
Configuration

Revet is configured via .revet.toml in your project root. Run revet init to generate a starter file.

Full reference

[general]
diff_base = "main" # branch to diff against (default: "main")
fail_on = "error" # exit code threshold: "error" | "warning" | "info" | "never"

[modules]
# On by default
security = true # secret exposure + SQL injection
ml = true # ML pipeline anti-patterns
cycles = true # circular import detection

# Off by default — opt in as needed
infra = false # Terraform, Kubernetes, Docker
react = false # React hooks rules
async_patterns = false # async/await anti-patterns
dependency = false # import hygiene + unpinned versions
error_handling = false # empty catches, .unwrap(), bare except
complexity = false # overly complex functions
complexity_threshold = 10 # cyclomatic complexity warn threshold (error at 2×)
dead_imports = false # imports never used in the same file
dead_code = false # exported symbols never imported elsewhere
toolchain = false # CI tools not declared in manifests
hardcoded_endpoints = false # hardcoded IPs and production/staging URLs
magic_numbers = false # unnamed numeric literals (magic numbers)
test_coverage = false # public symbols with no test file mention
duplication = false # copy-paste code blocks across files
duplication_min_lines = 6 # minimum block size to flag (default: 6, min: 3)
call_graph_depth = 3 # transitive caller depth for impact analysis (default: 3)

# Quality gate — fail the run if finding counts exceed limits
[gate]
error_max = 0 # fail if any errors
warning_max = 10 # fail if more than 10 warnings
# info_max = 50 # optional info limit

[ignore]
paths = ["vendor/", "node_modules/", "dist/", "target/"]
findings = ["SEC-003"] # suppress specific finding IDs globally

[ignore.per_path]
# Suppress specific rule prefixes for matching file globs
"**/tests/**" = ["SEC", "SQL"] # ignore SEC and SQL in test files
"**/fixtures/**" = ["*"] # suppress all findings in fixtures

[output]
format = "terminal" # "terminal" | "json" | "sarif" | "github"
color = true
show_evidence = true

[ai]
provider = "anthropic" # "anthropic" | "openai" | "ollama"
model = "claude-sonnet-4-20250514"
api_key = "sk-..." # prefer the ANTHROPIC_API_KEY / OPENAI_API_KEY env var: a key written here is committed with the repo; not needed for ollama
max_cost_per_run = 1.00 # USD cap per run (ignored for ollama); default: 1.00
# base_url = "http://localhost:11434" # override API endpoint (ollama or OpenAI-compatible proxy)

# Custom rules — zero or more
[[rules]]
id = "no-console-log"
pattern = 'console\.log'
message = "console.log should not be used in production"
severity = "warning"
paths = ["*.ts", "*.js"]
suggestion = "Use the logger utility instead"
fix_find = 'console\.log\('
fix_replace = 'logger.info('
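How a [[rules]] entry behaves at scan time, as an added Python example that is not Revet's own code: it runs the no-console-log rule from the reference above over constructed files, reports one finding per line that `pattern` matches in files selected by `paths`, and rewrites `fix_find` matches to `fix_replace`. Matching the `paths` globs against the file name, and the shape of the finding records, are assumptions made for the example.

```python
import re
from fnmatch import fnmatch

# The [[rules]] entry from the reference above, as a parsed table (constructed for this example).
RULES = [{
    "id": "no-console-log",
    "pattern": r"console\.log",
    "message": "console.log should not be used in production",
    "severity": "warning",
    "paths": ["*.ts", "*.js"],
    "suggestion": "Use the logger utility instead",
    "fix_find": r"console\.log\(",
    "fix_replace": "logger.info(",
}]

# Constructed project files, keyed by repo-relative path.
FILES = {
    "src/app.ts": [
        "import { logger } from './log';",
        "console.log('starting');",
        "// console.log is banned here, use logger",
        "logger.info('ready');",
    ],
    "src/legacy.js": ["console.log(user.email);"],
    "README.md": ["Run with DEBUG=1 to see console.log output."],
}


def rule_applies(rule, path):
    # Assumption: `paths` globs are matched against the file name; an absent list means every file.
    globs = rule.get("paths")
    return not globs or any(fnmatch(path.rsplit("/", 1)[-1], g) for g in globs)


def scan(rules, files):
    """Run every rule's `pattern` over the files it applies to; one finding per matching line."""
    findings = []
    for path, lines in files.items():
        for rule in rules:
            if not rule_applies(rule, path):
                continue
            regex = re.compile(rule["pattern"])
            for lineno, text in enumerate(lines, start=1):
                if regex.search(text):
                    findings.append({
                        "id": rule["id"], "severity": rule["severity"],
                        "path": path, "line": lineno, "evidence": text.strip(),
                        "message": rule["message"], "suggestion": rule.get("suggestion"),
                    })
    return findings


def apply_fixes(rules, files):
    """Rewrite `fix_find` matches to `fix_replace` in the files a rule applies to; returns new contents."""
    fixed = {}
    for path, lines in files.items():
        new_lines = list(lines)
        for rule in rules:
            if "fix_find" in rule and rule_applies(rule, path):
                regex = re.compile(rule["fix_find"])
                new_lines = [regex.sub(rule["fix_replace"], line) for line in new_lines]
        fixed[path] = new_lines
    return fixed


if __name__ == "__main__":
    for f in scan(RULES, FILES):
        print(f"{f['severity']}: {f['message']}  {f['path']}:{f['line']}  {f['evidence']}")
    for path, lines in apply_fixes(RULES, FILES).items():
        print(path, [line for line in lines if line not in FILES[path]])
```

Two things are worth noticing in the output. The rule fires on line 3 of src/app.ts, which is only a comment, because `pattern` is a plain regex with no knowledge of the language's syntax. And `fix_find` carries the opening parenthesis, so the rewrite touches the real calls and leaves that comment alone. Keep a custom `pattern` as specific as its `fix_find`, and review findings with show_evidence on before trusting an automatic fix.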

Quality gate

The [gate] section lets you fail CI if finding counts exceed per-severity limits. This is an alternative to fail_on when you want numeric thresholds rather than a severity floor.

[gate]
error_max = 0 # fail if there are any errors
warning_max = 10 # fail if warnings exceed 10
info_max = 50 # fail if info findings exceed 50

You can also override the gate on the CLI without changing the config file:

revet review --gate error:0,warning:5

CLI --gate takes precedence over [gate] in config, which takes precedence over --fail-on.

Inline suppression

Silence findings for a specific line without changing config:

password = "test-fixture"  # revet-ignore SEC
api_key = get_key() # revet-ignore SEC SQL

Multiple prefixes can be listed space-separated after revet-ignore. The comment can appear on the same line as the code or on the line immediately before it. Any comment style works (#, //, --, /* */).

Per-path suppression

Suppress specific rule prefixes for entire directories or file patterns, without touching the source files:

[ignore.per_path]
"**/tests/**" = ["SEC", "SQL"] # ignore SEC and SQL findings in all test files
"**/fixtures/**" = ["*"] # suppress everything in fixtures
"**/migrations/**" = ["SQL"] # SQL rules are noise in migration files

The keys are glob patterns matched against each file's path relative to the repo root. The values are lists of finding ID prefixes (SEC covers SEC-003 and every other SEC-… finding), or ["*"] to suppress all findings for that path. A ["*"] entry silences the security module along with everything else, so scope wildcard suppressions to directories that really hold only test data.
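How the three suppression layers and the gate combine, as an added Python example that is not Revet's own code: it applies [ignore].findings, the inline revet-ignore marker and [ignore.per_path] to a constructed set of findings, then decides pass or fail with the documented precedence (CLI --gate, then [gate], then fail_on). The glob semantics, the finding IDs other than SEC-003, and the rule that a marker on the preceding line counts only when that line is a comment are assumptions made for the example.

```python
import re
from collections import Counter

# The [general], [gate] and [ignore] tables of a constructed .revet.toml, as a parser would return them.
CONFIG = {
    "general": {"fail_on": "warning"},
    "gate": {"error_max": 0, "warning_max": 1},
    "ignore": {
        "findings": ["SEC-003"],
        "per_path": {"**/tests/**": ["SEC", "SQL"], "**/fixtures/**": ["*"]},
    },
}

# Constructed source files (repo-relative path -> lines) and constructed findings
# (finding id, severity, path, 1-based line) as a scanner might report them.
FILES = {
    "src/db.py": [
        'query = "SELECT * FROM users WHERE id = " + user_id',
        "# revet-ignore SEC",
        'password = "hunter2"',
    ],
    "src/tests/test_db.py": ['password = "dummy"'],
    "src/fixtures/data.py": ['key = "abc"'],
}
FINDINGS = [
    ("SQL-001", "error", "src/db.py", 1),
    ("SEC-001", "error", "src/db.py", 3),
    ("SEC-003", "warning", "src/db.py", 3),
    ("SEC-001", "error", "src/tests/test_db.py", 1),
    ("CPLX-001", "warning", "src/tests/test_db.py", 1),
    ("SEC-001", "error", "src/fixtures/data.py", 1),
]

SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2}
MARKER = re.compile(r"revet-ignore((?:\s+[A-Za-z0-9_-]+)+)")

def glob_to_regex(pattern):
    # Assumed gitignore-like semantics: '**' may span directories, '*' and '?' may not.
    table = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*/|\*\*|\*|\?)", pattern)
    return re.compile("^" + "".join(table.get(p, re.escape(p)) for p in parts) + "$")

def matches_prefix(finding_id, prefixes):
    return any(p == "*" or finding_id.startswith(p) for p in prefixes)

def inline_prefixes(lines, lineno):
    """Prefixes after revet-ignore on the flagged line, or on the line before it if that is a comment."""
    candidates = [(lines[lineno - 1], False)] if 0 < lineno <= len(lines) else []
    if 1 < lineno <= len(lines) + 1:  # assumption: a previous-line marker counts only on a comment line
        candidates.append((lines[lineno - 2], True))
    prefixes = set()
    for text, must_be_comment in candidates:
        m = MARKER.search(text)
        if m and (not must_be_comment or text.strip().startswith(("#", "//", "--", "/*"))):
            prefixes.update(m.group(1).split())
    return prefixes

def suppress(findings, config, files):
    """Split findings into (kept, [(finding, reason), ...]) using [ignore] and inline markers."""
    ignore = config.get("ignore", {})
    global_ids = set(ignore.get("findings", []))
    per_path = [(g, glob_to_regex(g), p) for g, p in ignore.get("per_path", {}).items()]
    kept, suppressed = [], []
    for finding in findings:
        fid, _sev, path, lineno = finding
        if fid in global_ids:
            reason = "ignore.findings"
        elif matches_prefix(fid, inline_prefixes(files.get(path, []), lineno)):
            reason = "inline revet-ignore"
        else:
            reason = next((f"per-path rule: {g}" for g, rx, p in per_path
                           if rx.match(path) and matches_prefix(fid, p)), None)
        (suppressed if reason else kept).append((finding, reason) if reason else finding)
    return kept, suppressed

def parse_cli_gate(spec):
    """'error:0,warning:5' (the --gate syntax) -> {'error_max': 0, 'warning_max': 5}."""
    return {f"{k}_max": int(v) for k, v in (item.split(":") for item in spec.split(","))}

def evaluate(kept, config, cli_gate=None):
    """Documented precedence: CLI --gate, then [gate] in config, then fail_on. Returns (fails, why)."""
    counts = Counter(sev for _, sev, _, _ in kept)
    gate = cli_gate if cli_gate is not None else config.get("gate")
    if gate:  # numeric per-severity limits; fail_on is not consulted at all
        over = [f"{counts[s]} {s}(s) > {s}_max={gate[s + '_max']}" for s in SEVERITY_RANK
                if s + "_max" in gate and counts[s] > gate[s + "_max"]]
        return bool(over), "; ".join(over) or "within gate limits"
    floor = config.get("general", {}).get("fail_on", "error")  # severity floor; "never" disables it
    worst = max((SEVERITY_RANK[s] for s in counts.elements()), default=-1)
    return floor != "never" and worst >= SEVERITY_RANK[floor], f"fail_on = {floor}"

def run(cli_gate_spec=None, config=CONFIG):
    """Suppress, then gate; cli_gate_spec mirrors the argument of `revet review --gate ...`."""
    kept, suppressed = suppress(FINDINGS, config, FILES)
    fails, why = evaluate(kept, config, parse_cli_gate(cli_gate_spec) if cli_gate_spec else None)
    return {"kept": kept, "suppressed": suppressed, "fails": fails, "why": why}
```

With the constructed input, `run()` keeps two findings: the SQL-001 error in src/db.py (no marker covers it) and the CPLX-001 warning in src/tests/test_db.py, which the ["SEC", "SQL"] per-path list does not reach. The [gate] then fails the run on error_max = 0, while `run("error:1,warning:1")` passes because the CLI gate replaces it. Note what the precedence implies: once any gate is active, fail_on is ignored entirely, so a gate with only warning_max set would let errors through.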

Viewing suppressed findings

Use --show-suppressed to see which findings were suppressed and why, without changing what affects the exit code:

revet review --show-suppressed

Each suppressed finding is shown with a dimmed [suppressed: <reason>] tag:

  ⚠️  Possible Hardcoded Password  tests/fixtures/setup.py:8
[suppressed: per-path rule: **/tests/**]

The summary line shows a breakdown: 51 finding(s) suppressed (3 inline, 48 per-path).

Baseline

Snapshot all current findings so future runs only report new ones:

revet baseline          # create / update
revet baseline --clear # remove

The baseline file (.revet-cache/baseline.json) should be committed to your repo so the whole team shares the same baseline.