You can use Spectral without any configuration needed. You may want to configure Spectral in the following cases:

  • Special treatment of source root: in a given repo or folder, include specific folders, exclude others
  • Scan-time ignores: ignore classes of files or detectors, or pieces of text at scan time (you can also perform ignores in your Spectral account)
  • Detector inclusion or exclusion: for cases where you want to disable existing detectors, or enable experimental ones
  • Output formats: you can switch output formats to JSON, JUnit, and others, which can help shape your pipeline automation
  • Custom detectors: Spectral can load custom detectors that you build, and you can specify where it is in the configuration

We assume you have a copy of Spectral, if not -- check out the getting started section. Then use spectral init to generate a base configuration.

$ spectral init
Initialized your spectral configuration in '.spectral/'.

You should now have a starter configuration layout in a special .spectral folder like so:

$ tree .spectral
├── ignores.yaml
├── rules
│   ├── merchants.speql.yaml
│   └── sample.yaml
└── spectral.yaml
1 directory, 4 files

You should check this folder into source control.


This is the main Spectral configuration file. It configures Spectral for:

  • Input sources -- what paths to scan
  • Ignores -- what to ignore and at what stage to apply ignores
  • Reporter outputs -- what reporter module to activate
  • Detectors -- what detectors to include and/or exclude
  • Metadata -- what kind of extra functionality to activate such as masking, debug run and so on
# you can omit the reporter section entirely (you'll get a stylish reporter by default)
stylish: {} # nice looking CLI reports
# stylish: { html: "output.html" } # produce HTML reports
# stylish: { csv: "output.csv" } # produce CSV reports
# log: # use a logger
# json: true # enable JSON logging
# file: out.json # put output in a file
# junit: {} # Great for integrating with CI systems that understand JUnit XML (all of them, probably)
# ignores: {} # A reporter output that streams results as ignores
# Ignoring Matches
# you can specify ignores for matches that you know exist
# and acknowledge them, but you don't care about them for now.
# These are regex: rule_id, rule_name, match_text, path.
# To get a fingerprint, run `spectral fingerprint --text YOUR-SECRET`
# match_ignores:
# ignores:
# - match_text: MYSQL_ROOT_PASSWORD
# - rule_id: <rule id>
# rule_name: <rule name>
# match_text: <rule id>
# path: <path>
# match_fingerprint: 79cdb7f2e0e4a96520304ff641f45f230be4f362a4a16c704730115a85fa545f
name: sample
- local: .
name: sources
# you can add a few more.
# everything is relative to working directory (where you run spectral from)
# - local: nteract/node_modules
# name: nteract
- rules # folder(s) relative to this file
# cherry-pick rules for these roots
# include:
# tags:
# - node
# ids: []
# exclude:
# tags:
# - node
# ids: []
# add as many more projects as you like:
# all_pythons:
# ...


This is where you specify what findings to ignore, things you know are a risk or things you believe are not a risk and you don't want to see in the Spectral findings report.

# ignores known and problematic files, per rule.
# "problematic" files can be test files, mock data files and so on.
- .*create-react-context/.*