CLI Configuration File

Configuration File

Once the Command Line Interface (CLI) is installed, run regscale init to create a file called init.yaml containing the configuration settings. These settings are enumerated below.

Editing a Setting

See Config for details on viewing and updating individual settings.

Configuration Sources

The CLI loads configuration from multiple sources in the following priority order:

Environment variables — Any init.yaml key can be overridden by setting an environment variable with the same name
Remote RegScale API — Configuration fetched from your RegScale instance (/api/tenants/getDetailedCliConfig)
Local init.yaml file — The primary configuration file
Default template values — Built-in defaults for all settings

Environment variables always take precedence over file-based configuration.

Running `regscale init`

Flag	Description
(no flags)	Merges new settings into your existing `init.yaml` without overwriting values you've already customized
`--reset`	Replaces `init.yaml` entirely with fresh defaults (backs up the old file first)
`--skip-prompts`	Skips interactive prompts for domain and credentials; uses environment variables or parameter values instead

Core Configuration

Key	Description	Used By / Why	Value Type	Default
`domain`	RegScale instance URL	Every CLI command — this is the base URL for all API calls to your RegScale platform	URI	`https://regscale.yourcompany.com/`
`token`	RegScale API bearer token	Every CLI command — authenticates all API requests. Populated automatically after `regscale login` or via environment variable	string	(populated by CLI)
`userId`	RegScale user ID (UUID format)	All integrations — identifies who created issues, assessments, and assets. Found on your RegScale home page under user profile	string	(required)
`maxThreads`	Maximum concurrent threads for bulk processing	All `sync_*` commands — controls how many parallel API calls are made during batch operations. Higher values speed up large syncs but increase server load	integer	`1000`
`timeout`	Default HTTP request timeout in seconds	All API calls — increase this if you experience timeouts on slow networks or when syncing large datasets	integer	`60`
`sslVerify`	Verify SSL/TLS certificates for API calls	All API calls — set to `false` only in development environments with self-signed certificates. Keep `true` for production	boolean	`true`
`disableCache`	Disable response caching	All API calls — enable this when debugging stale data issues. Caching improves performance for repeated lookups during sync operations	boolean	`false`
`evidenceFolder`	Directory to store evidence files	`collect_evidence` commands (AWS, GCP, CrowdStrike) — evidence attachments are downloaded and stored here before uploading to RegScale	path	`./evidence`
`passScore`	Minimum score (0-100) for an assessment to pass	Assessment scoring — controls the threshold displayed on RegScale scorecards for passing compliance assessments	integer	`80`
`failScore`	Score threshold (0-100) for an assessment to fail	Assessment scoring — scores below this value are flagged as failures on RegScale scorecards	integer	`30`

Vulnerability & Issue Management

These settings control how the CLI handles findings from scanner integrations. They apply globally to all sync_findings, sync_vulnerabilities, and sync_compliance commands.

Key	Description	Used By / Why	Options	Default
`vulnerabilityCreation`	How to handle vulnerabilities from scans	All scanner integrations (`sync_findings`, `sync_vulnerabilities`) — controls whether the CLI creates RegScale issues from scan results. Set to `IssueCreation` if you want issues auto-created, or leave as `NoIssue` to let the server handle POAMs from the vulnerability batch endpoint	`NoIssue` — don't create issues (server handles via POAMs); `IssueCreation` — create issues from vulnerabilities; `PoamCreation` — create issues as POA&Ms	`NoIssue`
`issueCreation`	How to group findings into issues	All scanner integrations — determines issue granularity. `PerAsset` creates more issues but gives per-device tracking; `Consolidated` reduces noise by grouping the same vulnerability across assets	`Consolidated` — one issue per unique vulnerability; `PerAsset` — one issue per vulnerability/asset pair	`Consolidated`
`complianceCreation`	How to create compliance items	`sync_compliance` commands (GCP, AWS, Wiz, CrowdStrike) — controls what RegScale records are created from compliance scan results	`Assessment`, `Issue`, or `POAM`	`Assessment`
`poamTitleType`	Title format for POAMs created from scans	All integrations when creating POAMs — affects how POAMs appear in RegScale lists and reports	`Cve` — use CVE number; `PluginId` — use scanner plugin ID	`Cve`
`assessmentDays`	Number of days to add to today for planned assessment finish date	`sync_compliance` commands — sets the planned completion date when creating new assessments in RegScale	integer	`10`

