InfraAudit is configured entirely through environment variables. For Docker Compose deployments, set them in your .env file. For Kubernetes, set them in a Secret or ConfigMap and reference them in the deployment manifests.
Required variables
The backend will not start without all five of these variables set:
| Variable | Description |
|---|---|
| SUPABASE_URL | Your Supabase project URL, e.g. https://xxxxx.supabase.co |
| SUPABASE_JWT_SECRET | JWT secret from Project Settings → API → JWT Settings |
| SUPABASE_ANON_KEY | anon/public key from Project Settings → API |
| SUPABASE_SERVICE_ROLE_KEY | service_role key from Project Settings → API |
| ENCRYPTION_KEY | 32 random bytes, hex-encoded (64 hex characters), used to encrypt stored cloud credentials. Generate with openssl rand -hex 32 |
Never use the default placeholder value for ENCRYPTION_KEY. Generate a unique key before deploying. See Secrets and encryption for details.
Server
| Variable | Default | Description |
|---|---|---|
| SERVER_PORT | 8080 | Port the HTTP API listens on |
| ENVIRONMENT | development | development or production. Production disables the Swagger UI and enables stricter error handling |
| FRONTEND_URL | http://localhost:5173 | URL of the frontend, used for CORS headers and auth redirects |
| ALLOWED_ORIGINS | * | Comma-separated list of allowed CORS origins. Set to your frontend URL in production |
Set ENVIRONMENT=production before exposing your deployment to the internet. It disables the /swagger UI and /debug endpoints.
Database
| Variable | Default | Description |
|---|---|---|
| DB_DRIVER | postgres | postgres or sqlite. SQLite is supported for development and single-user deployments only |
| DB_HOST | localhost | Postgres hostname. In Docker Compose this is the service name (postgres) |
| DB_PORT | 5432 | Postgres port |
| DB_NAME | infraudit | Database name |
| DB_USER | infraudit | Database user |
| DB_PASSWORD | — | Database password (required for Postgres) |
| DB_SSLMODE | disable | Postgres SSL mode: disable, require, or verify-full. Use require for any remote database |
| DB_MAX_OPEN_CONNS | 25 | Maximum number of open database connections |
| DB_MAX_IDLE_CONNS | 5 | Maximum number of idle database connections |
| SQLITE_PATH | ./infraudit.db | Path to the SQLite file when DB_DRIVER=sqlite |
Redis
| Variable | Default | Description |
|---|---|---|
| REDIS_URL | redis://localhost:6379 | Redis connection URL. In Docker Compose this is redis://redis:6379 |
| REDIS_PASSWORD | — | Redis password, if your Redis instance requires authentication |
| REDIS_DB | 0 | Redis database index |
Redis is optional. If the API cannot connect to Redis at startup, it disables caching and continues running. All features remain available; some responses may be slower.
Job scheduler
These variables control when background jobs run. Values are standard cron expressions.
| Variable | Default | Description |
|---|---|---|
| JOB_RESOURCE_SYNC_SCHEDULE | 0 */6 * * * | How often to sync the resource inventory from connected providers (every 6 hours) |
| JOB_DRIFT_DETECTION_SCHEDULE | 0 */4 * * * | How often to run drift detection against baselines (every 4 hours) |
| JOB_VULNERABILITY_SCAN_SCHEDULE | 0 2 * * * | When to run vulnerability scans (daily at 02:00) |
| JOB_COST_SYNC_SCHEDULE | 0 3 * * * | When to sync billing data from providers (daily at 03:00) |
| JOB_COMPLIANCE_CHECK_SCHEDULE | 0 4 * * * | When to run compliance assessments (daily at 04:00) |
| JOB_TIMEOUT_SECONDS | 300 | Maximum runtime for a single job execution before it is cancelled |
Notifications
Slack
| Variable | Default | Description |
|---|---|---|
| SLACK_WEBHOOK_URL | — | Slack incoming webhook URL for alert delivery |
| SLACK_CHANNEL | #alerts | Default Slack channel for alerts |
Email (SMTP)
| Variable | Default | Description |
|---|---|---|
| EMAIL_ENABLED | false | Enable email notifications |
| SMTP_HOST | — | SMTP server hostname |
| SMTP_PORT | 587 | SMTP port |
| SMTP_USER | — | SMTP username |
| SMTP_PASSWORD | — | SMTP password |
| SMTP_FROM | — | From address for outgoing emails |
| SMTP_TLS | true | Enable STARTTLS |
| SENDGRID_API_KEY | — | SendGrid API key. When set, InfraAudit uses SendGrid instead of direct SMTP |
AI recommendations
| Variable | Default | Description |
|---|---|---|
| GEMINI_API_KEY | — | Google Gemini API key. When not set, InfraAudit falls back to rule-based recommendations |
| GEMINI_MODEL | gemini-2.5-pro | Gemini model to use for recommendations |
Vulnerability scanning
| Variable | Default | Description |
|---|---|---|
| VULN_SEVERITY_THRESHOLD | medium | Minimum severity to store: critical, high, medium, or low |
| TRIVY_CACHE_DIR | /tmp/trivy-cache | Local directory for the Trivy vulnerability database |
| TRIVY_DB_REPOSITORY | — | Custom Trivy database OCI image URL, for air-gapped environments |
| NVD_API_KEY | — | NVD API key for faster CVE enrichment |
Logging
| Variable | Default | Description |
|---|---|---|
| LOG_LEVEL | info | Log verbosity: debug, info, warn, or error |
| LOG_FORMAT | text | Log format: text for human-readable output or json for structured log ingestion |
Metrics
| Variable | Default | Description |
|---|---|---|
| METRICS_ENABLED | true | Enable the /metrics Prometheus endpoint |
| METRICS_AUTH_TOKEN | — | Bearer token required to access /metrics. Set this if the endpoint is internet-accessible |
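The hardening advice spread across the Required, Server, Database and Metrics tables above can be checked mechanically before a deployment is exposed. The script below is an added example, not part of InfraAudit: it reads a .env file and reports missing required variables, a non-hex ENCRYPTION_KEY, a plaintext connection to a remote database, a wildcard ALLOWED_ORIGINS, a non-production ENVIRONMENT and an unprotected /metrics endpoint. Treating localhost and the Compose service name postgres as "local" is an assumption, and the two sample files it writes contain constructed placeholder values, not real credentials.

```shell
#!/bin/sh
# Added example (not InfraAudit code): preflight checks on an InfraAudit .env file.
# Assumption: DB_HOST values localhost and postgres (the Compose service) count as local.

# Value of KEY ($2) in FILE ($1); the last definition wins, as with most .env loaders.
env_get() { grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-; }

# Print one line per problem found in the .env file $1. Always exits 0.
list_problems() {
  f=$1
  for v in SUPABASE_URL SUPABASE_JWT_SECRET SUPABASE_ANON_KEY SUPABASE_SERVICE_ROLE_KEY ENCRYPTION_KEY; do
    [ -n "$(env_get "$f" "$v")" ] || echo "required variable $v is not set"
  done
  key=$(env_get "$f" ENCRYPTION_KEY)
  # `openssl rand -hex 32` yields exactly 64 hex characters; anything else is a placeholder or a typo.
  if [ -n "$key" ] && ! printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo "ENCRYPTION_KEY is not 32 random bytes in hex (64 hex characters)"
  fi
  host=$(env_get "$f" DB_HOST); mode=$(env_get "$f" DB_SSLMODE)
  if [ "${host:-localhost}" != localhost ] && [ "$host" != postgres ] && [ "${mode:-disable}" = disable ]; then
    echo "DB_SSLMODE=disable with remote DB_HOST=$host; use require or verify-full"
  fi
  if [ "$(env_get "$f" ENVIRONMENT)" != production ]; then
    echo "ENVIRONMENT is not production, so /swagger and /debug stay enabled"
  fi
  case "$(env_get "$f" ALLOWED_ORIGINS)" in
    ""|"*") echo "ALLOWED_ORIGINS is a wildcard; set it to the frontend URL" ;;
  esac
  if [ "$(env_get "$f" METRICS_ENABLED)" != false ] && [ -z "$(env_get "$f" METRICS_AUTH_TOKEN)" ]; then
    echo "/metrics is enabled without METRICS_AUTH_TOKEN"
  fi
}

# Exit 0 when the file passes; otherwise print the problems and exit 1.
check_env_file() {
  out=$(list_problems "$1")
  [ -z "$out" ] && return 0
  echo "$out"; return 1
}

# Constructed sample files with placeholder values (not real keys or secrets).
SAMPLE_DIR=$(mktemp -d); WEAK_ENV=$SAMPLE_DIR/weak.env; HARDENED_ENV=$SAMPLE_DIR/hardened.env
printf '%s\n' SUPABASE_URL=https://xxxxx.supabase.co SUPABASE_JWT_SECRET=example-jwt-secret \
  SUPABASE_ANON_KEY=example-anon-key ENCRYPTION_KEY=change-me ENVIRONMENT=production \
  'ALLOWED_ORIGINS=*' DB_HOST=db.example.internal > "$WEAK_ENV"
printf '%s\n' SUPABASE_URL=https://xxxxx.supabase.co SUPABASE_JWT_SECRET=example-jwt-secret \
  SUPABASE_ANON_KEY=example-anon-key SUPABASE_SERVICE_ROLE_KEY=example-service-role-key \
  ENCRYPTION_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
  ENVIRONMENT=production ALLOWED_ORIGINS=https://audit.example.com DB_HOST=db.example.internal \
  DB_SSLMODE=verify-full METRICS_AUTH_TOKEN=example-metrics-token > "$HARDENED_ENV"
```

Run check_env_file against your own .env (for example as a pre-step before docker compose up); the weak sample above reports five problems and the hardened one passes cleanly. The hex check only catches malformed keys, so a 64-character value copied from documentation would still pass it.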
Remediation
| Variable | Default | Description |
|---|---|---|
| REMEDIATION_REQUIRE_APPROVAL | true | Require explicit operator approval before executing any remediation action. Disable only in fully automated pipelines |
| REMEDIATION_ROLLBACK_WINDOW_MINUTES | 30 | How long the rollback window remains open after a remediation is executed |