.vulqn.json Reference
Place a .vulqn.json file at the root of your repository to customize VULQN’s review behavior for that repo. The file is fetched from the PR’s head SHA on every review — config changes take effect immediately on the PR that introduces them.
All fields are optional. Missing fields fall back to system defaults.
Schema
```json
{
  "version": 1,
  "ignore": { ... },
  "focus": { ... },
  "rules": [ ... ],
  "scoring": { ... },
  "confidence": { ... },
  "trigger": { ... },
  "output": { ... }
}
```

The top-level version field is required and must be 1.
ignore
Exclude files from review. Additive on top of VULQN’s global ignore list (which already excludes node_modules, lock files, binaries, etc.).
```json
"ignore": {
  "pathPrefixes": ["scripts/", "docs/"],
  "extensions": [".generated.ts", ".pb.go"],
  "filenames": ["schema.graphql"]
}
```

| Field | Type | Description |
|---|---|---|
| pathPrefixes | string[] | Drop files whose path starts with any of these prefixes |
| extensions | string[] | Drop files whose path ends with any of these extensions |
| filenames | string[] | Drop files whose basename matches exactly |
focus
Only review files matching specific path prefixes. If set, files not matching any prefix are skipped.
```json
"focus": {
  "paths": ["src/", "packages/", "apps/"]
}
```

| Field | Type | Description |
|---|---|---|
| paths | string[] | Only review files matching one of these prefixes. Empty array [] disables focus (reviews everything). |
rules
Inject custom review instructions for files matching specific path prefixes. Multiple rules can match the same file — all matching instructions are injected.
```json
"rules": [
  {
    "paths": ["packages/core/src/ports/"],
    "instructions": "Check all new ports are exported from index.ts and have an adapter."
  },
  {
    "paths": ["backend/"],
    "instructions": "Flag any auth logic outside of the designated auth package."
  }
]
```

| Field | Type | Description |
|---|---|---|
| paths | string[] | Path prefixes this rule applies to |
| instructions | string | Instructions injected into the AI prompt for matching files |
scoring
Control how VULQN calculates the confidence score for a PR review.
```json
"scoring": {
  "criticalPenalty": 25,
  "mediumPenalty": 8,
  "praiseBonus": 5,
  "praiseCap": 15
}
```

Formula: 100 - (critical × criticalPenalty) - (medium × mediumPenalty) + min(praise × praiseBonus, praiseCap)
The result is clamped to [0, 100].
| Field | Type | Default | Description |
|---|---|---|---|
| criticalPenalty | number | 25 | Points deducted per critical finding |
| mediumPenalty | number | 8 | Points deducted per medium finding |
| praiseBonus | number | 5 | Points added per praise finding |
| praiseCap | number | 15 | Maximum total bonus from praise |
All values must be ≥ 0. Invalid values fall back to defaults.
confidence
Control when VULQN fails a PR build and which findings are included.
```json
"confidence": {
  "failOnCritical": true,
  "failBelowScore": 80,
  "minFindingConfidence": "medium"
}
```

| Field | Type | Default | Description |
|---|---|---|---|
| failOnCritical | boolean | true | A critical finding always fails the build, regardless of score |
| failBelowScore | number | 80 | Fail build if confidence score is strictly below this threshold (e.g. score = 80 with threshold 80 = pass) (clamped to 0–100) |
| minFindingConfidence | "high" \| "medium" | "medium" | Drop AI findings below this confidence level |
trigger
Control which PRs VULQN reviews.
```json
"trigger": {
  "skipDrafts": true,
  "targetBranches": ["main", "develop"],
  "skipAuthors": ["dependabot[bot]", "renovate[bot]"]
}
```

| Field | Type | Default | Description |
|---|---|---|---|
| skipDrafts | boolean | false | Skip draft/WIP PRs. GitHub uses the draft flag; Bitbucket detects WIP:, [WIP], or Draft: title prefixes. |
| targetBranches | string[] | [] (all) | Only review PRs targeting these branches. Empty array = review all branches. |
| skipAuthors | string[] | [] | Skip PRs from these authors. Useful for bot accounts. |
output
Control what VULQN posts on the PR.
```json
"output": {
  "updatePrDescription": true,
  "postSummary": true
}
```

| Field | Type | Default | Description |
|---|---|---|---|
| updatePrDescription | boolean | true | Update the PR description with a VULQN review section |
| postSummary | boolean | true | Post a summary comment on the PR |
Full example
```json
{
  "version": 1,
  "ignore": {
    "pathPrefixes": ["docs/", "scripts/"],
    "extensions": [".generated.ts"],
    "filenames": ["schema.graphql"]
  },
  "focus": {
    "paths": ["src/", "packages/"]
  },
  "rules": [
    {
      "paths": ["src/auth/"],
      "instructions": "Flag any hardcoded credentials or tokens. Check all auth flows handle token expiry."
    }
  ],
  "scoring": {
    "criticalPenalty": 30,
    "mediumPenalty": 8,
    "praiseBonus": 5,
    "praiseCap": 15
  },
  "confidence": {
    "failOnCritical": true,
    "failBelowScore": 75,
    "minFindingConfidence": "medium"
  },
  "trigger": {
    "skipDrafts": true,
    "targetBranches": ["main"],
    "skipAuthors": ["dependabot[bot]", "renovate[bot]"]
  },
  "output": {
    "updatePrDescription": true,
    "postSummary": true
  }
}
```
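Because the file is read from the PR's head SHA, a PR that edits .vulqn.json is reviewed under its own edits, so a pre-merge check can compare the base-branch copy with the head copy and list every setting that loosens the review. The sketch below is an added example, not VULQN's own code: `field`, `added`, `relaxations` and the sample configs are hypothetical names and constructed data, and it compares raw values without modelling the fallback of invalid values or the clamping of failBelowScore.

```python
# Defaults copied from the scoring and confidence tables on this page.
DEFAULTS = {
    "scoring": {"criticalPenalty": 25, "mediumPenalty": 8, "praiseBonus": 5, "praiseCap": 15},
    "confidence": {"failOnCritical": True, "failBelowScore": 80, "minFindingConfidence": "medium"},
}

def field(cfg, section, key):
    """Read section.key, falling back to the documented default when missing."""
    return cfg.get(section, {}).get(key, DEFAULTS[section][key])

def added(base, head, section, key):
    """List entries present in head's section.key but not in base's."""
    old = set(base.get(section, {}).get(key, []))
    return sorted(set(head.get(section, {}).get(key, [])) - old)

def relaxations(base, head):
    """Return reasons why `head` would review less strictly than `base`."""
    out = []
    for key in ("pathPrefixes", "extensions", "filenames"):
        out += [f"ignore.{key} adds {v!r}" for v in added(base, head, "ignore", key)]
    out += [f"trigger.skipAuthors adds {v!r}" for v in added(base, head, "trigger", "skipAuthors")]
    # [] reviews everything, so flag a non-empty focus list that replaced [] or lost a prefix.
    b_focus = set(base.get("focus", {}).get("paths", []))
    h_focus = set(head.get("focus", {}).get("paths", []))
    if h_focus and (not b_focus or b_focus - h_focus):
        out.append("focus.paths may narrow the reviewed set")
    for key in ("criticalPenalty", "mediumPenalty"):
        if field(head, "scoring", key) < field(base, "scoring", key):
            out.append(f"scoring.{key} lowered")
    for key in ("praiseBonus", "praiseCap"):
        if field(head, "scoring", key) > field(base, "scoring", key):
            out.append(f"scoring.{key} raised")
    if field(base, "confidence", "failOnCritical") and not field(head, "confidence", "failOnCritical"):
        out.append("confidence.failOnCritical disabled")
    if field(head, "confidence", "failBelowScore") < field(base, "confidence", "failBelowScore"):
        out.append("confidence.failBelowScore lowered")
    levels = (field(base, "confidence", "minFindingConfidence"), field(head, "confidence", "minFindingConfidence"))
    if levels == ("medium", "high"):
        out.append("confidence.minFindingConfidence raised to high")
    return out

# Constructed sample input: base-branch config vs. the config at a PR's head SHA.
BASE = {"version": 1, "ignore": {"pathPrefixes": ["docs/"]}}
HEAD = {"version": 1, "ignore": {"pathPrefixes": ["docs/", "src/auth/"]},
        "confidence": {"failOnCritical": False, "failBelowScore": 40}}

if __name__ == "__main__":
    for reason in relaxations(BASE, HEAD):
        print("RELAXED:", reason)
```

A non-empty result is a signal to route the PR to a human reviewer; the focus.paths check is deliberately conservative and can flag a harmless rewrite of the prefix list.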