Environment Variables Reference
This page documents the main environment variables used by Open-SSPM.
Required Variables
DATABASE_URL
Required - PostgreSQL connection URL.
DATABASE_URL=postgres://user:password@host:port/database?sslmode=require
Examples:
- Local development: postgres://postgres:postgres@localhost:5432/opensspm?sslmode=disable
- Production with SSL: postgres://user:pass@db.example.com:5432/opensspm?sslmode=require
CONNECTOR_SECRET_KEY
Required if you want to store connector credentials in the database.
Generate a new key:
openssl rand -base64 32
Example:
CONNECTOR_SECRET_KEY=MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=
WARNING
Store this key securely. Losing it means stored connector credentials must be entered again.
CONNECTOR_SECRET_KEY_FILE
Alternative to CONNECTOR_SECRET_KEY. Path to a file containing the base64-encoded key.
CONNECTOR_SECRET_KEY_FILE=/etc/open-sspm/connector-secret-key
Server Configuration
HTTP_ADDR
Address and port for the HTTP server.
- Default: :8080
HTTP_ADDR=:8080
METRICS_ADDR
Address for the metrics endpoint.
- Default in the Go binary: disabled ("")
- Disable explicitly with: off, disabled, or false
- Common deployment value: 127.0.0.1:9090
METRICS_ADDR=127.0.0.1:9090
STATIC_DIR
Absolute path to static assets. If unset, Open-SSPM searches common web/static locations relative to the working directory and executable path.
STATIC_DIR=/opt/open-sspm/web/static
Logging
LOG_FORMAT
- Values: json, text
- Default: json
LOG_FORMAT=json
LOG_LEVEL
- Values: debug, info, warn, error
- Default: info
LOG_LEVEL=info
Authentication
AUTH_COOKIE_SECURE
- Values: 0, 1
- Default: 0
AUTH_COOKIE_SECURE=1
Set this to 1 when users access Open-SSPM over HTTPS.
TRUSTED_PROXY_CIDRS
Comma-separated CIDRs to trust when deriving client IPs from X-Forwarded-For.
TRUSTED_PROXY_CIDRS=35.191.0.0/16,130.211.0.0/22
By default, private, link-local, and loopback ranges are trusted.
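The following Go example is added here and is not Open-SSPM's own code. It shows one common way a trusted-proxy list is applied to X-Forwarded-For: walk the header right to left from the TCP peer and accept an entry only when the hop that reported it is trusted. The names parseTrusted, isTrusted and clientIP are hypothetical, the default private, link-local and loopback ranges are not modelled, and the addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Added example, not Open-SSPM code: parse a TRUSTED_PROXY_CIDRS-style list.
func parseTrusted(list string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, s := range strings.Split(list, ",") {
		p, err := netip.ParsePrefix(strings.TrimSpace(s))
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", s, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// clientIP walks X-Forwarded-For right to left, starting from the TCP peer.
// An entry is believed only if the hop that reported it is a trusted proxy.
func clientIP(peer netip.Addr, xff string, trusted []netip.Prefix) netip.Addr {
	cur := peer.Unmap()
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0 && isTrusted(cur, trusted); i-- {
		next, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed or empty entry: keep the last verified hop
		}
		cur = next.Unmap()
	}
	return cur
}

func main() {
	// Constructed sample: a client sends a forged entry through a trusted proxy.
	t, _ := parseTrusted("35.191.0.0/16,130.211.0.0/22")
	fmt.Println(clientIP(netip.MustParseAddr("35.191.1.2"), "6.6.6.6, 203.0.113.9", t))
}
```

The forged leftmost entry is ignored because the walk stops at the first address that is not a trusted proxy, and a header arriving from an untrusted peer is not consulted at all.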
DEV_SEED_ADMIN
Development-only helper that creates admin@admin.com / admin if no auth users exist.
- Values: 0, 1
- Default: 0
DEV_SEED_ADMIN=1
Sync
SYNC_INTERVAL
- Default: 15m
SYNC_INTERVAL=15m
SYNC_DISCOVERY_INTERVAL
- Default: 15m
SYNC_DISCOVERY_INTERVAL=15m
SYNC_DISCOVERY_ENABLED
- Values: 0, 1
- Default: 1
SYNC_DISCOVERY_ENABLED=1
RESYNC_ENABLED
- Values: 0, 1
- Default: 1
RESYNC_ENABLED=1
RESYNC_MODE
- Values: signal, inline
- Default: signal
RESYNC_MODE=signal
GLOBAL_EVAL_MODE
- Values: best_effort, strict
- Default: best_effort
GLOBAL_EVAL_MODE=best_effort
Sync Locking
SYNC_LOCK_MODE
Locking mechanism for sync coordination.
- Values: lease, advisory
- Default: lease
SYNC_LOCK_MODE=lease
SYNC_LOCK_TTL
- Default: 60s
SYNC_LOCK_TTL=60s
SYNC_LOCK_HEARTBEAT_INTERVAL
- Default: 15s
SYNC_LOCK_HEARTBEAT_INTERVAL=15s
SYNC_LOCK_HEARTBEAT_TIMEOUT
- Default: 15s
SYNC_LOCK_HEARTBEAT_TIMEOUT=15s
SYNC_LOCK_INSTANCE_ID
Optional instance identifier for lock observability. If unset, Open-SSPM falls back to HOSTNAME or the OS hostname.
SYNC_LOCK_INSTANCE_ID=worker-01
Per-Connector Intervals
Leave these unset to inherit SYNC_INTERVAL:
SYNC_OKTA_INTERVAL=15m
SYNC_ENTRA_INTERVAL=15m
SYNC_GOOGLE_WORKSPACE_INTERVAL=15m
SYNC_GITHUB_INTERVAL=15m
SYNC_DATADOG_INTERVAL=15m
SYNC_AWS_INTERVAL=15m
SYNC_FAILURE_BACKOFF_MAX
Maximum delay after repeated sync failures.
If unset, the workers derive it from the active lane interval:
- Full sync worker: SYNC_INTERVAL * 10
- Discovery worker: SYNC_DISCOVERY_INTERVAL * 10
SYNC_FAILURE_BACKOFF_MAX=2h
Worker Concurrency
SYNC_OKTA_WORKERS
- Default: 3
SYNC_OKTA_WORKERS=3
SYNC_GITHUB_WORKERS
- Default: 6
SYNC_GITHUB_WORKERS=6
SYNC_DATADOG_WORKERS
- Default: 3
SYNC_DATADOG_WORKERS=3
Example
DATABASE_URL=postgres://postgres:postgres@localhost:5432/opensspm?sslmode=disable
CONNECTOR_SECRET_KEY=$(openssl rand -base64 32)
HTTP_ADDR=:8080
LOG_FORMAT=json
LOG_LEVEL=info
AUTH_COOKIE_SECURE=0
SYNC_INTERVAL=15m
SYNC_DISCOVERY_INTERVAL=15m
SYNC_DISCOVERY_ENABLED=1
RESYNC_MODE=signal
SYNC_OKTA_WORKERS=3
SYNC_GITHUB_WORKERS=6
SYNC_DATADOG_WORKERS=3