Project config (.vulkro-sf.yml)
Drop a .vulkro-sf.yml at (or above) your SFDX project root and
vulkro-sf antipatterns picks it up automatically. The scanner walks
up to four parent directories looking for the file, so a scan
against force-app/ finds the sibling config at the project root.
The file is optional; when it is absent, the scanner uses its defaults. A malformed file logs a warning and the scanner falls back to defaults rather than failing the scan.
Schema
# Detectors to silence for this project. Each entry is an AP-NNN id.
# Findings from these detectors are dropped from the output before
# the cache write, so a later config-only change re-emits them
# without re-running detectors.
disable:
- AP-013 # SOQL without WHERE/LIMIT - noisy on a reporting-heavy package
- AP-029 # Cross-package class - silenced because we genuinely depend on a partner
# Salesforce namespaces the project owns, beyond what sfdx-project.json
# declares. Merged additively with the --exclude-namespace CLI flag.
# Use for legacy / merged-package projects (NPSP carries npe01 /
# npe03 / npo02 namespaces alongside its top-level npsp).
extra_excluded_namespaces:
- npe01
- npe03
- npo02
All fields are optional. Omitted fields are not interpreted as empty arrays - they keep scanner defaults.
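A CI-side audit of which config a scan will pick up and which detectors it silences, as an added example (not vulkro-sf's own code). It assumes the scan target itself is checked before the four parents, that AP-NNN means exactly three digits, and a hypothetical approved-disable set; the parser covers only the two list shapes shown on this page.

```python
import re
from pathlib import Path

CONFIG_NAME = ".vulkro-sf.yml"
MAX_PARENTS = 4                      # "walks up to four parent directories"
AP_ID = re.compile(r"AP-\d{3}")      # assumption: NNN means exactly three digits

# Constructed sample config, using both list shapes that appear on this page.
SAMPLE = """\
disable:
  - AP-013   # noisy on a reporting-heavy package
  - AP-29    # typo: not a valid id
  - AP-029
extra_excluded_namespaces: [npe01, npe03]
"""

def find_config(scan_target):
    """Return the config a scan of scan_target would pick up, or None.
    Assumption: the target directory is checked first, then four parents."""
    d = Path(scan_target).resolve()
    for _ in range(MAX_PARENTS + 1):
        if (d / CONFIG_NAME).is_file():
            return d / CONFIG_NAME
        if d.parent == d:            # reached the filesystem root
            break
        d = d.parent
    return None

def read_lists(text):
    """Parse only top-level 'key:' lists, in block ('- x') or flow ('[x, y]') form."""
    out, key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop trailing comments
        m = re.fullmatch(r"(\w+):\s*(?:\[(.*)\])?", line)
        if m:
            key = m.group(1)
            out[key] = [v.strip() for v in (m.group(2) or "").split(",") if v.strip()]
        elif key and line.lstrip().startswith("- "):
            out[key].append(line.lstrip()[2:].strip())
    return out

def audit(scan_target, approved):
    """List every disable entry that is malformed or not in the approved set."""
    cfg = find_config(scan_target)
    if cfg is None:
        return []                    # no file: scanner defaults, nothing silenced
    disabled = read_lists(cfg.read_text()).get("disable", [])
    return [f"{d}: not an AP-NNN id" if not AP_ID.fullmatch(d)
            else f"{d}: disabled without approval"
            for d in disabled if not AP_ID.fullmatch(d) or d not in approved]
```

Run `audit()` against the same path you pass to the scanner, so the check sees the config the scan would inherit from a parent directory.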
Honesty notes
- Cache invalidation is automatic. The cache key includes the
effective compliance flags and namespace set, so editing
extra_excluded_namespaces invalidates the relevant entries without your needing to pass --no-cache. disable does not affect the cache. The full finding set is cached pre-filter, so removing an entry from disable re-emits those findings immediately on the next scan.
- The config file is per-project, not per-detector. Detector-level tuning (severity thresholds, allow-lists) lives in the scanner itself; if you need that level of control, open an issue with the detector id.
- No secrets. The file is read into memory and never sent anywhere. The scanner is offline by design; the config is the same.
CLI equivalents
Every config-file knob has a CLI equivalent so CI runners can avoid checking in a file:
| Config file | CLI flag |
|---|---|
| disable: [AP-013] | (no CLI equivalent - this is config-only) |
| extra_excluded_namespaces: [npe01] | --exclude-namespace=npe01 |
CLI flags override the config file when both set the same field.
Where to go next
- vulkro-sf antipatterns - the full CLI reference including every flag the config-file fields shadow.
- Suppress comments - drop a single finding without disabling the whole detector.
- Incremental cache - the cache the disable field bypasses on read.