Safe Chain reads the following environment variables. They are useful for setting persistent defaults across terminal sessions or for configuring Safe Chain in CI/CD pipelines.
CLI flags take precedence over environment variables, which in turn take precedence over the config file. See priority order.

SAFE_CHAIN_LOGGING
string
Controls the verbosity of Safe Chain’s output.
Values: silent, normal, verbose
Default: normal
  • silent — suppresses all Safe Chain output except malware-blocked notifications
  • normal — standard informational output
  • verbose — detailed diagnostic output, useful for troubleshooting
export SAFE_CHAIN_LOGGING=verbose
SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS
integer
Sets the minimum age (in hours) a package must have before Safe Chain allows its installation.
Values: Integer ≥ 0
Default: 48
export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS=24
SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS
string
A comma-separated list of package names or scopes to exclude from the minimum package age check. Supports @scope/* wildcards to trust all packages from an organization.
Exclusions from this variable are merged with any exclusions defined in the config file.
export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS="@aikidosec/*,my-internal-pkg"
The legacy variable name SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS is also accepted for backwards compatibility.
SAFE_CHAIN_NPM_CUSTOM_REGISTRIES
string
A comma-separated list of npm registry hostnames that Safe Chain should scan in addition to the default npm registry.
Registries from this variable are merged with any registries defined in the config file.
export SAFE_CHAIN_NPM_CUSTOM_REGISTRIES="npm.company.com,registry.internal.net"
SAFE_CHAIN_PIP_CUSTOM_REGISTRIES
string
A comma-separated list of PyPI registry hostnames that Safe Chain should scan in addition to the default PyPI registry.
Registries from this variable are merged with any registries defined in the config file.
export SAFE_CHAIN_PIP_CUSTOM_REGISTRIES="pip.company.com,registry.internal.net"
AIKIDO_SCAN_TIMEOUT_MS
integer
Maximum time in milliseconds Safe Chain will wait for the pre-install malware scan to complete. If the scan does not finish within this window, Safe Chain throws an error and the installation is aborted.
Default: 10000 (10 seconds)
Takes precedence over the scanTimeout value in the config file.
export AIKIDO_SCAN_TIMEOUT_MS=30000

Usage examples

Set all variables for a CI/CD environment:
export SAFE_CHAIN_LOGGING=verbose
export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS=24
export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS="@aikidosec/*,my-internal-pkg"
export SAFE_CHAIN_NPM_CUSTOM_REGISTRIES="npm.company.com"
export SAFE_CHAIN_PIP_CUSTOM_REGISTRIES="pip.company.com"
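
A preflight check that a CI job could run after the exports above and before the install step. This is an added example, not part of Safe Chain or its documentation; the function names are hypothetical. It assumes an empty variable counts as unset and that a registry entry containing a slash is not a hostname.

```shell
#!/bin/sh
# Added example, not part of Safe Chain: preflight check of the variables above.
# Function names are hypothetical. ERROR = outside the documented values,
# WARN = valid, but it relaxes a check and deserves review.

is_uint() {  # succeeds when $1 is a non-negative integer
  case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

check_list() {  # $1 = variable name, $2 = comma-separated value, $3 = kind
  old_ifs=$IFS; IFS=,; set -f   # set -f: do not glob-expand "@scope/*"
  for item in $2; do
    case "$3:$item" in
      host:*/*) echo "ERROR $1: '$item' is a URL or path, not a hostname"; rc=1 ;;
      excl:@*/\*) echo "WARN $1: '$item' skips the age check for a whole scope" ;;
    esac
  done
  set +f; IFS=$old_ifs
}

safe_chain_env_check() {  # prints findings; returns 1 if any ERROR was found
  rc=0
  case "${SAFE_CHAIN_LOGGING:-normal}" in
    silent|normal|verbose) ;;
    *) echo "ERROR SAFE_CHAIN_LOGGING: use silent, normal or verbose"; rc=1 ;;
  esac
  age=${SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS:-48}
  if ! is_uint "$age"; then
    echo "ERROR SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: need an integer >= 0"; rc=1
  elif [ "$age" -eq 0 ]; then
    echo "WARN SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 0 imposes no minimum age"
  fi
  is_uint "${AIKIDO_SCAN_TIMEOUT_MS:-10000}" ||
    { echo "ERROR AIKIDO_SCAN_TIMEOUT_MS: need an integer (milliseconds)"; rc=1; }
  check_list SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS \
    "${SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS:-}" excl
  check_list SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS \
    "${SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS:-}" excl
  check_list SAFE_CHAIN_NPM_CUSTOM_REGISTRIES "${SAFE_CHAIN_NPM_CUSTOM_REGISTRIES:-}" host
  check_list SAFE_CHAIN_PIP_CUSTOM_REGISTRIES "${SAFE_CHAIN_PIP_CUSTOM_REGISTRIES:-}" host
  return "$rc"
}

# Demo on constructed values, in a subshell so the real environment is untouched.
( SAFE_CHAIN_LOGGING=debug SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS=0 \
  SAFE_CHAIN_NPM_CUSTOM_REGISTRIES="npm.company.com,https://registry.internal.net" \
  safe_chain_env_check ) || echo "preflight failed"
```

The check reads only the environment, so a value supplied through a CLI flag or the config file is not covered by it.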

Priority order

When the same setting is configured in multiple places, Safe Chain applies this precedence:
  1. CLI flags (highest priority) — e.g. --safe-chain-logging=verbose
  2. Environment variables — e.g. SAFE_CHAIN_LOGGING=verbose
  3. Config file (~/.safe-chain/config.json) — lowest priority