Integration Credentials

Azure Active Directory

Used by: regscale ad commands (authenticate, sync_admins, sync_general, sync_readonly, list_groups)

Key	Description	Why	Value Type
`adAccessToken`	Bearer token (populated by the CLI)	Auto-populated after `regscale ad authenticate` — do not set manually	string
`adAuthUrl`	Azure AD authentication endpoint	Required for OAuth2 token exchange with Azure AD	URI (default: `https://login.microsoftonline.com/`)
`adClientId`	Application (client) ID from Active Directory	Identifies your registered Azure AD app — found in Azure Portal > App Registrations	string
`adClientSecret`	Client secret from Active Directory	Authenticates your Azure AD app — generate in Azure Portal > App Registrations > Certificates & Secrets	string
`adGraphUrl`	Microsoft Graph API scope	Defines the API permissions scope — typically leave as default unless using a custom scope	URI (default: `https://graph.microsoft.com/.default`)
`adTenantId`	Directory (tenant) ID from Active Directory	Identifies your Azure AD tenant — found in Azure Portal > Azure Active Directory > Overview	string

Microsoft Defender 365

Used by: regscale defender sync_365_alerts, sync_365_recommendations

Key	Description	Why	Value Type
`azure365AccessToken`	Bearer token (populated by the CLI)	Auto-populated after `regscale defender authenticate`	string
`azure365ClientId`	Azure AD application client ID	Identifies the app registered for Defender 365 API access	string
`azure365Secret`	Azure AD application secret	Authenticates the registered app	string
`azure365TenantId`	Azure AD tenant ID	Scopes API access to your organization's tenant	string

Microsoft Defender for Cloud

Used by: regscale defender sync_cloud_resources, sync_cloud_alerts, sync_cloud_recommendations

Key	Description	Why	Value Type
`azureCloudAccessToken`	Bearer token (populated by the CLI)	Auto-populated after authentication	string
`azureCloudClientId`	Azure AD application client ID	Identifies the app registered for Defender for Cloud API access	string
`azureCloudSecret`	Azure AD application secret	Authenticates the registered app	string
`azureCloudSubscriptionId`	Azure subscription ID	Scopes scanning to a specific Azure subscription's resources	string
`azureCloudTenantId`	Azure AD tenant ID	Scopes API access to your organization's tenant	string

Azure Entra

Used by: regscale defender collect_entra_evidence, show_entra_mappings

Key	Description	Why	Value Type
`azureEntraAccessToken`	Bearer token (populated by the CLI)	Auto-populated after authentication	string
`azureEntraClientId`	Azure AD application client ID	Identifies the app registered for Entra ID access	string
`azureEntraSecret`	Azure AD application secret	Authenticates the registered app	string
`azureEntraTenantId`	Azure AD tenant ID	Scopes access to your organization's Entra ID directory	string

AWS

Used by: regscale aws commands (sync_assets, sync_findings, sync_compliance, inventory, etc.)

Key	Description	Why	Value Type
`awsAccessKeyId`	AWS access key ID	Authenticates API calls to AWS services (Security Hub, Inspector, GuardDuty, etc.). Can also use AWS CLI profiles or IAM roles instead	string
`awsSecretAccessKey`	AWS secret access key	Paired with the access key ID for AWS API authentication	string

The CLI also supports AWS service inventory configuration under aws.inventory.enabled_services with toggles for individual services across compute, containers, database, integration, networking, security, and storage categories. This controls which AWS services are inventoried during regscale aws inventory.

CrowdStrike

Used by: regscale crowdstrike commands (sync_incidents, sync_vulnerabilities, sync_assets, sync_compliance)

Key	Description	Why	Value Type
`crowdstrikeClientId`	CrowdStrike API client ID	Required for Falcon API authentication — create in CrowdStrike Console > API Clients & Keys	string
`crowdstrikeClientSecret`	CrowdStrike API client secret	Paired with client ID for OAuth2 authentication	string
`crowdstrikeBaseUrl`	CrowdStrike API base URL	Varies by your CrowdStrike cloud region (US-1, US-2, EU-1, US-GOV-1)	URI (e.g., `https://api.crowdstrike.com`)

GCP

Used by: regscale gcp commands (sync_assets, sync_findings, sync_compliance, collect_evidence)

Key	Description	Why	Value Type
`gcpCredentials`	Path to GCP service account JSON credentials file	Authenticates with Google Cloud APIs — download from GCP Console > IAM > Service Accounts	path
`gcpOrganizationId`	GCP organization ID	Required when `gcpScanType` is `organization` — scans all projects under this org	string
`gcpProjectId`	GCP project ID	Required when `gcpScanType` is `project` — scans only this specific project	string
`gcpScanType`	Scan scope	Determines whether SCC findings are fetched at organization or project level	`organization` or `project`

Qualys

Used by: regscale qualys commands (import_scans, sync_qualys, import_total_cloud, etc.)

