04 Configuration

Customize to your needs

Create a vexlit.config.js to disable rules, override severity, or ignore paths.

vexlit.config.js
export default {
  languages: ["javascript", "typescript", "python"],
  ignore: ["vendor/", "generated/"],
  rules: {
    "VEXLIT-019": false,           // Disable a rule
    "VEXLIT-004": { severity: "critical" }, // Override severity
  },
};

Default ignored paths

node_modules, .git, dist, build, .next, __pycache__, .venv, coverage

07 Setup Guides

Project-specific configuration

Recommended setup for common project types.

Monorepo

For Nx, Turborepo, or Lerna monorepos, scan from the root. VEXLIT auto-detects language boundaries per package.

# Scan entire monorepo
vexlit scan .

# Scan specific package
vexlit scan packages/api

# Diff scan in CI (recommended)
vexlit scan --diff --fail-on medium

Next.js / React

VEXLIT detects JSX/TSX automatically. Focus on API routes and server components where user input flows into sensitive operations.

# Scan app directory
vexlit scan src/app

# Include API routes + components
vexlit scan src/ --fail-on critical
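
A flow of the kind described above, from a query parameter to an outbound request in a route handler, next to a hardened form. This is an added example, not code from VEXLIT or its documentation, and it makes no claim about which rule reports it. ALLOWED_HOSTS, checkOutboundUrl, unsafeGET, safeGET and the injected fetchImpl parameter are hypothetical names, and the handlers assume Node 18+ globals (URL, Response, fetch).

```javascript
// Added example: Next.js-style route handlers reduced to plain Node 18+ code.
// All names and host values below are illustrative (constructed), not VEXLIT's.
const ALLOWED_HOSTS = new Set(["images.example.com", "cdn.example.com"]);

// Validate a user-supplied URL before it reaches an outbound request (the sink).
function checkOutboundUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  // "https://allowed-host@other-host/" parses with other-host as the hostname.
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (url.port !== "") return { ok: false, reason: "non-default port" };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: "host not allowed" };
  return { ok: true, url: url.href }; // normalized form, not the raw string
}

// BEFORE: the query parameter (source) flows straight into fetch (sink).
async function unsafeGET(request, fetchImpl = fetch) {
  const target = new URL(request.url).searchParams.get("url");
  const upstream = await fetchImpl(target);
  return new Response(await upstream.text());
}

// AFTER: same route, value validated first and redirects refused, so an
// allowed host cannot bounce the request to a different destination.
async function safeGET(request, fetchImpl = fetch) {
  const verdict = checkOutboundUrl(new URL(request.url).searchParams.get("url"));
  if (!verdict.ok) return new Response(verdict.reason, { status: 400 });
  const upstream = await fetchImpl(verdict.url, { redirect: "error" });
  return new Response(await upstream.text());
}
```

The allowlist compares the parsed hostname, never a substring of the raw input, which is why the lookalike and userinfo forms are rejected.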

Django / Flask (Python)

Python projects are scanned for SQL injection, SSTI, SSRF, and insecure deserialization. Virtual env directories are auto-ignored.

# Scan Django project
vexlit scan myproject/

# Exclude migrations
vexlit scan . --ignore 'migrations/'

Spring Boot (Java)

Java/Kotlin projects get full taint analysis. VEXLIT traces user input through controllers, services, and repositories.

# Scan Java sources
vexlit scan src/main/java

# Include Kotlin sources
vexlit scan src/main --fail-on high