DejaCode is configured with environment variables stored in a
.env file is created at the root of the DejaCode codebase during its
You can configure your preferences using the following settings in the
DejaCode is based on the Django web framework and its settings system. The list of settings available in Django is documented at Django Settings.
Settings specific to DejaCode are all prefixed with
Restarting the services is required following any changes to .env:
docker compose restart web worker
The database can be configured using the following settings:
A list of strings representing the host/domain names that this application can serve.
To enable this setting you need to have a proper host and domain name configured for your DejaCode installation.
This setting is a security measure to prevent an attacker from poisoning caches and password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe webserver configurations.
Values in this list can be fully qualified names (e.g. ‘www.example.com’), in which case they will be matched against the request’s Host header exactly (case-insensitive, not including port).
A value beginning with a period can be used as a subdomain wildcard: ‘.example.com’ will match example.com, www.example.com, and any other subdomain of example.com. A value of ‘*’ will match anything; in this case you are responsible for providing your own validation of the Host header.
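The matching rules described above, written out as an added example (this is not DejaCode or Django source code). The function names, host names and sample Host headers are constructed for illustration.

```python
def split_host_port(host_header):
    """Return the lower-cased host part of a Host header, without the port."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:8000
        end = host.find("]")
        return host[: end + 1] if end != -1 else ""
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name
    return host


def host_allowed(host_header, allowed_hosts):
    """Apply the rules above: exact match, leading-dot wildcard, or '*'."""
    host = split_host_port(host_header)
    if not host:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True  # matches anything: Host validation is now your job
        if pattern.startswith("."):
            # '.example.org' matches example.org and any subdomain of it,
            # but not a look-alike such as badexample.org.
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


# Constructed sample configuration and Host headers.
ALLOWED = ["dejacode.example.com", ".example.org"]
SAMPLES = [
    "DejaCode.Example.com:8443",       # case and port are ignored
    "app.example.org",                 # subdomain wildcard
    "badexample.org",                  # suffix look-alike
    "dejacode.example.com.evil.test",  # allowed name used as a prefix
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header:34} {host_allowed(header, ALLOWED)}")
```
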
This setting enables the email notification feature in DejaCode. If set, the provided username, password and email/SMTP server details are used to send email notifications to your DejaCode users.
# The SMTP user used for authentication on your SMTP server.
# Password to use for the SMTP server defined in EMAIL_HOST.
# Can be empty on non-secured, test servers.
# The SMTP server host to use to send emails.
# Port to use for the SMTP server defined in EMAIL_HOST.
# Default "FROM" email address to use when sending email notifications
# Whether to use a TLS (secure) connection when talking to the SMTP server
# You should always use a secure connection.
The base URL of this DejaCode installation. This setting is required to build URLs that reference objects in the application. It is also used when including URLs in email notifications.
One Dataspace can be designated as accessible to anyone in a view-only mode. Set this with an existing Dataspace name to enable view-only access for anonymous users who are not logged in.
An administrative User in the Reference Dataspace can see and copy data from every Dataspace; otherwise, the User can only see data from his/her assigned Dataspace and copy from the Reference Dataspace. An administrative User in the Reference Dataspace can also maintain User definitions for all Dataspaces.
The default Reference Dataspace is always ‘nexB’ unless the following setting is set to another existing Dataspace. If set to an empty value or a non-existent Dataspace, ‘nexB’ will be considered the Reference Dataspace.
Caution: be careful when changing this setting as you may no longer have access to nexB-provided reference data.
You can control whether the DejaCode session framework uses web browser-lifetime
sessions vs. persistent sessions with the
SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True, DejaCode cookies will expire as
soon as a user closes his or her web browser.
Use this if you want the user to have to log in every time they open a browser.
SESSION_COOKIE_AGE setting is the maximum age of DejaCode session cookies, in
The DejaCode user session will expire if the user is “inactive” in the application for
longer than this value.
# 1 hour, in seconds.
By default, only a minimum of logging messages is displayed in the console, mostly to provide some progress about pipeline run execution.
DEBUG value can be provided to this setting to see all DejaCode debug
messages to help track down configuration issues for example.
This mode can be enabled globally through the
When enabled, DejaCode will perform virus scanning on any and all files that a user attempts to import in the various places where data imports are supported. A file with a detected virus will be blocked from upload, and DejaCode will present a pertinent error message to the user when this occurs.
To enable anti-virus scan on file upload, set the
CLAMD_ENABLED setting to
A string representing the time zone for the current ScanCode.io installation. By
US/Pacific time zone is used:
You can view a detailed list of time zones here.
To integrate DejaCode with other applications within the AboutCode stack, you have the flexibility to configure and set up integrations using the following application settings.
It’s important to understand that employing application settings will make these integrations globally accessible across all Dataspaces within your DejaCode instance.
Alternatively, if you wish to tailor the availability of these features to a specific Dataspace, you can define and set those values directly within the Dataspace configuration. This can be done through the Dataspace admin UI, allowing you to scope the availability of these integrations exclusively to the designated Dataspace.
Provide the URL and API key of your ScanCode.io instance.
You have the option to define and set those settings directly on your Dataspace. For detailed instructions, refer to Enable package scanning with your ScanCode.io server.
Provide the URL and API key of your PurlDB instance.
You have the option to define and set those settings directly on your Dataspace. For detailed instructions, refer to Enable PurlDB service.
Providing an API key is optional when using the public VulnerableCode instance.
You have the option to define and set those settings directly on your Dataspace. For detailed instructions, refer to Enable VulnerableCodeDB service.
This setting enables users to authenticate against an LDAP server.
To enable the LDAP authentication, set the following value for the
An alternative setup is to allow the authentication in the system first using LDAP, and then using a DejaCode user account if the authentication through LDAP was not successful. For example, this can be useful if the LDAP server is down.
The URI of the LDAP server.
By default, LDAP connections are unencrypted.
If you need a secure connection to the LDAP server, you can either use an
ldaps:// URI or enable the StartTLS extension.
To enable StartTLS, set
AUTH_LDAP_START_TLS to True.
AUTH_LDAP_BIND_PASSWORD should be set with the
distinguished name, and password to use when binding to the LDAP server.
Use empty strings (the default) for an anonymous bind.
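A check of the LDAP transport and bind settings described above, run over the text of a .env file. This is an added example, not part of DejaCode. AUTH_LDAP_SERVER_URI and AUTH_LDAP_BIND_DN are django-auth-ldap setting names assumed here to be the .env keys, and the finding codes and sample values are constructed.

```python
TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_env(text):
    """Parse KEY=VALUE lines from .env text, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first "=" only
            env[key.strip()] = value.strip().strip("\"'")
    return env


def audit_ldap(env):
    """Return finding codes for the LDAP transport and bind settings."""
    uri = env.get("AUTH_LDAP_SERVER_URI", "").lower()
    if not uri:
        return ["no-ldap-uri"]
    findings = []
    start_tls = env.get("AUTH_LDAP_START_TLS", "").lower() in TRUE_VALUES
    bind_dn = env.get("AUTH_LDAP_BIND_DN", "")
    bind_pw = env.get("AUTH_LDAP_BIND_PASSWORD", "")
    if not (uri.startswith("ldaps://") or start_tls):
        # The default: user passwords reach the directory in clear text.
        findings.append("cleartext-transport")
        if bind_pw:
            findings.append("bind-password-in-cleartext")
    if bind_dn and not bind_pw:
        # A DN with an empty password is an unauthenticated bind (RFC 4513).
        findings.append("bind-dn-without-password")
    if not bind_dn and not bind_pw:
        findings.append("anonymous-bind")  # informational
    return findings


# Constructed sample .env contents (not from a real installation).
WEAK_ENV = """
# LDAP
AUTH_LDAP_SERVER_URI=ldap://ldap.example.com:389
AUTH_LDAP_BIND_DN=cn=admin,ou=users,dc=example,dc=com
AUTH_LDAP_BIND_PASSWORD="placeholder-password"
"""
HARDENED_ENV = WEAK_ENV.replace("ldap://", "ldaps://").replace(":389", ":636")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(name, audit_ldap(parse_env(text)))
```
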
The following setting is required to locate a user in the LDAP directory. The filter parameter should contain the placeholder %(user)s for the username. It must return exactly one result for authentication to succeed.
AUTH_LDAP_AUTOCREATE_USER is True (default), a new DejaCode user will
be created in the database with the minimum permission (a read-only user).
Enabling this setting also requires a valid dataspace name for the
New DejaCode users created on the first LDAP authentication will be located in
AUTH_LDAP_AUTOCREATE_USER to False in order to limit
authentication to users that already exist in the database only, in which case
new users must be manually created by a DejaCode administrator using the
AUTH_LDAP_USER_ATTR_MAP is used to copy LDAP directory information into
DejaCode user objects, at creation time (see
during updates (see
This dictionary maps DejaCode user fields to (case-insensitive) LDAP attribute
By default, all mapped user fields will be updated each time the user logs in.
To disable this, set
AUTH_LDAP_ALWAYS_UPDATE_USER to False.
A user’s LDAP group memberships can be used with the DejaCode group permissions system.
The LDAP groups that a user belongs to will be mapped with existing DejaCode groups
using the Group
The permissions defined for each of the mapped DejaCode groups will be loaded for the
To enable and configure DejaCode to use LDAP groups you need to enable LDAP as explained above and also do these additional tasks:
In the reference nexB Dataspace, create the DejaCode groups and associated permissions through the DejaCode admin interface. From the Admin dashboard:
Configure DejaCode settings to enable LDAP groups retrieval by adding these lines to your DejaCode settings file. Set the proper
AUTH_LDAP_GROUP_SEARCH values matching your LDAP configuration.
LDAP as the only way to log in to DejaCode.
Unencrypted connections with the LDAP server.
Anonymous bind to the LDAP server.
Users need to be manually created in DejaCode by an administrator first.
No mapping for user attributes is defined.
User field values in the database are not updated at authentication time.
Users are located using the
uid attribute with the
LDAP as the first way to log in, and then using a DejaCode user account if the authentication through LDAP was not successful.
Encrypted connections with the LDAP server.
Binding to the LDAP server using
cn=admin,ou=users,dc=example,dc=com for the distinguished name and
Users are located using the
cn attribute with the
Users will be automatically created or updated. New users will be located in the “nexB” dataspace.
User attributes will be mapped according to the