Environment Defaults
Environment defaults define the baseline scanning and processing behavior applied to new projects in your organization. These settings control what happens when an SBOM is uploaded or ingested: which checks run, how long data is retained, and what automation is applied.
Default Settings
The following settings can be configured as organization-wide defaults. When a new project is created, it inherits these values. Note that every import action ships with a default of Off, so a newly created organization produces no scan, check, or labeling results until these defaults are changed.
Import Actions

Run SBOM Checks
Execute quality and compliance checks on uploaded SBOMs. Default: Off.

Always Use Latest Parts
Keep component information updated with the latest available data. Default: Off.

Run Internal Labeling
Identify and label internal components. Default: Off.

Run Auto Archive
Automatically archive old SBOM versions. Default: Off.

Apply Automation Rules
Execute configured automation rules on upload. Default: Off.

Run Vulnerability Scan
Scan components for known vulnerabilities. Default: Off.

Run Component Support Analysis
Evaluate component support status (EOL, deprecated, maintained). Default: Off.

Retain Vulnerability Status with Version
Preserve VEX status when a new version of an SBOM is uploaded. Default: Off.

Interpret License List as "AND" expression
Treat multi-license declarations as requiring all listed licenses. Default: Off.

Copy VEX Across Versions on Import
Carry forward VEX dispositions from previous SBOM versions to new imports. Default: Off.

Enable PR Comments
Post SBOM analysis results as comments on pull requests. Default: Off.

Data Retention

Data Retention (days)
Number of days to retain SBOM versions before archiving. Options: 1, 30, 90, 365, or Forever (0). Default: Forever (0).
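The "Interpret License List as AND expression" setting only matters when a component declares more than one license, but then it can flip a compliance verdict. The following is an added example, not the product's own code: a small policy evaluator that applies an allow-list to constructed sample components under both interpretations. The allow-list, component names and license lists are constructed for illustration.

```python
# Added example (not the product's own code): how the "Interpret License List
# as AND expression" default changes a compliance verdict for a component that
# declares more than one license. Allow-list and components are constructed.
from dataclasses import dataclass

# Constructed allow-list: the licenses this organization accepts.
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass
class Component:
    name: str
    licenses: list[str]  # SPDX identifiers as declared in the SBOM, in order


def is_compliant(component: Component, allowed: set[str], interpret_as_and: bool) -> bool:
    """Return True if the component's declared licenses satisfy the allow-list.

    interpret_as_and=True  : the list is read as a conjunction ("MIT AND
                             GPL-3.0-only"); every entry must be acceptable,
                             so one disallowed entry fails the component.
    interpret_as_and=False : the list is read as alternatives; a single
                             acceptable entry is enough.
    A component with no declared license is never compliant under either rule.
    """
    if not component.licenses:
        return False
    verdicts = [lic in allowed for lic in component.licenses]
    return all(verdicts) if interpret_as_and else any(verdicts)


def evaluate(components, allowed, interpret_as_and):
    """Map component name -> compliance verdict under the chosen interpretation."""
    return {c.name: is_compliant(c, allowed, interpret_as_and) for c in components}


# Constructed sample SBOM components; names and license lists are illustrative.
SAMPLE = [
    Component("single-permissive", ["MIT"]),
    Component("dual-licensed", ["MIT", "GPL-3.0-only"]),
    Component("all-permissive", ["Apache-2.0", "BSD-3-Clause"]),
    Component("undeclared", []),
]

if __name__ == "__main__":
    for setting in (False, True):
        label = "AND (setting On)" if setting else "alternatives (setting Off)"
        print(f"{label}: {evaluate(SAMPLE, ALLOWED, setting)}")
```

Run as-is, the dual-licensed component passes when the setting is Off and fails when it is On; the single-license and undeclared components are unaffected either way. Turning the setting On is the conservative choice when you cannot confirm that an SBOM producer meant a multi-license list as a choice rather than a combined obligation.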
Configuring Defaults
Setting Organization Defaults
Navigate to Settings > Organization > Environment Defaults.
Toggle the desired import actions on or off.
Select a Data Retention period from the dropdown.
Click Save for Future Projects to apply the settings to newly created projects going forward.
Applying to All Existing Projects
To retroactively apply the current defaults to all existing projects:
Configure the desired settings.
Click Apply to All Projects.
Confirm the action in the confirmation dialog.
This overwrites the individual settings of all existing projects. Any per-project customizations will be lost.
Inheritance Rules
Environment defaults follow a top-down inheritance model:
Organization defaults are the baseline. They define the starting configuration for all new projects.
Project settings are initialized from organization defaults when a project is created.
After creation, project settings are independent: changing organization defaults does not automatically propagate to existing projects unless you explicitly click "Apply to All Projects."
Overriding Logic
To customize a specific project's settings:
Navigate to the project's settings page.
Modify the desired settings.
Save.
The project's settings will diverge from the organization defaults. Future changes to organization defaults will not affect this project unless explicitly applied.
Common Misconfigurations

Vulnerability scanning disabled by default
Symptom: new projects show no vulnerability data.
Fix: enable "Run Vulnerability Scan" in the defaults.

SBOM checks disabled
Symptom: quality and compliance scores are not generated.
Fix: enable "Run SBOM Checks" in the defaults.

Data retention set to 1 day
Symptom: SBOM history is lost almost immediately.
Fix: increase retention to 90 days or more, or Forever.

"Apply to All Projects" clicked accidentally
Symptom: all project-specific customizations are overwritten.
Fix: re-configure the affected projects individually.

PR comments enabled but no source control integration
Symptom: comments are not posted.
Fix: configure a GitHub, GitLab, or Bitbucket integration first.

VEX status not preserved between versions
Symptom: triage work is lost when an SBOM is re-uploaded.
Fix: enable "Retain Vulnerability Status with Version".
Recommended Best Practices
Enable vulnerability scanning and SBOM checks by default: these are the core value-add features and should be active for most projects.
Enable "Retain Vulnerability Status with Version" to avoid re-triaging vulnerabilities when SBOMs are re-uploaded.
Set data retention to at least 90 days for audit trail purposes. Use "Forever" if storage is not a concern.
Enable "Copy VEX Across Versions on Import" if your workflow involves frequent SBOM updates and you want to preserve triage decisions.
Enable PR comments for projects using source control integrations: this provides immediate feedback to developers on pull requests.
Review defaults when onboarding a new team to ensure they align with the team's security requirements.
Use "Save for Future Projects" when adjusting defaults, and only use "Apply to All Projects" when you intentionally want to standardize all projects.
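"Retain Vulnerability Status with Version" and "Copy VEX Across Versions on Import" both exist so that triage decisions survive a re-upload, but a disposition recorded against one component version is not automatically valid for the next one. The following is an added example, not the product's own code, of a carry-forward routine that copies prior VEX statements onto a newly imported SBOM and sends version-sensitive verdicts back for re-triage. The page does not document how the product matches statements across versions; matching on (package URL, vulnerability id), the treatment of a version bump, and all sample data are assumptions made for this example.

```python
# Added example (not the product's own code) of the carry-forward behaviour
# that "Copy VEX Across Versions on Import" and "Retain Vulnerability Status
# with Version" describe. How the product matches statements between versions
# is not documented; matching on (purl, vulnerability id) and the re-triage
# rule for changed component versions are assumptions made for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class VexStatement:
    purl: str            # package URL of the component the statement covers
    vuln_id: str
    status: str          # affected | not_affected | fixed | under_investigation
    justification: str = ""


def _unversioned(purl: str) -> str:
    """Drop the @version suffix so a bumped component matches its predecessor."""
    return purl.split("@", 1)[0]


def carry_forward(previous, new_findings):
    """Decide which prior VEX statements apply to a newly imported SBOM.

    previous:     VexStatement list from the prior SBOM version.
    new_findings: (purl, vuln_id) pairs the scanner raised on the new import.
    Returns (carried, needs_retriage). A statement is copied unchanged when
    the component purl is identical. When only the version changed, a
    not_affected or fixed verdict is version-specific and is queued for
    re-triage instead of being copied; affected and under_investigation carry
    over because they assert nothing the new version could invalidate.
    """
    exact = {(s.purl, s.vuln_id): s for s in previous}
    by_name = {(_unversioned(s.purl), s.vuln_id): s for s in previous}
    carried, retriage = [], []
    for purl, vuln in new_findings:
        if (purl, vuln) in exact:
            carried.append(exact[(purl, vuln)])
            continue
        prior = by_name.get((_unversioned(purl), vuln))
        if prior is None:
            retriage.append((purl, vuln, "new finding, no prior statement"))
        elif prior.status in ("not_affected", "fixed"):
            retriage.append((purl, vuln, f"component version changed; prior verdict was {prior.status}"))
        else:
            carried.append(VexStatement(purl, vuln, prior.status, prior.justification))
    return carried, retriage


# Constructed sample data: purls follow the npm purl format, but the
# vulnerability ids, versions and dispositions are illustrative only.
PREVIOUS_VEX = [
    VexStatement("pkg:npm/lodash@4.17.20", "VULN-A", "affected", "upgrade scheduled"),
    VexStatement("pkg:npm/minimist@1.2.5", "VULN-B", "not_affected", "vulnerable_code_not_in_execute_path"),
    VexStatement("pkg:npm/qs@6.9.4", "VULN-C", "under_investigation"),
]
NEW_FINDINGS = [
    ("pkg:npm/lodash@4.17.20", "VULN-A"),   # same purl: copied as-is
    ("pkg:npm/minimist@1.2.6", "VULN-B"),   # version bump: not_affected must be re-checked
    ("pkg:npm/qs@6.10.0", "VULN-C"),        # version bump: still under investigation
    ("pkg:npm/express@4.17.1", "VULN-C"),   # no prior statement for this component
]

if __name__ == "__main__":
    carried, retriage = carry_forward(PREVIOUS_VEX, NEW_FINDINGS)
    for s in carried:
        print(f"carried   {s.purl} {s.vuln_id} -> {s.status}")
    for purl, vuln, reason in retriage:
        print(f"re-triage {purl} {vuln}: {reason}")
```

The point of the re-triage queue is the caveat behind the best practice above: blindly copying a not_affected disposition onto a new component version silently hides a vulnerability that the new version may actually expose. Whichever of the two settings you enable, check how the product treats a changed component version before relying on it to carry suppressions forward.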