The CLI reads its settings from three sources in order of decreasing precedence: command-line flags override environment variables, which override the config file, which overrides built-in defaults.
CLI flags  >  environment variables  >  config file  >  defaults

Config file

The default config file lives at ~/.infraudit/config.yaml. You can override the path on any command with --config /path/to/config.yaml. The file is created automatically by infraudit config init or infraudit auth login with 0600 permissions so the stored token is not world-readable.

File structure

server_url: http://localhost:8080
output: table
auth:
  token: <jwt-token>
  refresh_token: <refresh-token>
  email: user@example.com

Key                 Type    Description
server_url          string  InfraAudit API base URL
output              string  Default output format: table, json, or yaml
auth.token          string  JWT access token returned at login
auth.refresh_token  string  Refresh token used to obtain new access tokens
auth.email          string  Email address the session belongs to

The CLI refreshes auth.token automatically when it expires, as long as auth.refresh_token is still valid.

Managing config values

Use the config subcommands to read and write individual values without editing the file by hand:
# First-time setup (prompts for server URL and output format)
infraudit config init

# Set a value
infraudit config set server_url https://api.infraudit.dev
infraudit config set output json

# Read a single value
infraudit config get server_url

# List all values
infraudit config list

Environment variables

Two environment variables override the config file without modifying it:

Variable              Overrides   Default
INFRAUDIT_SERVER_URL  server_url  http://localhost:8080
INFRAUDIT_OUTPUT      output      table

These are useful for one-off commands or CI/CD pipelines where you don’t want to touch the config file:
INFRAUDIT_SERVER_URL=https://staging.infraudit.dev infraudit status

Multiple environments

If you work against more than one InfraAudit instance — for example, a local development server, a staging environment, and production — keep a separate config file per environment and point --config at the correct one:
# Create a config for staging
infraudit --config ~/.infraudit/staging.yaml config init

# Run a command against staging
infraudit --config ~/.infraudit/staging.yaml drift list
A lighter-weight alternative is to set INFRAUDIT_SERVER_URL per shell session before running commands.

Security notes

Do not check ~/.infraudit/config.yaml into source control. The auth.token value is a Bearer credential equivalent to a password.
  • The config file is created with 0600 permissions. Do not change this.
  • In CI/CD pipelines, authenticate using infraudit auth login --email "$CI_EMAIL" --password "$CI_PASSWORD" sourced from secrets rather than copying the config file into the build environment. See CI/CD usage for a complete example.
  • Each team member should maintain their own config file with their own credentials.
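
A check for the two risks named in these notes, as an added example that is not part of the InfraAudit CLI or its documentation: it flags a config file whose mode is not 600 or that is tracked by git. The function names and the MISSING/PERMS/TRACKED output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of infraudit): check InfraAudit CLI config files for
# loose permissions and for being tracked by git. Function names and the
# MISSING/PERMS/TRACKED labels are this example's own.
# Usage: sh check_infraudit_config.sh ~/.infraudit/*.yaml

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if the file is tracked by a git repository.
is_git_tracked() {
    command -v git >/dev/null 2>&1 || return 1
    git -C "$(dirname "$1")" ls-files --error-unmatch -- "$(basename "$1")" \
        >/dev/null 2>&1
}

# Check one config file and print one line per finding.
# Returns 0 if clean, 1 on any finding, 2 if the file does not exist.
check_config() {
    cfg=$1
    findings=0
    if [ ! -f "$cfg" ]; then
        echo "MISSING $cfg"
        return 2
    fi
    mode=$(file_mode "$cfg")
    if [ "$mode" != "600" ]; then
        echo "PERMS $cfg mode=$mode expected=600 (fix: chmod 600)"
        findings=1
    fi
    if is_git_tracked "$cfg"; then
        echo "TRACKED $cfg is tracked by git; remove it from the repository"
        findings=1
    fi
    return "$findings"
}

# Check every path given on the command line; exit non-zero on any finding.
if [ "$#" -gt 0 ]; then
    rc=0
    for path in "$@"; do
        check_config "$path" || rc=1
    done
    exit "$rc"
fi
```

Run it over every per-environment file you keep, for example as a pre-commit hook or a CI step, so a copied or re-permissioned config is caught before the token leaks.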