LOCK_MAX_DURATION`

task.repository.meta.analysis.lock.min.duration¶

Minimum duration in ISO 8601 format for which the portfolio repository metadata analysis task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT90S`
ENV	`TASK_REPOSITORY_META_ANALYSIS_LOCK_MIN_DURATION`

task.scheduler.initial.delay¶

Scheduling tasks after 3 minutes (3601000) of starting application

Required	true
Type	`integer`
Default	`180000`
ENV	`TASK_SCHEDULER_INITIAL_DELAY`

task.scheduler.polling.interval¶

Cron expressions for tasks have the precision of minutes so polling every minute

Required	true
Type	`integer`
Default	`60000`
ENV	`TASK_SCHEDULER_POLLING_INTERVAL`

task.tag.maintenance.cron¶

Cron expression of the tag maintenance task.

The task deletes orphaned tags that are not used anymore.

Required	true
Type	`cron`
Default	`0 /12 * *`
ENV	`TASK_TAG_MAINTENANCE_CRON`

task.tag.maintenance.lock.max.duration¶

Maximum duration in ISO 8601 format for which the tag maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_TAG_MAINTENANCE_LOCK_MAX_DURATION`

task.tag.maintenance.lock.min.duration¶

Minimum duration in ISO 8601 format for which the tag maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT1M`
ENV	`TASK_TAG_MAINTENANCE_LOCK_MIN_DURATION`

task.vulnerability.analysis.cron¶

Cron expression of the portfolio vulnerability analysis task.

Required	true
Type	`cron`
Default	`0 6 * * *`
ENV	`TASK_VULNERABILITY_ANALYSIS_CRON`

task.vulnerability.analysis.lock.max.duration¶

Maximum duration in ISO 8601 format for which the portfolio vulnerability analysis task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_VULNERABILITY_ANALYSIS_LOCK_MAX_DURATION`

task.vulnerability.analysis.lock.min.duration¶

Minimum duration in ISO 8601 format for which the portfolio vulnerability analysis task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT90S`
ENV	`TASK_VULNERABILITY_ANALYSIS_LOCK_MIN_DURATION`

task.vulnerability.database.maintenance.cron¶

Cron expression of the vulnerability database maintenance task.

The task deletes orphaned records from the VULNERABLESOFTWARE table.

Required	true
Type	`cron`
Default	`0 0 * * *`
ENV	`TASK_VULNERABILITY_DATABASE_MAINTENANCE_CRON`

task.vulnerability.database.maintenance.lock.max.duration¶

Maximum duration in ISO 8601 format for which the vulnerability database maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_VULNERABILITY_DATABASE_MAINTENANCE_LOCK_MAX_DURATION`

task.vulnerability.database.maintenance.lock.min.duration¶

Minimum duration in ISO 8601 format for which the vulnerability database maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT1M`
ENV	`TASK_VULNERABILITY_DATABASE_MAINTENANCE_LOCK_MIN_DURATION`

task.vulnerability.metrics.update.cron¶

Cron expression of the vulnerability metrics update task.

Required	true
Type	`cron`
Default	`40 * * * *`
ENV	`TASK_VULNERABILITY_METRICS_UPDATE_CRON`

task.vulnerability.metrics.update.lock.max.duration¶

Maximum duration in ISO 8601 format for which the vulnerability metrics update task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_VULNERABILITY_METRICS_UPDATE_LOCK_MAX_DURATION`

task.vulnerability.metrics.update.lock.min.duration¶

Minimum duration in ISO 8601 format for which the vulnerability metrics update task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT90S`
ENV	`TASK_VULNERABILITY_METRICS_UPDATE_LOCK_MIN_DURATION`

task.vulnerability.policy.fetch.cron¶

Cron expression of the vulnerability policy bundle fetch task.

Required	true
Type	`cron`
Default	`/5 * * *`
ENV	`TASK_VULNERABILITY_POLICY_FETCH_CRON`

task.vulnerability.policy.fetch.lock.max.duration¶

Maximum duration in ISO 8601 format for which the vulnerability policy bundle fetch task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT5M`
ENV	`TASK_VULNERABILITY_POLICY_FETCH_LOCK_MAX_DURATION`

task.vulnerability.policy.fetch.lock.min.duration¶

Minimum duration in ISO 8601 format for which the vulnerability policy bundle fetch task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT5S`
ENV	`TASK_VULNERABILITY_POLICY_FETCH_LOCK_MIN_DURATION`

task.vulnerability.scan.maintenance.cron¶

Cron expression of the vulnerability scan maintenance task.

The task deletes records older than the configured retention duration from the VULNERABILITYSCAN table.

Required	true
Type	`cron`
Default	`0 * * * *`
ENV	`TASK_VULNERABILITY_SCAN_MAINTENANCE_CRON`

task.vulnerability.scan.maintenance.lock.max.duration¶

Maximum duration in ISO 8601 format for which the vulnerability database maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT15M`
ENV	`TASK_VULNERABILITY_SCAN_MAINTENANCE_LOCK_MAX_DURATION`

task.vulnerability.scan.maintenance.lock.min.duration¶

Minimum duration in ISO 8601 format for which the vulnerability database maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT1M`
ENV	`TASK_VULNERABILITY_SCAN_MAINTENANCE_LOCK_MIN_DURATION`

task.workflow.maintenance.cron¶

Cron expression of the workflow maintenance task.

The task:

Transitions workflow steps from PENDING to TIMED_OUT state
Transitions workflow steps from TIMED_OUT to FAILED state
Transitions children of FAILED steps to CANCELLED state
Deletes finished workflows according to the configured retention duration

Required	true
Type	`cron`
Default	`/15 * * *`
ENV	`TASK_WORKFLOW_MAINTENANCE_CRON`

task.workflow.maintenance.lock.max.duration¶

Maximum duration in ISO 8601 format for which the workflow maintenance task will hold a lock.

The duration should be long enough to cover the task's execution duration.

Required	true
Type	`duration`
Default	`PT5M`
ENV	`TASK_WORKFLOW_MAINTENANCE_LOCK_MAX_DURATION`

task.workflow.maintenance.lock.min.duration¶

Minimum duration in ISO 8601 format for which the workflow maintenance task will hold a lock.

The duration should be long enough to cover eventual clock skew across API server instances.

Required	true
Type	`duration`
Default	`PT1M`
ENV	`TASK_WORKFLOW_MAINTENANCE_LOCK_MIN_DURATION`