Key	Description	Why	Value Type
`qualysUrl`	Qualys API base URL	Your Qualys platform URL — varies by subscription (e.g., `https://qualysapi.qualys.com/api/2.0/fo/scan/`)	URI
`qualysUserName`	Qualys username	API authentication — must have API access enabled in Qualys	string
`qualysPassword`	Qualys password	Paired with username for basic authentication	string

Tenable

Used by: regscale tenable commands (io, sc, nessus, was, sync_vulns)

Key	Description	Why	Value Type	Default
`tenableAccessKey`	Tenable access key	API authentication for Tenable.io or Tenable.sc — generate in Tenable Settings > API Keys	string
`tenableSecretKey`	Tenable secret key	Paired with access key for authentication	string
`tenableUrl`	Tenable Security Center base URL	Only needed for Tenable.sc (on-prem) — Tenable.io uses a fixed URL	URI
`tenableMinimumSeverityFilter`	Minimum severity to process	Filters out low-priority findings before syncing to RegScale, reducing noise	`low`, `medium`, `high`, `critical`	`low`
`tenableGroupByPlugin`	Group findings by plugin instead of vulnerability	When `true`, creates one POA&M per plugin ID rather than per CVE — useful for findings without CVEs	boolean	`false`

Wiz

Used by: regscale wiz commands (inventory, issues, vulnerabilities, sync_compliance, etc.)

Key	Description	Why	Value Type	Default
`wizAccessToken`	Bearer token (populated by the CLI)	Auto-populated after `regscale wiz authenticate`	string
`wizAuthUrl`	Wiz OAuth token endpoint	Required for OAuth2 client credentials flow	URI	`https://auth.wiz.io/oauth/token`
`wizClientId`	Wiz OAuth client ID	Create in Wiz Settings > Service Accounts	string
`wizClientSecret`	Wiz OAuth client secret	Paired with client ID for authentication	string
`wizUrl`	Wiz GraphQL API endpoint	Your Wiz tenant's API URL — provided during service account setup	URI
`wizScope`	Wiz OAuth scope	Auto-populated based on your tenant — do not modify unless directed by Wiz support	string
`wizExcludes`	Comma-separated asset names to exclude from syncing	Filters out specific assets (by name) that should not be synced to RegScale — useful for test or dev resources	string
`wizReportAge`	Days back to fetch reports	Controls how far back to look for Wiz reports when collecting evidence	integer	`15`
`wizLastInventoryPull`	Timestamp of last inventory sync	Used internally for delta syncs — the CLI updates this automatically after each `inventory` run	string
`wizInventoryFilterBy`	GraphQL filter for inventory queries	Custom Wiz GraphQL filter to scope which assets are synced (e.g., filter by subscription, tag, or type)	string
`wizIssueFilterBy`	GraphQL filter for issue queries	Custom Wiz GraphQL filter to scope which issues are synced	string
`wizVulnerabilitiesFilterBy`	GraphQL filter for vulnerability queries	Custom Wiz GraphQL filter to scope which vulnerabilities are synced	string
`wizFullPullLimitHours`	Maximum hours between full data syncs	After this many hours since the last full pull, the CLI performs a full resync instead of a delta. Lower values increase data freshness but take longer	integer	`8`

Prisma Cloud

Used by: regscale prisma commands (sync_hosts, sync_images, sync_sbom)

