Environment Variables
Complete reference for APHIDS environment variables. Environment variables are the preferred configuration method — they replace the need for config.yaml entirely.
Core Variables
These are the primary variables for configuring APHIDS. When set, no config.yaml is needed.
| Variable | Purpose | Default | Replaces in config.yaml |
|---|---|---|---|
| `APHIDS_API_KEY` | Hive API authentication key | — | `authorization.apiKey` |
| `APHIDS_API_URL` | Hive REST API base URL | `https://api.hive.darksidesecurity.io/` | `baseUrl` |
| `APHIDS_WS_URL` | WebSocket URL for agents and notifications | Auto-derived from `APHIDS_API_URL` | `baseWsUrl` |
| `APHIDS_CONTAINER_RUNTIME` | Container runtime (`docker`, `podman`, `nerdctl`) | Auto-detect | — |
| `APHIDS_TOOL_TIMEOUT` | Default per-tool timeout in seconds | `1800` (30 min) | — |
| `APHIDS_DEBUG` | Enable debug logging (`true`/`false`) | `false` | `debug` |
| `APHIDS_SCAN_GROUP` | Scan group name (used in MCP mode) | Auto-generated | — |
Minimal Setup

```bash
# This is all you need for online mode — no config.yaml required
export APHIDS_API_KEY="your-key-here"
aphids-cli -o options.yaml
```
Container Variables
These are set inside the APHIDS container and control output behavior:

| Variable | Purpose | Default |
|---|---|---|
| `OUTPUT` | Output directory inside container | `/output/` |
| `APPNAME` | Output file prefix | `aphids` |
| `AWS_DEFAULT_REGION` | AWS region for Bedrock/services | `us-east-1` |
Docker Environment Variable Passthrough
When running the container directly, pass variables with `-e` flags:

```bash
# Minimal — just API key
# (paths are quoted so a working directory containing spaces still mounts correctly)
docker run --rm \
  -e APHIDS_API_KEY="your-key" \
  -v "$(pwd)/options.yaml:/output/options.yaml:ro" \
  -v "$(pwd)/output:/output" \
  ghcr.io/darksidesecurity/aphids:latest \
  -o options.yaml

# Full configuration via env vars
docker run --rm \
  -e APHIDS_API_KEY="your-key" \
  -e APHIDS_API_URL="https://api.hive.darksidesecurity.io/" \
  -e APHIDS_WS_URL="wss://ws.continuity.hive.darksidesecurity.io/" \
  -e APHIDS_DEBUG="true" \
  -e APHIDS_TOOL_TIMEOUT="3600" \
  -v "$(pwd)/options.yaml:/output/options.yaml:ro" \
  -v "$(pwd)/output:/output" \
  ghcr.io/darksidesecurity/aphids:latest \
  -o options.yaml
```
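
As an added example (not code from the APHIDS project), the shell functions below validate the variables from the Core Variables table before a run and build name-only `-e` flags, so `docker run` copies each value from the calling environment instead of receiving the key as a command-line argument. The function names and the requirement that URLs use `https://` and `wss://` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the APHIDS_* variables documented on this page.
# Function names and the https/wss requirement are assumptions, not aphids-cli behaviour.

aphids_env_check() {
  local errors=0
  fail() { echo "aphids-env: $1" >&2; errors=$((errors + 1)); }

  # The API key is the only core variable without a default.
  [ -n "${APHIDS_API_KEY:-}" ] || fail "APHIDS_API_KEY is not set"

  # Assumption: the key should only be sent to TLS endpoints.
  case "${APHIDS_API_URL:-https://}" in https://*) ;; *) fail "APHIDS_API_URL is not https://" ;; esac
  case "${APHIDS_WS_URL:-wss://}" in wss://*) ;; *) fail "APHIDS_WS_URL is not wss://" ;; esac

  # Timeout is in seconds; unset means the documented default of 1800.
  case "${APHIDS_TOOL_TIMEOUT:-1800}" in
    *[!0-9]*|0*) fail "APHIDS_TOOL_TIMEOUT must be a positive integer" ;;
  esac

  case "${APHIDS_DEBUG:-false}" in true|false) ;; *) fail "APHIDS_DEBUG must be true or false" ;; esac
  case "${APHIDS_CONTAINER_RUNTIME:-docker}" in
    docker|podman|nerdctl) ;;
    *) fail "APHIDS_CONTAINER_RUNTIME must be docker, podman or nerdctl" ;;
  esac

  [ "$errors" -eq 0 ]
}

# Print "-e NAME" for every passthrough variable that is set. With only the
# name given, docker takes the value from the exported environment, so the
# key does not appear in the docker command line or in shell history.
aphids_docker_env_args() {
  local name
  for name in APHIDS_API_KEY APHIDS_API_URL APHIDS_WS_URL APHIDS_DEBUG APHIDS_TOOL_TIMEOUT; do
    eval "[ -n \"\${$name:-}\" ]" && printf '%s %s ' -e "$name"
  done
  return 0
}

# Usage (not executed here; variables must be exported for docker to inherit them):
#   aphids_env_check && docker run --rm $(aphids_docker_env_args) \
#     -v "$(pwd)/options.yaml:/output/options.yaml:ro" -v "$(pwd)/output:/output" \
#     ghcr.io/darksidesecurity/aphids:latest -o options.yaml
```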
Volume Mount Reference

| Host Path | Container Path | Mode | Purpose |
|---|---|---|---|
| `options.yaml` | `/output/options.yaml` | `:ro` | Scan definitions |
| `./output/` | `/output/` | read-write | Results, checkpoints, tool output |
| `./src/` | `/workspace/` | `:ro` | Source code for SAST/SCA tools |
Always mount /output/
Without this mount, scan results are lost when the container exits.
MCP Client Configuration
When configuring MCP clients, pass environment variables in the client config:

```json
{
  "mcpServers": {
    "aphids": {
      "command": "aphids-cli",
      "args": ["--mcp"],
      "env": {
        "APHIDS_API_KEY": "your-key-here",
        "APHIDS_TOOL_TIMEOUT": "3600"
      }
    }
  }
}
```
CI/CD Platform Secrets
Never hardcode API keys. Use your platform's secret management:
| Platform | Secret Setup | Usage |
|---|---|---|
| GitHub Actions | Settings → Secrets → Actions | -e APHIDS_API_KEY=${{ secrets.APHIDS_API_KEY }} |
| GitLab CI | Settings → CI/CD → Variables (masked) | variables: APHIDS_API_KEY: $APHIDS_API_KEY |
| Jenkins | Credentials → Add → Secret text | credentials('aphids-api-key') |
| Azure Pipelines | Pipelines → Library → Variable groups | -e APHIDS_API_KEY=$(APHIDS_API_KEY) |
| AWS | Secrets Manager / Parameter Store | SDK or CLI retrieval |
| GCP | Secret Manager | gcloud secrets versions access |
See CI/CD Integration for complete pipeline examples.