Configuration
What's configurable in a Secbez Enterprise deployment — at a glance. Wiring details are scoped per engagement.
The exact wiring (environment variables, image references, network policies, internal CA bundles, secrets management) is scoped with you when the deployment is stood up and delivered as part of the engagement.
Per-repository and per-organization settings
Settings that affect day-to-day usage live on the dashboard and behave the same way they do in SaaS:
- Scan triggers — manual triggers and any optional automatic events configured per repository.
- Path includes / excludes — restrict the scan to specific directories or skip generated paths.
- Policy — severity / confidence thresholds for warn and fail outcomes; per-rule and per-path overrides.
- Suppressions and baseline — server-side suppression rules, inline markers, baseline lifecycle.
- Notifications and integrations — outgoing webhooks and standard notification channels.
- Members and roles — owner, admin, member, read-only, with optional per-repository overrides.
Deployment-level settings
Deployment-level settings are the operator's surface — what gets configured once when the deployment is stood up and rarely changes after that:
- License — tier, expiration, deployment binding, feature flags.
- Database and storage — for metadata, findings, baselines, audit, and graph snapshots.
- Queue — managed queue for scan-request dispatch.
- Model routing — which step uses which model (managed provider, BYO key, BYO endpoint, BYO open-source model on your GPUs). See BYO Models.
- Budgets — file, candidate, LLM-call, and time budgets per scan or per repository. Deep Scan removes them; see Deep Scan.
- GitHub integration — App credentials and (for GitHub Enterprise Server) the GHES API base URL.
- Networking — outbound allowlist, air-gapped mode, and any environment-specific constraints.
- Observability — logs, metrics, and traces, integrated with your existing stack.
The exact set is shaped to your environment — bring constraints (regulated network, internal CA, mirrored registry, custom auth, in-house compliance framework) to the engagement and we scope them together.
License model
The license is a signed bundle delivered with the deployment. It carries the tier (pilot | starter | growth | enterprise), expiration, and deployment binding. License enforcement is intentionally minimal — it signals "this is a product" rather than acting as DRM. Unlicensed mode is available for development and staging.
Where the wiring lives
A connection guide tailored to your install target ships with the deployment bundle. Reach out to your account contact for the latest bundle.