Key	Description	Why	Value Type	Default
`prismaConsoleUrl`	Prisma Cloud console base URL	Your Prisma Cloud Compute console URL — found in Prisma Cloud > Compute > Manage > System	URI
`prismaUsername`	Prisma Cloud console username	API authentication — must have CI User or higher role	string
`prismaPassword`	Prisma Cloud console password	Paired with username for basic authentication	string
`prismaPageSize`	API pagination page size	Controls how many results are fetched per API call. Increase for faster syncs on large deployments; decrease if experiencing timeouts	integer	`50`
`prismaApiTimeout`	API request timeout in seconds	Increase if Prisma Cloud responses are slow due to large datasets	integer	`30`
`prismaApiRetries`	Number of API retry attempts	How many times to retry failed API calls before giving up	integer	`3`
`prismaVerifySsl`	Verify SSL certificates	Set to `false` only for on-prem Prisma Cloud Compute with self-signed certs	boolean	`true`
`prismaDeduplicateFindings`	Deduplicate findings across scans	When `true`, prevents duplicate vulnerabilities when the same finding appears across multiple scan sources	boolean	`true`
`prismaDeduplicationMode`	Deduplication strategy	How to identify duplicate findings — `by_asset` deduplicates within each asset	string	`by_asset`
`prismaEnableSoftwareInventory`	Enable software inventory syncing	When `true`, syncs installed packages and libraries as software inventory records in RegScale	boolean	`false`
`prismaDefaultFilters`	Default API filter JSON	Pre-filter Prisma API queries by collection — reduces data volume for multi-tenant deployments	string	`{"collections": []}`

Jira

Used by: regscale jira commands (issues, tasks)

Key	Description	Why	Value Type
`jiraApiToken`	Jira API token for authentication	Generate in Atlassian Account Settings > Security > API Tokens	string
`jiraUrl`	Jira instance base URL	Your Jira Cloud or Server URL (e.g., `https://yourorg.atlassian.net`)	URI
`jiraUserName`	Jira username	The email address associated with the API token	string

ServiceNow

Used by: regscale servicenow commands (issues, issues_and_attachments, sync_work_notes, sync_changes)

Key	Description	Why	Value Type
`snowUrl`	ServiceNow instance base URL	Your ServiceNow instance URL (e.g., `https://yourorg.service-now.com`)	URI
`snowUserName`	ServiceNow username	Must have read access to incident and change tables	string
`snowPassword`	ServiceNow password	Paired with username for basic authentication	string

Salesforce

Used by: regscale salesforce sync

Key	Description	Why	Value Type
`salesforceUserName`	Salesforce username	Can also use environment variable `SF_USERNAME` for containerized deployments	string
`salesforcePassword`	Salesforce password	Can also use environment variable `SF_PASSWORD`	string
`salesforceToken`	Salesforce security token	Appended to password for API authentication. Can also use environment variable `SF_TOKEN`	string

Okta

Used by: regscale okta commands (get_active_users, get_admin_users, etc.)

Key	Description	Why	Value Type
`oktaApiToken`	Okta API token (SSWS or OAuth)	Authenticates API access — generate in Okta Admin Console > Security > API > Tokens	string
`oktaClientId`	Okta OAuth2 client ID	Only needed if using OAuth2 instead of SSWS token authentication	string
`oktaUrl`	Okta organization base URL	Your Okta org URL (e.g., `https://yourorg.okta.com`)	URI

SonarCloud

Used by: regscale sonarcloud sync_alerts, import_gitlab_sast

Key	Description	Why	Value Type	Default
`sonarUrl`	SonarCloud API base URL	Change only if using SonarQube on-prem instead of SonarCloud	URI	`https://sonarcloud.io`
`sonarToken`	SonarCloud API token	Generate in SonarCloud > My Account > Security > Tokens	string

Dependabot / GitHub

Used by: regscale dependabot sync_alerts

Key	Description	Why	Value Type	Default
`dependabotId`	GitHub user ID	Identifies the user for API attribution	string
`dependabotOwner`	GitHub repository owner	The organization or user that owns the repo being scanned	string
`dependabotRepo`	GitHub repository name	The specific repo to fetch Dependabot alerts from	string
`dependabotToken`	GitHub personal access token	Must have `security_events` scope to read Dependabot alerts	string
`githubDomain`	GitHub API domain	Change only for GitHub Enterprise Server — leave as default for GitHub.com	URI	`api.github.com`

Databricks

Used by: regscale bigquery sync_assets_bq

Key	Description	Why	Value Type
`databricksHostname`	Databricks SQL endpoint hostname	Found in Databricks workspace > SQL Warehouses > Connection details	string
`databricksPath`	HTTP path for Databricks SQL cluster	The compute resource path from your SQL warehouse connection details	string
`databricksAccessToken`	Databricks personal access token	Generate in Databricks > User Settings > Developer > Access Tokens	string

