Settings reference

All organization settings live under the Settings section in the left sidebar. Changes apply to your current organization only.

LLM configuration

/settings/llm

API: GET / PUT /api/settings/llm

Configure the model used for AI-assisted SAST, LLM secret detection, zero-day analysis, Suggest fix, and Open fix PR file rewriting.

Fields

Field	Description
Provider	Preset: OpenAI, OpenRouter, Azure, Ollama, or custom. Sets default base URL and model.
Base URL	OpenAI-compatible API root (e.g. `https://api.openai.com/v1`, `https://openrouter.ai/api/v1`, `http://localhost:11434` for Ollama).
Model	Model ID sent to the API (e.g. `gpt-4o-mini`, `google/gemini-2.5-flash`, `qwen2.5-coder:7b`).
API key	Stored encrypted per organization. Leave blank on save to keep existing key. Env fallback: `LLM_API_KEY`, `OPENAI_API_KEY`, `OPENROUTER_API_KEY`.
Enable LLM SAST	When on, full scans use LLM code analysis instead of pattern-only SAST; enables zero-day scanner on full scans.
Enable LLM secrets	When on, secrets scanner uses LLM in addition to patterns.
OSV API URL	Software composition / vulnerability database endpoint (default OSV.dev).
Vuln DB mode	`online` (query OSV) or offline mode when air-gapped.

Ollama tip: Run Ollama on the host; set base URL to your Ollama host. Use README model table for memory vs quality tradeoffs.

Security policies

/settings/policies

API: GET/POST /api/settings/policies, PATCH/DELETE /api/settings/policies/[policyId]

Organization-wide rules expressed in natural language. LLM SAST uses enabled policies as extra context when analyzing code.

Creating a policy

Name — Short label.
Rule — What to flag (plain English). Example: “Flag hardcoded API keys in source files.”
Severity — CRITICAL, HIGH, MEDIUM, LOW.
Category — Optional tag (Configuration, Auth, etc.).
Enabled — Toggle without deleting.

Use example templates on the page to seed common policies.

Build gates

/settings/build-gates

API: PUT /api/settings/build-gates with projectId

Per-project thresholds evaluated when a scan completes. Result stored on the scan as gateResult: PASS, FAIL, or WARN.

Fields

Field	Description
Max critical	Fail if critical count exceeds this (default 0 = no critical allowed).
Max high / medium / low	Upper limits per severity. Use `-1` for unlimited (UI empty = -1).
Fail on new	When enabled, fail if any finding is new compared to the previous completed scan on the same project.

Select a project from the dropdown, adjust thresholds, click Save. View gate status on the project page and scan list.

Team

/settings/team

API: GET/POST /api/users, PATCH/DELETE /api/users/[memberId]

Manage organization membership and roles.

Roles

Role	Typical use
`ADMIN`	Full org settings, team management
`SECURITY`	Run scans, triage findings, configure policies
`DEVELOPER`	View and update finding status, open fix PRs
`VIEWER`	Read-only access

Invite flow

Enter email and role, send invite.
New users receive credentials by email when SMTP is configured.
Existing users are added to the org immediately.

Integrations

/settings/integrations

Connect external systems and automate scans.

GitHub (OAuth)

One authorization for: repository import, private git clone on worker, Open fix PR.
Connect GitHub → OAuth flow → token stored encrypted (TOKEN_ENCRYPTION_KEY or NEXTAUTH_SECRET).
Disconnect revokes and removes stored token.
Manage repos on Repositories page.

No personal access token UI — OAuth only for fix PRs.

GitLab webhook

Copy webhook URL: {your-app}/api/webhooks/gitlab
Configure in GitLab project → Webhooks for push/MR events.
Set GITLAB_* env vars if using GitLab OAuth (optional).

GitHub webhook

POST /api/webhooks/github — set GITHUB_WEBHOOK_SECRET in env and configure the secret in your GitHub repo/org webhook.

CI / API key

The integrations page shows a sample curl to POST /api/scans with an API key header. Create API keys via your deployment’s admin/seed process or future UI.

Project settings (not under Settings menu)

/projects/[projectId]/settings

Edit project name and description only.

Scan schedule is not in this UI — use PUT /api/projects/{projectId}/schedule (see README).