
Configuration reference

Go services read the Param struct from YAML and/or the environment (see the Self-hosted overview). The Next.js app uses process environment variables at build time and at runtime. Environment variable names mirror the YAML keys: the same name in UPPER_SNAKE_CASE.

Go services: loading

  • SECUREBUILD_CONFIG_SOURCE — Path to a .yaml / .yml file, or the literal value env for environment-only loading. When unset it defaults to the core team's hosted config path, so set it explicitly for self-hosted deployments.
  • When using a YAML file, any set environment variable with a matching name overrides that key.
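The following Go program is an added illustration of the loading rules above, not the project's own pkg/param code: a hypothetical Param subset with yaml struct tags, a minimal flat-YAML reader standing in for the real decoder, and a Load function that honours SECUREBUILD_CONFIG_SOURCE by reading the file first and letting any set environment variable with the mirrored UPPER_SNAKE_CASE name override it. Param, EnvName, parseFlatYAML and Load are assumed names.

```go
package main

import (
	"reflect"
	"strings"
)

// Param is a hypothetical subset of the project's Param struct; each yaml tag is the YAML key.
type Param struct {
	DBURI               string `yaml:"db_uri"`
	RegistryImagePrefix string `yaml:"registry_image_prefix"`
	PipelineDir         string `yaml:"pipeline_dir"`
	AdminUserPassword   string `yaml:"admin_user_password"`
}

// EnvName mirrors a YAML key as its environment variable name (db_uri -> DB_URI).
func EnvName(yamlKey string) string { return strings.ToUpper(yamlKey) }
// parseFlatYAML reads top-level `key: value` scalars only (a stand-in, not a YAML decoder).
func parseFlatYAML(text string) map[string]string {
	vals := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), ":")
		if ok && !strings.HasPrefix(k, "#") { // blank and comment lines are skipped
			vals[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
		}
	}
	return vals
}

// Load applies the documented precedence: "env" means environment only; otherwise YAML first, then any set env var overrides it.
func Load(source string, readFile func(string) ([]byte, error), lookupEnv func(string) (string, bool)) (Param, error) {
	p, yamlVals := Param{}, map[string]string{}
	if source != "env" {
		data, err := readFile(source) // unset or unreadable: fail closed, no hosted default
		if err != nil {
			return p, err
		}
		yamlVals = parseFlatYAML(string(data))
	}
	rv := reflect.ValueOf(&p).Elem()
	for i := 0; i < rv.NumField(); i++ {
		key := rv.Type().Field(i).Tag.Get("yaml")
		if v, ok := lookupEnv(EnvName(key)); ok { // a set env var wins over the YAML value
			rv.Field(i).SetString(v)
		} else if v, ok := yamlVals[key]; ok {
			rv.Field(i).SetString(v)
		}
	}
	return p, nil
}
```

In a service you would call Load(os.Getenv("SECUREBUILD_CONFIG_SOURCE"), os.ReadFile, os.LookupEnv); with the source unset this returns an error instead of silently loading a hosted config path.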

Go services: Param fields

All keys below are defined on Param in pkg/param/param.go.

Database & APK

| YAML key | Environment | Description |
|---|---|---|
| db_uri | DB_URI | PostgreSQL connection URI. |
| apk_repository | APK_REPOSITORY | HTTPS base URL for the public APK origin (no trailing slash). |
| apk_public_key_name | APK_PUBLIC_KEY_NAME | Filename segment for GET /key/<name> on the APK proxy. |
| apk_public_key_data | APK_PUBLIC_KEY_DATA | Base64-encoded public key PEM (full file including headers). |
| apk_signing_key_data | APK_SIGNING_KEY_DATA | Base64-encoded private key PEM for signing APKINDEX (full file including headers). |

Registry

| YAML key | Environment | Description |
|---|---|---|
| registry_image_prefix | REGISTRY_IMAGE_PREFIX | Image reference prefix (host or host/path; no scheme or tag). |
| oci_image_prefix | OCI_IMAGE_PREFIX | Optional alternate prefix for proxy/local flows; when empty, registry_image_prefix is used everywhere. |
| registry_username | REGISTRY_USERNAME | Registry login name. |
| registry_password | REGISTRY_PASSWORD | Registry password or token. |

LLM providers

| YAML key | Environment | Description |
|---|---|---|
| anthropic_api_key | ANTHROPIC_API_KEY | Anthropic API key. |
| openai_api_key | OPENAI_API_KEY | OpenAI API key. |

Pool

| YAML key | Environment | Description |
|---|---|---|
| pool_size | POOL_SIZE | VM pool sizing (see codebase for semantics). |

Cosign & keyless

| YAML key | Environment | Description |
|---|---|---|
| cosign_key | COSIGN_KEY | Cosign signing key material. |
| cosign_pub | COSIGN_PUB | Cosign public key. |
| cosign_password | COSIGN_PASSWORD | Password for the encrypted cosign key. |
| oidc_gcp_project_id | OIDC_GCP_PROJECT_ID | GCP project for OIDC keyless signing. |
| oidc_gcp_attestor_account | OIDC_GCP_ATTESTOR_ACCOUNT | GCP attestor account. |
| oidc_gcp_attestor_key_json | OIDC_GCP_ATTESTOR_KEY_JSON | GCP service account JSON for the attestor. |

Object storage (r2_* / S3-compatible)

| YAML key | Environment | Description |
|---|---|---|
| r2_bucket_name | R2_BUCKET_NAME | Primary bucket. |
| r2_access_key | R2_ACCESS_KEY | Access key ID. |
| r2_secret_key | R2_SECRET_KEY | Secret access key. |
| r2_endpoint | R2_ENDPOINT | S3 API endpoint URL. |
| r2_region | R2_REGION | SigV4 signing region. Set to your AWS bucket region (e.g. us-east-1) when using Amazon S3. Omit for Cloudflare R2 (defaults to auto). |
| r2_use_dynamic_folder | R2_USE_DYNAMIC_FOLDER | Dynamic folder layout flag. |
| r2_use_path_style | R2_USE_PATH_STYLE | Use path-style addressing (e.g. MinIO). |

Cloudflare

| YAML key | Environment | Description |
|---|---|---|
| cloudflare_account_id | CLOUDFLARE_ACCOUNT_ID | Account ID. |
| cloudflare_queue_name | CLOUDFLARE_QUEUE_NAME | Queue name. |
| cloudflare_api_key | CLOUDFLARE_API_KEY | API token or key. |
| cloudflare_zone_id | CLOUDFLARE_ZONE_ID | DNS zone ID. |
| cloudflare_cache_purge_token | CLOUDFLARE_CACHE_PURGE_TOKEN | Cache purge token. |

Integrations and secrets

| YAML key | Environment | Description |
|---|---|---|
| updater_github_api_token | UPDATER_GITHUB_API_TOKEN | GitHub token for the updater. |
| release_monitor_api_token | RELEASE_MONITOR_API_TOKEN | Release Monitor API token. |
| external_registry_encryption_secret | EXTERNAL_REGISTRY_ENCRYPTION_SECRET | Secret for encrypting external registry data in the app. |
| oci_proxy_jwt_secret | OCI_PROXY_JWT_SECRET | JWT signing secret for OCI proxy tokens. |
| oci_proxy_skip_tls_verify | OCI_PROXY_SKIP_TLS_VERIFY | Skip TLS verification for the OCI proxy upstream (dev only). |

Remote VM API (optional)

| YAML key | Environment | Description |
|---|---|---|
| replicated_api_origin | REPLICATED_API_ORIGIN | Base URL for the remote VM provisioning HTTP API (omit if using local/static backends only). |
| replicated_api_token | REPLICATED_API_TOKEN | Bearer token for that API (not for registry login). |
| instance_type_x86 | INSTANCE_TYPE_X86 | Instance type name for x86 VMs (API-specific). |
| instance_type_arm64 | INSTANCE_TYPE_ARM64 | Instance type name for arm64 VMs. |

Spec sync & pipelines

| YAML key | Environment | Description |
|---|---|---|
| specsync_enabled | SPECSYNC_ENABLED | Enable spec sync. |
| specsync_github_token | SPECSYNC_GITHUB_TOKEN | GitHub token for spec sync. |
| specsync_github_branch | SPECSYNC_GITHUB_BRANCH | Branch for spec sync. |
| pipeline_dir | PIPELINE_DIR | Pipeline workspace root on the worker. Docker Compose dev stack: use /var/run/securebuild/pipelines (bind-mounted from dev-pipelines/ at the repo root). Worker running on the host: use an absolute host path to the same directory. |

Logging, DB tooling, pprof

| YAML key | Environment | Description |
|---|---|---|
| log_level | LOG_LEVEL | Log level string. |
| grype_database_root | GRYPE_DATABASE_ROOT | Grype DB path. |
| vunnel_image | VUNNEL_IMAGE | Container image ref for vunnel. |
| pprof_enabled | PPROF_ENABLED | Enable the Go pprof HTTP server. |
| remove_commit_sha_pins | REMOVE_COMMIT_SHA_PINS | Melange YAML: strip commit SHA pins. |

Build backends & auth

| YAML key | Environment | Description |
|---|---|---|
| build_backend | BUILD_BACKEND | Where builds run: local worker, static SSH hosts, or remote VM API (see pkg/buildbackend). |
| max_parallel_builds | MAX_PARALLEL_BUILDS | Concurrent builds per machine (default 1). |
| static_vms | STATIC_VMS | YAML list of {host, user, port, ssh_key_path \| ssh_key} for the static backend. |
| auth_method | AUTH_METHOD | Authentication method, kept in sync with the app's AUTH_METHOD: password \| github. |
| admin_user_email | ADMIN_USER_EMAIL | Bootstrap admin email when using password auth without SMTP (see worker behavior). |
| admin_user_password | ADMIN_USER_PASSWORD | Bootstrap admin password (stored in plaintext in the config; protect the file accordingly). |

Next.js app: environment variables

The app reads configuration at runtime from process.env. NEXT_PUBLIC_* variables are inlined at build time and are visible in the browser bundle, so they must not contain secrets.

Values used via getParam (lib/data/param.ts)

Set PIPELINE_DIR on the app (for example via Doppler or your orchestrator's environment) to the same filesystem path the worker uses, and use a shared volume or mount so both processes see the same pipeline files. Omitting it on the app produces a runtime error when server code reads pipelines.

| Variable | Description |
|---|---|
| DB_URI or SECUREBUILD_PG_URI | PostgreSQL URI for server-side data access. |
| REPLICATED_API_ORIGIN | Same meaning as the Go Param when the app needs API context. |
| REPLICATED_API_TOKEN | Same as the Go Param. |
| REGISTRY_IMAGE_PREFIX | Registry prefix for server-side image URLs. |
| OCI_IMAGE_PREFIX | Optional alternate prefix (default empty). |
| PIPELINE_DIR | Required on the app and worker. Same path and shared storage on both (Compose dev: /var/run/securebuild/pipelines; host: absolute path to the repo's dev-pipelines/). |
| AUTH_METHOD | password \| github. |
| ADMIN_GITHUB_ORG | GitHub org for membership checks when using GitHub auth. |
| APP_ORIGIN or NEXT_PUBLIC_APP_ORIGIN | Public origin URL for links and callbacks. |
| SMTP_HOST | SMTP server for password-auth email flows. |
| SMTP_PORT | SMTP port (default 587). |
| SMTP_USER | SMTP username. |
| SMTP_PASSWORD | SMTP password. |
| SMTP_FROM | From address for outbound mail. |

Auth & sessions

| Variable | Description |
|---|---|
| HMAC_SECRET | Secret for signing session JWT cookies (required in production). |
| GITHUB_CLIENT_SECRET | GitHub OAuth app client secret (GitHub auth). |
| NEXT_PUBLIC_GITHUB_CLIENT_ID | GitHub OAuth client ID (build-time). |
| NEXT_PUBLIC_GITHUB_REDIRECT_URI | OAuth redirect URI (build-time). |
| NEXT_PUBLIC_GITHUB_OAUTH_STATE | OAuth state parameter (build-time). |

Public build-time (NEXT_PUBLIC_*)

| Variable | Description |
|---|---|
| NEXT_PUBLIC_APK_REPOSITORY | APK repository base URL shown in the UI (must match the deployment). |
| NEXT_PUBLIC_CENTRIFUGO_ADDRESS | Realtime/WebSocket service URL, if used. |
| NEXT_PUBLIC_VERSION | Optional version string (e.g. for Datadog). |
| NEXT_PUBLIC_GODMODE_REDIRECT | Internal/debug redirect base, if enabled in the build. |

Other

| Variable | Description |
|---|---|
| EXTERNAL_REGISTRY_ENCRYPTION_SECRET | Encrypts sensitive external registry fields in the app. |
| STRIPE_SECRET_KEY | Stripe secret for billing features. |
| E2E_TEST_MODE | Enables test login paths when set. |
| DD_ENABLED, DD_SERVICE, DD_ENV, … | Datadog tracing/metrics (see datadog/tracer.ts). |