Axonius

Used by: regscale axonius and regscale axonius_v2 commands

Key	Description	Why	Value Type	Default
`axoniusUrl`	Axonius API base URL	Your Axonius instance URL	URI
`axoniusAccessToken`	Axonius V1 API access token	Used by V1 integration (`regscale axonius`) — generate in Axonius Settings	string
`axoniusSecretToken`	Axonius V1 secret token	Paired with V1 access token	string
`axoniusApiKey`	Axonius V2 API key	Used by V2 integration (`regscale axonius_v2`) — uses the Axonius SDK	string
`axoniusApiSecret`	Axonius V2 API secret	Paired with V2 API key	string
`axoniusPageSize`	Page size for API pagination	Controls how many assets are fetched per API call. Increase for faster syncs; decrease if hitting memory limits	integer	`2000`
`axoniusTimeout`	API request timeout in seconds	Increase if Axonius queries time out on large datasets	integer	`120`
`axoniusVerifySsl`	Verify SSL certificates	Set to `false` only for on-prem Axonius with self-signed certs	boolean	`true`

Sicura

Used by: regscale sicura commands (sync_assets, sync_findings)

Key	Description	Why	Value Type
`sicuraUrl`	Sicura API base URL	Your Sicura instance URL	URI
`sicuraToken`	Sicura API token	API authentication token from Sicura	string

Scanner Variables

These settings fine-tune scanner behavior across all integrations. They can be set in init.yaml or overridden by the RegScale server configuration.

Key	Description	Used By / Why	Options / Type	Default
`threadMaxWorkers`	Max worker threads per integration task	All `sync_*` commands — limits parallel API calls within each integration. Lower values (1-2) reduce server load; higher values (4-8) speed up large syncs	`1`–`8`	`4`
`ingestClosedIssues`	Import closed/resolved findings	All scanner integrations — when `true`, findings with a "closed" or "resolved" status from the scanner are still synced to RegScale. Useful for audit trails	boolean	`false`
`incrementPoamIdentifier`	Auto-increment POAM IDs (V-0001, V-0002, etc.)	POA&M creation — when `true`, assigns sequential identifiers to new POAMs for compliance reporting	boolean	`false`
`closeFindingsNotInScan`	Close findings not present in the latest scan	All scanner integrations — when `true`, issues and vulnerabilities from previous scans that no longer appear are automatically marked as closed. Disable if scanners don't return complete datasets each run	boolean	`true`
`findingChunkSize`	Batch size for finding ingestion	All scanner integrations — controls how many findings are sent per batch API call. Increase for faster ingestion; decrease if hitting server payload limits	`1`–`50000`	`5000`
`maxRetries`	API retry attempts	All API calls — how many times to retry failed requests (e.g., 429 rate limits, 503 timeouts) before giving up	`0`–`10`	`3`
`useMilestones`	Enable milestone tracking for issues	Issue creation — when `true`, adds milestone records to issues for tracking remediation progress over time	boolean	`false`
`preventAutoClose`	Prevent automatic issue closure	Issue management — when `true`, issues are never auto-closed by the CLI, even when the underlying finding is resolved. Useful when manual review is required before closure	boolean	`false`
`customCaCert`	Path to custom CA certificate bundle	All API calls — required when behind a corporate proxy that uses SSL inspection with a custom CA. Set to the path of your CA bundle (`.pem` file)	path	(none)
`stigBatchSize`	Batch size for STIG processing	`regscale stig` commands — controls how many STIG checklist items are processed per batch	integer	`100`

Other Settings

Key	Description	Used By / Why	Value Type	Default
`cisaKev`	CISA Known Exploited Vulnerabilities feed URL	All integrations with `useKev: true` — the CLI downloads this feed to check if vulnerabilities are in the KEV catalog and applies accelerated due dates	URI	`https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json`
`nistCpeApiKey`	NIST CPE database API key	CPE lookups — an API key removes rate limits when querying the NIST National Vulnerability Database for CPE data	string
`oscalLocation`	Path to OSCAL catalog directory	OSCAL import/export — directory containing OSCAL JSON catalog files for control framework mapping	path	`/opt/OSCAL`
`pwshPath`	Path to PowerShell executable	STIG processing — some STIG operations use PowerShell scripts for checklist parsing	path	`/opt/microsoft/powershell/7/pwsh`

Issue Due Date Configuration

Issue due dates are configured per integration under the issues key. Each integration defines the number of days from today to set as the due date for each severity level. These due dates determine when issues appear as overdue in RegScale dashboards and compliance reports.

