Configuration

John Williams edited this page Mar 16, 2026 · 1 revision

Last Mile 360 is configured via a .last-mile.yml file in the project root. All options are optional — the scanner runs with sensible defaults if no config file exists.

Full Reference

# .last-mile.yml — Last Mile 360 Configuration

# ─── Agent Selection ─────────────────────────────────────────────
# Choose which agents to run. Default: all
agents:
  - security
  - database
  - infrastructure
  - observability
  - quality

# ─── Rule Overrides ──────────────────────────────────────────────
rules:
  # Disable specific rules entirely
  disable:
    - sast/console-log-production    # We use console.log intentionally
    - obs/console-only               # Same reason

  # Override severity for specific rules
  severity:
    sast/insecure-http-url: low      # We have HTTP URLs for local dev
    infra/no-dockerfile: info        # We deploy to Cloudflare, no Docker needed

# ─── File Ignoring ───────────────────────────────────────────────
ignore:
  # Glob patterns for files/directories to skip
  paths:
    - "node_modules/**"              # Always ignored by default
    - "dist/**"                      # Build output
    - "coverage/**"                  # Test coverage reports
    - ".next/**"                     # Next.js build cache
    - "vendor/**"                    # Vendored dependencies
    - "**/*.min.js"                  # Minified files
    - "**/*.bundle.js"              # Bundled files
    - "migrations/*.sql"             # Generated migration files
    - "docs/**"                      # Documentation

# ─── Secret Scanning ─────────────────────────────────────────────
secrets:
  # Allow specific patterns (useful for private repos with test keys).
  # Keep these globs narrow: a pattern such as "sk_*" would also suppress
  # live keys, so match the test-mode prefix exactly.
  allow:
    - "sk_test_*"                    # Stripe test-mode secret keys (not live credentials)
    - "pk_test_*"                    # Stripe publishable test keys
    - "EXAMPLE_*"                    # Example values in docs

  # Additional secret patterns to detect
  custom_patterns:
    - name: "Internal API Token"
      pattern: "int_[a-zA-Z0-9]{32}"
      severity: high

# ─── Scoring ─────────────────────────────────────────────────────
scoring:
  # Override category weights (must sum to 100)
  weights:
    security: 35
    database: 20
    infrastructure: 20
    observability: 12.5
    quality: 12.5

  # Minimum score to pass (used with --fail-under flag)
  fail_under: 70

# ─── Output ──────────────────────────────────────────────────────
output:
  # Where to write the report
  report_path: ".last-mile/report.md"
  
  # Include source code snippets in findings
  include_snippets: true
  
  # Maximum findings to display per rule (0 = unlimited)
  max_findings_per_rule: 10

# ─── AI / Inference ──────────────────────────────────────────────
inference:
  # Disable AI-powered analysis (SAST rules only)
  disable_ai: false
  
  # Model preference
  model: "claude-sonnet"             # Options: claude-sonnet, workers-ai, gpt-4
  
  # Cost limit per scan (USD)
  cost_limit: 0.50

Common Configurations

Minimal Security-Only Scan

agents:
  - security
ignore:
  paths:
    - "**/*.test.*"
    - "**/*.spec.*"

CI Pipeline (Strict)

scoring:
  fail_under: 80
output:
  report_path: ".last-mile/report.md"
  include_snippets: false
inference:
  disable_ai: true

Supabase Project

agents:
  - security
  - database
rules:
  severity:
    db/no-rls: critical

Cloudflare Workers Project

rules:
  disable:
    - infra/no-dockerfile
    - infra/no-health-endpoint
  severity:
    infra/no-node-version: info

Private Repo with Test Keys

secrets:
  allow:
    - "sk_test_*"
    - "pk_test_*"
    - "whsec_test_*"
    - "DUMMY_*"
    - "FAKE_*"
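
The following is an added example, not Last Mile 360's own code: it shows how the secrets section combines detection patterns with an allowlist, and audits the allowlist for entries broad enough to hide live credentials. Assumptions not stated on this page: allow entries are shell-style globs matched against the whole detected token, custom_patterns are regular expressions, and the two built-in Stripe detectors in the block are stand-ins for whatever the scanner actually ships. Every key in the sample lines is constructed and not a real credential.

```python
"""Added example (not Last Mile 360's own code): secrets allowlist semantics.
Assumptions: allow entries are globs matched against the detected token,
custom_patterns are regexes, BUILTIN_PATTERNS stand in for the scanner's
own detectors, and all sample tokens are constructed placeholders."""

import fnmatch
import re

# Stand-ins for the scanner's built-in detectors (assumption).
BUILTIN_PATTERNS = [
    {"name": "Stripe secret key", "severity": "critical",
     "pattern": r"\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b"},
    {"name": "Stripe publishable key", "severity": "medium",
     "pattern": r"\bpk_(?:live|test)_[A-Za-z0-9]{24,}\b"},
]

# secrets: section from "Private Repo with Test Keys" plus the Full
# Reference's custom Internal API Token pattern, as parsed from YAML.
SECRETS_CONFIG = {
    "allow": ["sk_test_*", "pk_test_*", "whsec_test_*", "DUMMY_*", "FAKE_*"],
    "custom_patterns": [
        {"name": "Internal API Token", "pattern": "int_[a-zA-Z0-9]{32}", "severity": "high"},
    ],
}

# A tempting but dangerous shortcut: one glob for "all Stripe keys".
TOO_BROAD_CONFIG = {"allow": ["sk_*", "pk_*"],
                    "custom_patterns": SECRETS_CONFIG["custom_patterns"]}

# Constructed source lines; the tokens are placeholders, not real keys.
SAMPLE_SOURCE = [
    "const stripe = new Stripe('sk_test_AAAAAAAAAAAAAAAAAAAAAAAA');",
    "const live   = new Stripe('sk_live_BBBBBBBBBBBBBBBBBBBBBBBB');",
    "const pub    = 'pk_test_CCCCCCCCCCCCCCCCCCCCCCCC';",
    "const token  = 'int_0123456789abcdef0123456789abcdef';",
]

# Live-looking canaries used to audit the allowlist itself (constructed).
LIVE_CANARIES = ["sk_live_" + "x" * 24, "pk_live_" + "x" * 24]


def scan_secrets(lines, secrets_config):
    """Return (line_no, pattern_name, severity, token) for every non-allowlisted hit."""
    patterns = BUILTIN_PATTERNS + secrets_config.get("custom_patterns", [])
    allow = secrets_config.get("allow", [])
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for p in patterns:
            for match in re.finditer(p["pattern"], line):
                token = match.group(0)
                # The allowlist is applied to the token, not the whole line.
                if any(fnmatch.fnmatchcase(token, glob) for glob in allow):
                    continue
                findings.append((lineno, p["name"], p["severity"], token))
    return findings


def overly_broad_allows(allow):
    """Allow globs that would also suppress a live-looking key; each deserves review."""
    return [glob for glob in allow
            if any(fnmatch.fnmatchcase(canary, glob) for canary in LIVE_CANARIES)]


if __name__ == "__main__":
    for finding in scan_secrets(SAMPLE_SOURCE, SECRETS_CONFIG):
        print(finding)
    print("broad allow entries:", overly_broad_allows(TOO_BROAD_CONFIG["allow"]))
```

With the page's allowlist the test-mode keys are suppressed while the live key and the internal token are still reported; with TOO_BROAD_CONFIG the live key disappears from the findings entirely, which is exactly what overly_broad_allows is there to catch before the config is merged.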

Disabling Rules

Rules can be disabled in three ways:

1. Via .last-mile.yml

rules:
  disable:
    - sast/console-log-production

2. Via Inline Comments

// last-mile-disable-next-line sast/console-log-production
console.log('This is intentional debug output');

3. Via Environment Variable

LAST_MILE_DISABLE_RULES=sast/console-log-production,obs/console-only last-mile scan .
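
The following is an added example, not Last Mile 360's own code: a minimal rule runner that honours all three disable mechanisms above. The two toy rule checks, the merge order (config file, then LAST_MILE_DISABLE_RULES, then inline directives) and the exact directive grammar are this example's assumptions; the page only shows each mechanism's syntax. The source lines are constructed.

```python
"""Added example (not Last Mile 360's own code): honouring the three ways to
disable a rule. The rule checks, merge order and directive grammar are
assumptions; the sample source lines are constructed."""

import os
import re

# Assumed grammar: "// last-mile-disable-next-line rule-a,rule-b" (no spaces in the list).
DIRECTIVE = re.compile(r"//\s*last-mile-disable-next-line\s+(\S+)")

# Toy stand-ins for two of the page's rule ids (the real checks are richer).
RULES = {
    "sast/console-log-production": lambda line: "console.log(" in line,
    "sast/insecure-http-url": lambda line: "http://" in line,
}

# Constructed sample source.
SAMPLE_SOURCE = [
    "// last-mile-disable-next-line sast/console-log-production",
    "console.log('This is intentional debug output');",
    "console.log('forgot to remove this one');",
    "fetch('http://localhost:3000/health');",
]


def rules_disabled_by_env(environ=None):
    """Rule ids from LAST_MILE_DISABLE_RULES (comma-separated)."""
    env = os.environ if environ is None else environ
    raw = env.get("LAST_MILE_DISABLE_RULES", "")
    return {r.strip() for r in raw.split(",") if r.strip()}


def rules_disabled_globally(config, environ=None):
    """Union of rules.disable from .last-mile.yml and the environment variable."""
    return set(config.get("rules", {}).get("disable", [])) | rules_disabled_by_env(environ)


def inline_suppressions(lines):
    """Map line number -> rule ids suppressed by a directive on the line before it."""
    suppressed = {}
    for lineno, line in enumerate(lines, start=1):
        match = DIRECTIVE.search(line)
        if match:
            suppressed[lineno + 1] = set(match.group(1).split(","))
    return suppressed


def run_rules(lines, config, environ=None):
    """Return (line_no, rule_id) for every finding that no mechanism disabled."""
    off = rules_disabled_globally(config, environ)
    inline = inline_suppressions(lines)
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule_id, check in RULES.items():
            if rule_id in off or rule_id in inline.get(lineno, ()):
                continue
            if check(line):
                findings.append((lineno, rule_id))
    return findings


if __name__ == "__main__":
    print(run_rules(SAMPLE_SOURCE, {}, environ={}))
```

Note that the inline directive only covers the line directly beneath it: the second console.log call is still reported unless the rule is switched off globally. Because inline suppressions live in the code base rather than in the config, grepping for last-mile-disable-next-line during code review is the cheapest way to see what has been silenced.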

Ignoring Files

Default Ignores

These paths are always ignored (cannot be overridden):

  • node_modules/
  • .git/
  • package-lock.json
  • yarn.lock
  • pnpm-lock.yaml

Custom Ignores

ignore:
  paths:
    - "generated/**"
    - "**/*.generated.ts"
    - "legacy/**"

.last-mileignore File

Alternatively, create a .last-mileignore file (same syntax as .gitignore):

# .last-mileignore
dist/
build/
*.min.js
*.map
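
The following is an added example, not Last Mile 360's own code: it resolves which files a scan should skip by combining the always-on default ignores, the ignore.paths globs from .last-mile.yml and a .last-mileignore file. The glob dialect is an assumption: ignore.paths entries are treated as root-anchored globs in which ** spans directories, and .last-mileignore lines follow the common .gitignore rules for a trailing "/" and for patterns without a slash matching at any depth. Negation with "!" is not implemented. The file list is constructed.

```python
"""Added example (not Last Mile 360's own code): merging default ignores,
ignore.paths globs and a .last-mileignore file. Glob semantics are
assumptions (see the lead-in); the file list is constructed."""

import re

# Always ignored according to the page; appended unconditionally below.
DEFAULT_IGNORES = ["node_modules/", ".git/", "package-lock.json", "yarn.lock", "pnpm-lock.yaml"]


def glob_to_regex(pattern):
    """Translate a glob into a regex fragment: ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def compile_ignore(pattern, gitignore_style):
    """Compile one pattern into a regex over repo-relative POSIX paths.
    gitignore_style: trailing '/' means a directory (and everything in it),
    and a pattern without a slash matches at any depth."""
    pattern = pattern.strip()
    dir_only = pattern.endswith("/")
    if dir_only:
        pattern = pattern[:-1]
    anchored = not gitignore_style or "/" in pattern
    prefix = "^" if anchored else "^(?:.*/)?"
    suffix = "(?:/.*)?$" if dir_only else "$"
    return re.compile(prefix + glob_to_regex(pattern) + suffix)


def build_ignore_matcher(config, lastmileignore_text=""):
    """Return is_ignored(path) covering all three ignore sources."""
    rules = [compile_ignore(p, True) for p in DEFAULT_IGNORES]          # cannot be removed
    rules += [compile_ignore(p, False) for p in config.get("ignore", {}).get("paths", [])]
    for line in lastmileignore_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(compile_ignore(line, True))
    return lambda path: any(r.search(path) for r in rules)


def files_to_scan(paths, config, lastmileignore_text=""):
    """Paths that survive every ignore rule, in their original order."""
    ignored = build_ignore_matcher(config, lastmileignore_text)
    return [p for p in paths if not ignored(p)]


# Constructed repository listing and the page's own ignore fragments.
SAMPLE_FILES = [
    "src/app.ts", "src/utils.generated.ts",
    "node_modules/left-pad/index.js", "packages/api/node_modules/lodash/lodash.js",
    "dist/bundle.js", "public/vendor.min.js", "public/vendor.min.js.map",
    "migrations/0001_init.sql", "migrations/README.md",
    "package-lock.json", "legacy/old.js",
]
CONFIG = {"ignore": {"paths": ["migrations/*.sql", "**/*.generated.ts", "legacy/**"]}}
LASTMILEIGNORE = "# .last-mileignore\ndist/\nbuild/\n*.min.js\n*.map\n"

if __name__ == "__main__":
    print(files_to_scan(SAMPLE_FILES, CONFIG, LASTMILEIGNORE))
```

Only src/app.ts and migrations/README.md remain: the nested node_modules tree and the lockfile go because of the defaults, the generated file, SQL migrations and legacy tree because of ignore.paths, and the build output, minified bundle and source map because of .last-mileignore.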

Overriding Severity

Any rule's severity can be raised or lowered:

rules:
  severity:
    # Raise: treat console.log as medium instead of low
    sast/console-log-production: medium
    
    # Lower: treat missing Dockerfile as info (not applicable)
    infra/no-dockerfile: info
    
    # Raise: treat missing RLS as critical for Supabase projects
    db/no-rls: critical

Valid severity values: critical, high, medium, low, info


Selecting Agents

Run only specific agents for faster, focused scans:

agents:
  - security      # Only security analysis
  - database      # Only database rules

Or via CLI flag:

last-mile scan . --agents security,database

When agents are excluded, their categories still appear in the report with score N/A, and their weight is redistributed proportionally among the agents that ran.
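
The following is an added example, not Last Mile 360's own code: it validates the scoring-related parts of a parsed .last-mile.yml (the "must sum to 100" constraint on weights, the fail_under range and the valid severity values) and reproduces the behaviour described above, where an excluded agent's category scores N/A and its weight is redistributed proportionally among the agents that ran. The dict literals are what PyYAML would produce for this page's own configuration examples; the per-category scores are constructed, and rescaling the remaining weights to sum to 100 is this example's reading of "proportionally".

```python
"""Added example (not Last Mile 360's own code): config validation and
weight redistribution for excluded agents. Dict literals mirror the page's
YAML examples; SAMPLE_SCORES are constructed; rescaling the active weights
to 100 is an assumption about how "proportionally" is implemented."""

import math

# Defaults from the Full Reference (they sum to 100).
DEFAULT_WEIGHTS = {"security": 35, "database": 20, "infrastructure": 20,
                   "observability": 12.5, "quality": 12.5}
ALL_AGENTS = tuple(DEFAULT_WEIGHTS)
VALID_SEVERITIES = ("critical", "high", "medium", "low", "info")

# Configs as parsed from the page's examples (assumed PyYAML output).
FULL_REFERENCE = {
    "agents": list(ALL_AGENTS),
    "scoring": {"weights": dict(DEFAULT_WEIGHTS), "fail_under": 70},
    "rules": {"severity": {"sast/insecure-http-url": "low", "infra/no-dockerfile": "info"}},
}
SUPABASE = {"agents": ["security", "database"],
            "rules": {"severity": {"db/no-rls": "critical"}}}
STRICT_CI = {"scoring": {"fail_under": 80}}
BROKEN = {"scoring": {"weights": {**DEFAULT_WEIGHTS, "security": 50}},   # sums to 115
          "rules": {"severity": {"db/no-rls": "blocker"}}}              # not a valid level

# Constructed per-category scores for one hypothetical scan.
SAMPLE_SCORES = {"security": 90, "database": 60, "infrastructure": 75,
                 "observability": 40, "quality": 80}


def _weights(config):
    """Configured weights layered over the defaults, so partial overrides are visible."""
    return {**DEFAULT_WEIGHTS, **config.get("scoring", {}).get("weights", {})}


def validate_config(config):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    for agent in config.get("agents", ALL_AGENTS):
        if agent not in ALL_AGENTS:
            problems.append(f"unknown agent: {agent}")
    weights = _weights(config)
    for cat in weights:
        if cat not in ALL_AGENTS:
            problems.append(f"weight for unknown category: {cat}")
    total = sum(weights.values())
    if not math.isclose(total, 100):
        problems.append(f"weights sum to {total}, must sum to 100")
    fail_under = config.get("scoring", {}).get("fail_under", 70)
    if not 0 <= fail_under <= 100:
        problems.append(f"fail_under out of range: {fail_under}")
    for rule, sev in config.get("rules", {}).get("severity", {}).items():
        if sev not in VALID_SEVERITIES:
            problems.append(f"invalid severity {sev!r} for {rule}")
    return problems


def effective_weights(config):
    """Weights of the agents that run, rescaled to sum to 100.
    Excluded agents map to None, which the report renders as N/A."""
    agents = config.get("agents", list(ALL_AGENTS))
    weights = _weights(config)
    active_total = sum(weights[a] for a in agents)
    return {cat: (weights[cat] * 100 / active_total if cat in agents else None)
            for cat in ALL_AGENTS}


def overall_score(config, category_scores):
    """Weighted average over the agents that ran, and whether it clears fail_under."""
    score = sum(category_scores[cat] * w / 100
                for cat, w in effective_weights(config).items() if w is not None)
    fail_under = config.get("scoring", {}).get("fail_under", 70)
    return round(score, 2), score >= fail_under


if __name__ == "__main__":
    print(validate_config(BROKEN))
    print(effective_weights(SUPABASE))
    print(overall_score(SUPABASE, SAMPLE_SCORES))
```

With the Supabase config only security and database run, so their 35 and 20 become roughly 63.6 and 36.4 of the total and the other three categories report N/A. The same sample scores yield 73.5 under the full default weighting, which passes the default fail_under of 70 but fails the strict CI threshold of 80.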
