# Configuration guide
Rugproof reads .rugproof.yml at your repo root. Everything is optional — with no config, Rugproof audits src/**/*.sol and contracts/**/*.sol and blocks CI on high+ findings. Start by copying .rugproof.yml.example.
## Key settings

| Key | Default | Purpose |
|---|---|---|
| `severity_threshold` | `high` | CI/hook gate: findings at this severity or worse exit non-zero. |
| `profile` | `standard` | `strict` / `standard` / `lenient` rule weighting. |
| `chains` | 10 EVM chains | Targets for `/audit-live`, `/simulate`, `/verify-deploy`. |
| `include` / `exclude` | `src,contracts` / `test,lib` | Globs that scope every audit. |
| `ignore` | — | Per-finding suppressions (id + path + a documented reason). |
| `auto_specialists` | `true` | Auto-dispatch protocol specialists from `/audit`. |
| `cache` | enabled, 30d | Skip unchanged files on re-audit (see caching-and-incremental). |
| `privacy_mode` | `false` | Never send any data off-machine; cache in tmpfs only. |
| `offline` | `false` | No external API calls. Equivalent to `RUGPROOF_OFFLINE=1`. |
## Recipes

### Block CI only on Critical

```yaml
severity_threshold: critical
hooks:
  pre_push: { enabled: true, fail_on: critical }
```

### Monorepo: audit one package, cache aggressively

```yaml
include: ["packages/core/src/**/*.sol"]
exclude: ["**/test/**", "**/mocks/**"]
cache: { enabled: true, ttl_days: 30 }
```

### Fully offline / air-gapped

```yaml
offline: true
telemetry: { enabled: false, crash_reports: false }
update_check: { enabled: false }
```
Or set the env var RUGPROOF_OFFLINE=1 for a single run — every MCP server falls back to labeled stub data and no network call is made.
## Inline suppression (in code)

```solidity
// rugproof-ignore: REENT-001 — single trusted caller, reviewed 2025-Q4
function trustedOp() external onlyOwner { ... }
```
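To make the gating rules concrete (the `severity_threshold` gate, `ignore` entries that need id + path + a documented reason, and the inline `rugproof-ignore` comment), here is an added, self-contained model of that logic. It is not Rugproof's own code: the severity ordering, the rule that an inline comment covers only the next line, and the rejection of `ignore` entries without a reason are assumptions, and the config, Solidity excerpt and finding ids are constructed.

```python
import re
from dataclasses import dataclass
# Assumed severity ordering, lowest to highest; the page itself only names "high" and "critical".
SEVERITIES = ["info", "low", "medium", "high", "critical"]

# Constructed config using the key names from the table; the second ignore entry lacks a reason.
CONFIG = {
    "severity_threshold": "high",
    "ignore": [
        {"id": "REENT-001", "path": "src/Vault.sol", "reason": "single trusted caller, reviewed 2025-Q4"},
        {"id": "ORACLE-003", "path": "src/Pricing.sol"},
    ],
}

# Constructed Solidity excerpt carrying one inline suppression in the form shown above.
SOURCE = """\
contract Vault {
    // rugproof-ignore: ORACLE-003 \u2014 TWAP window reviewed 2025-Q4
    function price() external view returns (uint256) { return oracle.read(); }
    function withdraw() external { payable(msg.sender).transfer(1 ether); }
}
"""
INLINE_RE = re.compile(r"//\s*rugproof-ignore:\s*([A-Z]+-\d+)\s*[\u2014-]\s*(\S.*)")

@dataclass(frozen=True)
class Finding:
    id: str
    path: str
    line: int
    severity: str

def inline_suppressions(source: str) -> set:
    """(id, line) pairs covered by a rugproof-ignore comment on the preceding line (assumed scope)."""
    out = set()
    for n, text in enumerate(source.splitlines(), start=1):
        m = INLINE_RE.search(text)
        if m:
            out.add((m.group(1), n + 1))
    return out

def config_suppressions(config: dict) -> set:
    """(id, path) pairs from the ignore list; entries without a documented reason do not count."""
    return {(e["id"], e["path"]) for e in config.get("ignore", []) if e.get("reason", "").strip()}

def gate(findings: list, config: dict, sources: dict) -> tuple:
    """Return (exit code, blocking findings): non-zero if any unsuppressed finding meets the threshold."""
    threshold = SEVERITIES.index(config.get("severity_threshold", "high"))
    by_cfg = config_suppressions(config)
    by_inline = {(fid, p, ln) for p, src in sources.items() for fid, ln in inline_suppressions(src)}
    blocking = [f for f in findings if SEVERITIES.index(f.severity) >= threshold
                and (f.id, f.path) not in by_cfg and (f.id, f.path, f.line) not in by_inline]
    return (1 if blocking else 0), blocking
```

Run `gate(findings, CONFIG, {"src/Vault.sol": SOURCE})` with your own findings list: a `high` finding on `src/Pricing.sol` still blocks because its `ignore` entry has no reason, while the inline-commented `price()` line and the config-suppressed `REENT-001` pass.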
## API keys
Live integrations read keys from the environment, never from .rugproof.yml: ETHERSCAN_API_KEY (one key, all Etherscan v2 chains), BERATRAIL_API_KEY, TENDERLY_ACCESS_KEY/TENDERLY_ACCOUNT/TENDERLY_PROJECT, GITHUB_TOKEN (raises the history rate limit). All are optional — absent keys degrade to mock data.