# ⚙️ Artifact-Shield: Configuration Reference
This document provides a comprehensive breakdown of every configuration key available in application.yml and the dynamic database-driven engine.
## 🛡️ Global Gateway Settings (shield.*)

| Key | Type | Default | Description |
|---|---|---|---|
| shield.enabled | Boolean | true | Global switch to enable/disable the entire redaction and proxy pipeline. |
| shield.max-input-length | Integer | 32000 | Maximum number of characters allowed in the content field of a request. |
| shield.block-critical-risk | Boolean | false | If true, any request with a riskScore of 100 will be blocked entirely. If false, it will be sanitized and forwarded. |
## 🔍 Detector Configuration (shield.detectors.*)

Artifact-Shield uses a hierarchical configuration for its detectors (e.g., shield.detectors.pii.* or shield.detectors.financial.*).

| Key | Type | Description |
|---|---|---|
| enabled | Boolean | Whether this specific detector category (e.g., pii) is active. |
| weightPerMatch | Integer | The risk weight added to the total score for each match found by this detector. |
| placeholderTemplate | String | The string used for redaction. Supports {type} as a dynamic replacement for the pattern name. |
| patterns | Map | A set of key-value pairs where the key is the Pattern Name and the value is the Regex. |
Example:

```yaml
shield:
  detectors:
    credential:
      enabled: true
      weightPerMatch: 35
      placeholderTemplate: "[REDACTED_{type}]"
      patterns:
        AWS_KEY: "AKIA[0-9A-Z]{16}"
```

## 📊 Score Thresholds (shield.score-thresholds.*)

Defines how cumulative risk points translate into severity labels.

| Key | Default | Label |
|---|---|---|
| low | 20 | LOW |
| medium | 50 | MEDIUM |
| high | 75 | HIGH |
| Max | 100 | CRITICAL |
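A worked model of the scoring and redaction semantics described in the detector section and the threshold table above, added here as an illustration and not Artifact-Shield's own code. The inline config dict, the cap of scores at 100, the NONE label for scores below `low`, and the sample EMAIL pattern are assumptions.

```python
import re

# Constructed config mirroring the keys in this reference (sample values; the
# loader and data model are assumptions, not the project's own code).
CONFIG = {
    "max-input-length": 32000,
    "block-critical-risk": True,
    "score-thresholds": {"low": 20, "medium": 50, "high": 75},
    "detectors": {
        "credential": {
            "enabled": True, "weightPerMatch": 35,
            "placeholderTemplate": "[REDACTED_{type}]",
            "patterns": {"AWS_KEY": r"AKIA[0-9A-Z]{16}"},
        },
        "pii": {
            "enabled": True, "weightPerMatch": 20,
            "placeholderTemplate": "<{type}>",
            "patterns": {"EMAIL": r"[\w.+-]+@[\w-]+\.[\w.]+"},  # assumed sample pattern
        },
    },
}

def severity(score, thresholds):
    """Map a cumulative score to the label table; below 'low' returns NONE (assumed)."""
    if score >= 100:
        return "CRITICAL"
    for key, label in (("high", "HIGH"), ("medium", "MEDIUM"), ("low", "LOW")):
        if score >= thresholds[key]:
            return label
    return "NONE"

def shield(content, cfg=CONFIG):
    """Run every enabled detector, accumulate risk, then block or sanitize."""
    if len(content) > cfg["max-input-length"]:
        return {"riskScore": None, "severity": None, "blocked": True,
                "content": None, "reason": "max-input-length exceeded"}
    score, redacted = 0, content
    for det in cfg["detectors"].values():
        if not det["enabled"]:
            continue
        for name, regex in det["patterns"].items():
            # {type} in the template is replaced by the pattern name
            placeholder = det["placeholderTemplate"].replace("{type}", name)
            redacted, n = re.subn(regex, placeholder, redacted)
            score += n * det["weightPerMatch"]
    score = min(score, 100)  # assumption: scores are capped at the CRITICAL ceiling
    label = severity(score, cfg["score-thresholds"])
    blocked = bool(cfg["block-critical-risk"]) and label == "CRITICAL"
    return {"riskScore": score, "severity": label, "blocked": blocked,
            "content": None if blocked else redacted, "reason": None}
```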
## 🔐 Enterprise Security (shield.security.*)

| Key | Default | Description |
|---|---|---|
| enabled | false | Activates OAuth2/JWT Resource Server protection for all /v1/shield/* endpoints. |
| cors-enabled | true | Enables Cross-Origin Resource Sharing for integration with the Admin Dashboard. |
| jwt-issuer-uri | null | The secure URI of your OIDC provider (e.g., Keycloak, Okta). |
| jwt-jwk-set-uri | null | The URL used by the gateway to fetch public keys for JWT verification. |
## 🗄️ Database Tables (Dynamic Config)

While application.yml handles static settings, the following tables in H2/PostgreSQL handle dynamic rules:

### 1. shield_patterns

| Column | Description |
|---|---|
| detector_name | The category (e.g., pii, financial). |
| pattern_name | The label for the match (e.g., EMAIL, SSN). |
| regex | The raw regular expression string. |
| risk_weight | Overrides the detector-level default weight. |
| enabled | Live switch for this specific rule. |

### 2. shield_downstream_configs

| Column | Description |
|---|---|
| alias | A unique name used in the forwardTo API field. |
| api_url | The destination LLM endpoint (e.g., https://api.openai.com/v1/...). |
| auth_token | The credential passed to the LLM (Bearer/API Key). |
| keystore_path | (Optional) Local path to a .p12 client certificate for mTLS. |
| truststore_path | (Optional) Local path to a .p12 server certificate for trust verification. |
## 📈 Observability & Logging (shield.logging.*)

| Key | Default | Description |
|---|---|---|
| splunk.enabled | false | Enables real-time HEC logging to Splunk Enterprise. |
| splunk.url | null | Your Splunk HEC collector endpoint. |
| splunk.token | null | The secret token generated by your Splunk admin. |
For more help, contact your security engineer or visit the [Artifact-Shield internal wiki].