YAML Structure

issues:
  kevDueDate: 14           # Accelerated due date for CISA KEV vulnerabilities
  aws:
    high: 30               # High severity issues due in 30 days
    moderate: 90            # Moderate severity issues due in 90 days
    low: 365               # Low severity issues due in 365 days
    status: Open            # Initial issue status
    minimumSeverity: low    # Create issues for low severity and above
    useKev: true            # Apply KEV due dates when applicable
  tenable:
    critical: 30
    high: 30
    moderate: 90
    low: 180
    status: Open
    useKev: false
  wiz:
    critical: 30
    high: 90
    medium: 90
    low: 365
    status: Open
    minimumSeverity: low

Supported Integrations

Integration	Severity Levels	Additional Options
`aqua`	critical, high, moderate, low	`minimumSeverity`, `useKev`, `status`
`aws`	high, moderate, low	`minimumSeverity`, `useKev`, `status`
`axonius`	critical, high, moderate, low
`defender365`	high, moderate, low	`status`
`defenderCloud`	high, moderate, low	`status`
`defenderFile`	high, moderate, low	`useKev`, `status`
`ecr`	critical, high, moderate, low	`minimumSeverity`, `useKev`, `status`
`jira`	highest, high, medium, low, lowest	`status`
`nexpose`	critical, high, moderate, low	`minimumSeverity`, `useKev`, `status`
`prisma`	critical, high, moderate, low	`minimumSeverity`, `useKev`, `status`
`qualys`	high, moderate, low	`useKev`, `status`
`salesforce`	critical, high, medium, low	`status`
`snyk`	critical, high, moderate, low	`minimumSeverity`, `useKev`, `status`
`sonarcloud`	blocker, critical, major, minor	`status`
`tanium_cloud`	critical, high, moderate, low
`tenable`	critical, high, moderate, low	`useKev`, `status`
`veracode`	critical, high, moderate, low	`minimumSeverity`, `useKev`, `status`
`wiz`	critical, high, medium, low	`minimumSeverity`, `status`
`xray`	critical, high, moderate, low	`minimumSeverity`, `useKev`, `status`

Issue Options

Option	Description	Used By / Why	Values
`status`	Initial status for created issues	Sets the starting workflow state for new issues in RegScale. Most integrations default to `Open`	`Draft`, `Open`, `Pending Decommission`, `Supply Chain/Procurement Dependency`, `Vendor Dependency for Fix`, `Delayed`, `Exception/Waiver`
`minimumSeverity`	Minimum severity to create issues for	Filters out low-priority findings to reduce noise. Set to `high` or `critical` if you only want to track significant vulnerabilities	`low`, `medium`, `high`, `critical`
`useKev`	Apply CISA KEV due dates when applicable	When `true`, vulnerabilities found in the CISA KEV catalog get an accelerated due date (`kevDueDate`) instead of the standard severity-based due date	`true` / `false`
`kevDueDate`	Days until due date for KEV vulnerabilities	Set at the `issues` level (not per-integration). Applies to all integrations where `useKev` is `true`. FedRAMP requires 14 days for KEV vulnerabilities	integer (default: `14`)

Finding Field Mapping

Customize which fields are used for finding titles, descriptions, and remediation per integration. This is useful when scanner output includes multiple fields and you want to control which one appears in RegScale.

findingFromMapping:
  aqua:
    remediation: default    # Use the standard remediation field
    title: default          # Use the standard title field
    description: default    # Use the standard description field
  tenable_sc:
    remediation: default
    title: default
    description: default

Set a value to default to use the standard mapping, or specify a custom field name from the scanner's output.

Environment Variable Overrides

Any init.yaml key can be overridden by setting an environment variable with the same name:

export domain="https://my-regscale.com/"
export token="Bearer eyJhbGc..."
export maxThreads="500"
export vulnerabilityCreation="IssueCreation"

This is useful for:

Containerized deployments — inject secrets at runtime without storing them on disk
CI/CD pipelines — override settings per pipeline run (e.g., different RegScale instances for staging vs production)
AWS Secrets Manager — load credentials from secrets manager into environment variables before running the CLI