Server configuration reference
Every setting the dpndncY server reads, with defaults. Configure via environment variables (12-factor) or the on-prem .env file. Sensible defaults mean a single-container install needs almost none of these.
Core
| Variable | Default | Purpose |
|---|---|---|
| APP_URL / NEXT_PUBLIC_APP_ORIGIN | http://localhost:3000 | Public console origin. |
| PORT / WEB_PORT | 3001 / 3000 | API and web ports. |
| APP_SECRET | — | Session/crypto secret. Required in production. |
| DPNDNCY_DATA_DIR | /data | Database (SQLite), scan artifacts, key archive, attestation history. |
| TZ | UTC | Server timezone. |
Database
| Variable | Purpose |
|---|---|
| DATABASE_URL | Set to a postgres://… URL to use PostgreSQL 16. Unset = embedded SQLite (default). |
| POSTGRES_DB / POSTGRES_USER / POSTGRES_PASSWORD | Used by the bundled Postgres in the on-prem compose / Helm chart. |
One dialect, two backends
The app writes one SQL dialect; an adapter translates to SQLite or Postgres. Migrations run automatically on boot for both, so switching backends is just a matter of setting DATABASE_URL.
Signing
| Variable | Purpose |
|---|---|
| DPNDNCY_SIGNING_KEY_AUTOGEN | Generate a signing key on first boot (dev only). |
| DPNDNCY_SIGNING_KEY_PATH | Path to a BYOK private key (production). |
SSO
| Variable | Purpose |
|---|---|
| OIDC_ISSUER_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_SCOPES | OIDC single sign-on. |
| SAML_IDP_SSO_URL, SAML_IDP_CERT, SAML_SP_ENTITY_ID | SAML 2.0 single sign-on. |
Operations
| Variable | Purpose |
|---|---|
| SUPERADMIN_EMAIL / SUPERADMIN_PASSWORD / SUPERADMIN_NAME | First admin, seeded on first boot. |
| NVD_API_KEY | Optional NVD API key for faster advisory refresh. |
| DPNDNCY_AIRGAPPED | Disable all outbound calls; load advisory data from offline bundles. |
| COOKIE_SECURE / TRUST_PROXY | Set behind TLS / a reverse proxy. |
| SMTP_* | SMTP relay for email notifications. |
| SESSION_TTL_SECONDS | Session lifetime. |
| MAX_ZIP_UPLOAD_MB | Upload size cap for archive scans. |
No telemetry
dpndncY has no telemetry. There is no phone-home; the platform does not see your usage, code, or results.
Example
.env (production)
APP_URL=https://dpndncy.example.com
APP_SECRET=<32-byte-random>
DATABASE_URL=postgres://dpndncy:****@db:5432/dpndncy
DPNDNCY_SIGNING_KEY_PATH=/data/keys/signing.key
OIDC_ISSUER_URL=https://login.example.com
COOKIE_SECURE=true
TRUST_PROXY=true
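
Preflight check
The production notes in the tables above (APP_SECRET required, key autogen dev only, BYOK key path, COOKIE_SECURE behind TLS) can be checked before deploy. The following is an added example, not part of dpndncY; the function names and the assumption that boolean settings are enabled by "true" or "1" are hypothetical, and both sample files are constructed.

```python
# Added example: preflight lint for a production .env, based on the table notes above.
# Assumption: boolean settings are enabled by "true" or "1" (the page only shows "true").
TRUTHY = {"true", "1"}

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments; strip optional quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def lint_production(env):
    """Return a list of (variable, message) findings for a production deployment."""
    findings = []
    secret = env.get("APP_SECRET", "")
    if not secret or secret.startswith("<"):
        findings.append(("APP_SECRET", "required in production; unset or still a placeholder"))
    if env.get("DPNDNCY_SIGNING_KEY_AUTOGEN", "").lower() in TRUTHY:
        findings.append(("DPNDNCY_SIGNING_KEY_AUTOGEN", "dev only; unset it in production"))
    if not env.get("DPNDNCY_SIGNING_KEY_PATH"):
        findings.append(("DPNDNCY_SIGNING_KEY_PATH", "no BYOK private key path configured"))
    if env.get("APP_URL", "").lower().startswith("https://") and \
            env.get("COOKIE_SECURE", "").lower() not in TRUTHY:
        findings.append(("COOKIE_SECURE", "APP_URL is https but COOKIE_SECURE is not set"))
    return findings

# Constructed sample inputs (not real deployments).
WEAK = """\
APP_URL=https://dpndncy.example.com
APP_SECRET=<32-byte-random>
DPNDNCY_SIGNING_KEY_AUTOGEN=true
"""
HARDENED = """\
APP_URL=https://dpndncy.example.com
APP_SECRET=constructed-sample-value-not-a-real-secret
DPNDNCY_SIGNING_KEY_PATH=/data/keys/signing.key
COOKIE_SECURE=true
TRUST_PROXY=true
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_production(parse_env(text)))
```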