# Environment Defaults

Environment defaults define the baseline scanning and processing behavior applied to new projects in your organization. These settings control what happens when an SBOM is uploaded or ingested — which checks run, how data is retained, and what automation is applied.

***

## Default Settings

The following settings can be configured as organization-wide defaults. When a new project is created, it inherits these values.

### Import Actions

| Setting                                        | Description                                                               | Default |
| ---------------------------------------------- | ------------------------------------------------------------------------- | ------- |
| **Run SBOM Checks**                            | Execute quality and compliance checks on uploaded SBOMs                   | Off     |
| **Always Use Latest Parts**                    | Keep component information updated with the latest available data         | Off     |
| **Run Internal Labeling**                      | Identify and label internal components                                    | Off     |
| **Run Auto Archive**                           | Automatically archive old SBOM versions                                   | Off     |
| **Apply Automation Rules**                     | Execute configured automation rules on upload                             | Off     |
| **Run Vulnerability Scan**                     | Scan components for known vulnerabilities                                 | Off     |
| **Run Component Support Analysis**             | Evaluate component support status (EOL, deprecated, maintained)           | Off     |
| **Retain Vulnerability Status with Version**   | Preserve VEX status when a new version of an SBOM is uploaded             | Off     |
| **Interpret License List as "AND" expression** | Treat multi-license declarations as requiring all listed licenses         | Off     |
| **Copy VEX Across Versions on Import**         | Carry forward VEX dispositions from previous SBOM versions to new imports | Off     |
| **Enable PR Comments**                         | Post SBOM analysis results as comments on pull requests                   | Off     |

### Data Retention

| Setting                   | Description                                                                                       | Default     |
| ------------------------- | ------------------------------------------------------------------------------------------------- | ----------- |
| **Data Retention (days)** | Number of days to retain SBOM versions before archiving. Options: 1, 30, 90, 365, or Forever (0). | Forever (0) |

***

## Configuring Defaults

### Setting Organization Defaults

1. Navigate to **Settings > Organization > Environment Defaults**.
2. Toggle the desired import actions on or off.
3. Select a **Data Retention** period from the dropdown.
4. Click **Save for Future Projects** to apply the settings to newly created projects going forward.

### Applying to All Existing Projects

To retroactively apply the current defaults to all existing projects:

1. Configure the desired settings.
2. Click **Apply to All Projects**.
3. Confirm the action in the confirmation dialog.

{% hint style="warning" %}
This overwrites the individual settings of all existing projects. Any per-project customizations will be lost.
{% endhint %}

***

## Inheritance Rules

Environment defaults follow a top-down inheritance model:

```
Organization Defaults
  └── Project Settings (per project)
```

1. **Organization defaults** are the baseline. They define the starting configuration for all new projects.
2. **Project settings** are initialized from organization defaults when a project is created.
3. After creation, project settings are **independent** — changing organization defaults does not automatically propagate to existing projects unless you explicitly click "Apply to All Projects."

### Overriding Logic

To customize a specific project's settings:

1. Navigate to the project's settings page.
2. Modify the desired settings.
3. Save.

The project's settings will diverge from the organization defaults. Future changes to organization defaults will not affect this project unless explicitly applied.

***

## Common Misconfigurations

| Issue                                                 | Symptom                                         | Fix                                                        |
| ----------------------------------------------------- | ----------------------------------------------- | ---------------------------------------------------------- |
| Vulnerability scanning disabled by default            | New projects don't show vulnerability data      | Enable "Run Vulnerability Scan" in defaults                |
| SBOM checks disabled                                  | Quality/compliance scores not generated         | Enable "Run SBOM Checks" in defaults                       |
| Data retention set to 1 day                           | SBOM history lost almost immediately            | Increase retention to 90+ days or Forever                  |
| "Apply to All Projects" clicked accidentally          | All project-specific customizations overwritten | Re-configure individual projects as needed                 |
| PR comments enabled but no source control integration | Comments not posted                             | Configure a GitHub, GitLab, or Bitbucket integration first |
| VEX status not preserved between versions             | Triage work lost on SBOM re-upload              | Enable "Retain Vulnerability Status with Version"          |
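The inheritance rules and the misconfiguration table above can be modelled in a few lines. This is an added example, not the platform's own code or API: the setting names, the dictionary layout and the `scm_integrations` parameter are assumptions, and only a subset of the import actions is modelled.

```python
from copy import deepcopy

# Constructed model of the page's settings; not the platform's API.
RETENTION_OPTIONS = {0, 1, 30, 90, 365}  # 0 means "Forever"

ORG_DEFAULTS = {
    "run_sbom_checks": False,
    "run_vulnerability_scan": False,
    "retain_vuln_status_with_version": False,
    "enable_pr_comments": False,
    "data_retention_days": 0,
}


def new_project(name, org_defaults):
    """A new project is initialized from a snapshot of the organization defaults."""
    return {"name": name, "settings": deepcopy(org_defaults)}


def apply_to_all(org_defaults, projects):
    """'Apply to All Projects': overwrite every project's settings in place."""
    for project in projects:
        project["settings"] = deepcopy(org_defaults)


def audit(project, scm_integrations=()):
    """Flag the misconfigurations from the table above; returns a list of issues."""
    s = project["settings"]
    issues = []
    if not s["run_vulnerability_scan"]:
        issues.append("Run Vulnerability Scan disabled")
    if not s["run_sbom_checks"]:
        issues.append("Run SBOM Checks disabled")
    if s["data_retention_days"] not in RETENTION_OPTIONS:
        issues.append("Data retention value is not one of 1, 30, 90, 365, Forever (0)")
    elif s["data_retention_days"] == 1:
        issues.append("Data retention set to 1 day")
    if s["enable_pr_comments"] and not scm_integrations:
        issues.append("PR comments enabled without source control integration")
    if not s["retain_vuln_status_with_version"]:
        issues.append("VEX status not retained between versions")
    return issues


if __name__ == "__main__":
    org = dict(ORG_DEFAULTS)
    billing = new_project("billing", org)
    org["run_vulnerability_scan"] = True  # changing defaults later...
    print(audit(billing))                 # ...does not touch the existing project
    apply_to_all(org, [billing])          # until defaults are applied explicitly
    print(audit(billing))
```

Running the block shows the first audit still reporting "Run Vulnerability Scan disabled" for the existing project, and the second audit dropping it only after the explicit apply.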

***

## Recommended Best Practices

* **Enable vulnerability scanning and SBOM checks by default** — these are the core value-add features and should be active for most projects.
* **Enable "Retain Vulnerability Status with Version"** to avoid re-triaging vulnerabilities when SBOMs are re-uploaded.
* **Set data retention to at least 90 days** for audit trail purposes. Use "Forever" if storage is not a concern.
* **Enable "Copy VEX Across Versions on Import"** if your workflow involves frequent SBOM updates and you want to preserve triage decisions.
* **Enable PR comments** for projects using source control integrations — this provides immediate feedback to developers on pull requests.
* **Review defaults when onboarding a new team** to ensure they align with the team's security requirements.
* Use **"Save for Future Projects"** when adjusting defaults, and only use **"Apply to All Projects"** when you intentionally want to standardize all projects.
