Syntax
vectra-guard init [OPTIONS]
vg init [OPTIONS]
Description
Generate a default configuration file with recommended security settings. Creates either a global config (~/.config/vectra-guard/config.yaml) or a local repo config (.vectra-guard/config.yaml).
Options
- --force: Overwrite existing configuration file if one exists
- --toml: Generate config in TOML format instead of YAML
- --local: Create config in local .vectra-guard/ directory (repo-specific)
- --global: Create config in ~/.config/vectra-guard/ (user-wide). This is the default when neither --local nor --global is specified.
Exit Codes
- 0: Configuration created successfully
- 1: Error (e.g., file exists without --force)
Examples
Initialize global config (default)
vg init
# Creates: ~/.config/vectra-guard/config.yaml
# Config initialized at ~/.config/vectra-guard/config.yaml
Initialize local repo config
vg init --local
# Creates: .vectra-guard/config.yaml
# Also creates: .vectra-guard/cache/
# Config initialized at .vectra-guard/config.yaml
Generate TOML config
vg init --toml
# Creates: ~/.config/vectra-guard/config.toml
Force overwrite existing config
vg init --force
# Overwrites existing config with defaults
Local TOML config
vg init --local --toml
# Creates: .vectra-guard/config.toml
Generated Configuration
The default config includes:
YAML (config.yaml):

logging:
  format: json
policies:
  allowlist:
    - echo "safe"
    - touch /tmp/ok
  denylist:
    - rm -rf /
    - sudo
    - mkfs
    - dd if=
sandbox:
  cache_dir: ~/.vectra-guard/cache
  workspace_dir: /current/directory
cve:
  enabled: false
  cache_dir: ~/.vectra-guard/cve
  update_interval_hours: 24
  sources:
    - osv
env_protection:
  enabled: true
  masking_mode: full # Options: full, partial, hash, fake
  block_env_access: true # Block printenv, env commands
  block_dotenv_read: true # Block reading .env files
  allow_read_vars:
    - PATH
    - HOME
    - USER

TOML (config.toml):

[logging]
format = "json"

[policies]
allowlist = ["echo \"safe\"", "touch /tmp/ok"]
denylist = ["rm -rf /", "sudo ", "mkfs", "dd if="]

[sandbox]
cache_dir = "~/.vectra-guard/cache"
workspace_dir = "/current/directory"

[cve]
enabled = false
cache_dir = "~/.vectra-guard/cve"
update_interval_hours = 24
sources = ["osv"]

[env_protection]
enabled = true
masking_mode = "full" # Options: full, partial, hash, fake
block_env_access = true # Block printenv, env commands
block_dotenv_read = true # Block reading .env files
allow_read_vars = ["PATH", "HOME", "USER"]
Customization After Init
After initialization, edit the config to:
- Enable CVE scanning:
- Adjust guard level:
  guard_level:
    level: high # off, low, medium, high, paranoid
- Configure sandbox mode:
  sandbox:
    mode: auto # always, auto, never
    enable_cache: true
- Add custom policies:
  policies:
    allowlist:
      - npm install
      - git status
    denylist:
      - curl.*\|.*sh
- Enable soft delete:
  soft_delete:
    enabled: true
    retention_days: 7
Config Discovery Order
Vectra Guard searches for config in this order:
1. --config flag (if provided)
2. .vectra-guard/config.yaml (local repo)
3. ./vectra-guard.yaml (current directory)
4. ~/.config/vectra-guard/config.yaml (global)
5. Built-in defaults
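
To see which file wins in a given working directory, the following added example (not part of Vectra Guard) walks the discovery order above and also reports lower-priority files that exist but are never reached, such as a global config shadowed by a repo-local one. It assumes the first match wins with no merging and checks only the YAML paths listed above; `vg_effective_config` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not Vectra Guard's own code.
# Assumption: the first config found in the documented order is used as-is
# (no merging), and only the YAML paths listed on this page are searched.
#
# Usage: vg_effective_config [path-passed-to---config]
# Output: first line is "<source>:<path>" for the winning config;
#         each following line is "shadowed:<path>" for a file that exists
#         but sits lower in the discovery order.
vg_effective_config() {
    winner=""
    shadowed=""

    # 1. An explicit --config path takes priority over everything else.
    if [ -n "${1:-}" ]; then
        winner="flag:$1"
    fi

    # 2-4. Local repo, current directory, then global, in documented order.
    for entry in \
        "local:.vectra-guard/config.yaml" \
        "cwd:./vectra-guard.yaml" \
        "global:$HOME/.config/vectra-guard/config.yaml"
    do
        path="${entry#*:}"
        [ -f "$path" ] || continue
        if [ -z "$winner" ]; then
            winner="$entry"
        else
            shadowed="${shadowed}shadowed:${path}
"
        fi
    done

    # 5. Nothing found: built-in defaults apply.
    printf '%s\n' "${winner:-builtin:defaults}"
    printf '%s' "$shadowed"
}

vg_effective_config "$@"
```

Running it from a freshly cloned repository shows whether a checked-in .vectra-guard/config.yaml is taking priority over the policies in your global config.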
- Configuration guide: See /configuration docs
- exec - Execute with configured settings
- validate - Validate scripts using configured policies