Configuration reference
Pullminder reads .pullminder.yml from the current working directory when it runs. Generate a starter file with pullminder init or create one by hand using the fields below.
Top-level fields
| Field | Type | Default | Description |
|---|---|---|---|
| `version` | integer | `1` | Schema version. Must be `1`. |
| `packs.enabled` | list of slugs | `['secrets', 'sensitive-paths', 'test-conventions', 'review-quality', 'dependency-detection']` | Pattern packs to run. Authoritative when non-empty: only listed packs run. Leave empty (`[]`) to enable every default-enabled pack in the catalog. |
| `packs.disabled` | list of slugs | `[]` | Packs to exclude. Overrides `enabled` and also applies to structural analyzers. |
| `min_severity` | string | `info` | Minimum severity reported. Canonical values: `critical`, `error`, `warning`, `info`. Aliases: `low` → `info`, `medium` → `warning`, `high` → `error`. |
| `ignore` | list of globs | `['vendor/**', 'node_modules/**', '*.generated.*']` | Paths skipped before any analyzer runs. Uses doublestar glob syntax (supports `**`). |
| `risk.warn` | integer | `25` | Score threshold above which results render with a warning banner. |
| `risk.block` | integer | `75` | Score threshold above which `pullminder check` exits with code 1 in strict mode. |
| `telemetry` | boolean | unset | Omitted by default. Setting it to `false` is an explicit opt-out (opt-out is also possible via the environment); set it to `true` to force-enable telemetry even when `CI=true`. |
How packs.enabled is evaluated
Pullminder distinguishes pattern packs (regex-based detectors such as `secrets`, `go-security`, `infra-security`) from structural analyzers (built-in checks such as `diff-size`, `files-changed`, `sensitive-paths`, `test-conventions`, `dependency-detection`).

- Empty `enabled` list: every default-enabled pack runs, plus every structural analyzer that is not in `disabled`.
- Non-empty `enabled` list: only the listed pattern packs run. Structural analyzers still run unless they appear in `disabled`. Default-enabled pattern packs not listed are excluded; `pullminder packs list` reports them as `disabled` with source `config:enabled-list`.
Discover slugs with:

```
pullminder packs list
pullminder packs info <slug>
```

Example: minimal
```yaml
version: 1
packs:
  enabled:
    - secrets
    - sensitive-paths
    - test-conventions
    - review-quality
    - dependency-detection
  disabled: []
min_severity: info
ignore:
  - "vendor/**"
  - "node_modules/**"
  - "*.generated.*"
risk:
  warn: 25
  block: 75
```

Example: strict multi-language repo
```yaml
version: 1
packs:
  enabled:
    - secrets
    - go-security
    - python-security
    - infra-security
    - sensitive-paths
    - test-conventions
    - dependency-detection
  disabled:
    - review-quality # we don't gate on diff size yet
min_severity: warning
ignore:
  - "vendor/**"
  - "node_modules/**"
  - "**/*.generated.go"
  - "dist/**"
risk:
  warn: 30
  block: 60
telemetry: false
```

Severity aliases
The severity scale has canonical values `critical`, `error`, `warning`, `info`. The CLI accepts three aliases so common conventions work without surprise:

| Alias | Canonical |
|---|---|
| `low` | `info` |
| `medium` | `warning` |
| `high` | `error` |
Aliases are accepted wherever a severity is parsed — min_severity, --fail-on, and the pack catalog.
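The two rules above (how `packs.enabled` / `packs.disabled` are evaluated against the catalog, and how severity aliases map to canonical values) are easy to get wrong when auditing a config by eye. The following is an added illustration, not Pullminder's own code: `CATALOG` is a constructed stand-in for `pullminder packs list` output, the kind of `review-quality` is assumed, and every reason string other than `config:enabled-list` is an assumed label.

```python
# Added illustration, not Pullminder's own code. CATALOG is a constructed
# stand-in; every reason string except "config:enabled-list" is an assumed label.
SEVERITY_ALIASES = {"low": "info", "medium": "warning", "high": "error"}
CANONICAL_SEVERITIES = ("critical", "error", "warning", "info")

# slug -> (kind, default_enabled); "pattern" = regex pack, "structural" = analyzer
CATALOG = {
    "secrets": ("pattern", True),
    "review-quality": ("pattern", True),  # kind assumed for illustration
    "go-security": ("pattern", False),
    "python-security": ("pattern", False),
    "infra-security": ("pattern", False),
    "diff-size": ("structural", True),
    "files-changed": ("structural", True),
    "sensitive-paths": ("structural", True),
    "test-conventions": ("structural", True),
    "dependency-detection": ("structural", True),
}


def canonical_severity(value: str) -> str:
    """Map low/medium/high to the canonical name; reject anything unknown."""
    sev = value.strip().lower()
    sev = SEVERITY_ALIASES.get(sev, sev)
    if sev not in CANONICAL_SEVERITIES:
        raise ValueError(f"unknown severity {value!r}")
    return sev


def resolve_packs(config: dict, catalog: dict = CATALOG) -> dict:
    """Return {slug: (runs, reason)} per the packs.enabled / packs.disabled rules."""
    packs = config.get("packs") or {}
    enabled = list(packs.get("enabled") or [])
    disabled = set(packs.get("disabled") or [])
    unknown = [s for s in enabled + sorted(disabled) if s not in catalog]
    if unknown:
        raise ValueError(f"unknown pack slug(s): {unknown}")
    status = {}
    for slug, (kind, default_on) in catalog.items():
        if slug in disabled:          # disabled overrides enabled and analyzers
            status[slug] = (False, "config:disabled")
        elif kind == "structural":    # analyzers run unless explicitly disabled
            status[slug] = (True, "structural")
        elif not enabled:             # empty list: fall back to catalog defaults
            status[slug] = (default_on, "default")
        elif slug in enabled:         # non-empty list is authoritative
            status[slug] = (True, "config:enabled")
        else:                         # default-on pack left off the list
            status[slug] = (False, "config:enabled-list")
    return status
```

Feed it the parsed `packs:` section of either example above and compare the result with what `pullminder packs list` reports; a mismatch means the catalog stand-in, not the rules, differs from your installation.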
Related commands
- `pullminder init`: scaffold a `.pullminder.yml`
- `pullminder packs list`: discover pack slugs and see effective status
- `pullminder config`: update fields in place while preserving comments