
.dino.yml

Dino is configured through a .dino.yml file in your project root. Run dino init to generate one interactively, or create it manually.

Minimal Config

# yaml-language-server: $schema=https://usedino.dev/schema.json
endpoint: https://api.example.com/graphql
protocol: graphql
format: json
That’s it. Dino will scan your API with all 6 agents using sensible defaults.

Full Reference

Field            Type                    Default            Description
endpoint         URL                     (none)             Your API endpoint. Required for scans.
protocol         "graphql"               "graphql"          API protocol. Only GraphQL is supported currently.
format           "json" | "markdown"     "json"             Output format for scan results.
tenant           string                  (none)             Tenant ID. Loads config from tenants/<id>.yml. Optional for ad-hoc scans.
environment      string                  (none)             Target environment (e.g., staging, production).
snapshotDir      string                  ".dino/snapshots"  Directory for schema snapshots used by diff, lint, changelog.
aiKey            string                  (none)             Anthropic API key for AI reasoning. Prefer the DINO_AI_KEY env var instead.
auth.enabled     boolean                 false              Enable authenticated scans. Required for the RBAC matrix agent.
auth.role        string                  (none)             Default auth role for scans (e.g., USER, ADMIN).
autonomy.level   "observe" | "enforce"   "observe"          Shadow Mode level for dino watch.
rateLimit.burst  integer (1–500)         Tier default       Burst size for rate limit testing.

JSON Schema

The # yaml-language-server comment at the top of your config file enables IDE autocomplete if you use the YAML extension in VS Code.
# yaml-language-server: $schema=https://usedino.dev/schema.json
dino init adds this comment automatically.

Config File Search Order

Dino uses cosmiconfig to find your config. It searches in this order:
  1. .dino.yml or .dino.yaml
  2. .dinorc (JSON or YAML)
  3. .dinorc.json, .dinorc.yaml, .dinorc.yml
  4. package.json ("dino" key)
Executable config files (.js, .ts, .cjs, .mjs) are blocked for security: a repository you clone and scan cannot run arbitrary code on your machine through its config file. Only YAML and JSON configs are loaded.

Precedence

When the same setting is defined in multiple places:
CLI flags  >  Environment variables  >  .dino.yml  >  Smart defaults
For example, --format markdown overrides format: json in your config file.

Smart Defaults

If you omit fields, Dino applies sensible defaults:
  • All 6 agents enabled (RBAC matrix auto-skips if auth.enabled is false)
  • Pipeline timeout: 300 seconds
  • Per-request timeout: 30 seconds
  • Snapshot dir: .dino/snapshots
  • Watch interval: 60 seconds
  • Watch autonomy: observe (safe default — never blocks CI unless you opt in)

Examples

Ad-hoc scan (no tenant)

endpoint: https://api.myapp.com/graphql
protocol: graphql
format: json

Authenticated scan with RBAC testing

endpoint: https://api.myapp.com/graphql
protocol: graphql
format: json
auth:
  enabled: true
  role: USER

CI/CD with enforce mode

endpoint: https://staging.myapp.com/graphql
protocol: graphql
format: json
autonomy:
  level: enforce
See Environment Variables for setting DINO_AI_KEY and DINO_API_TOKEN without putting secrets in your config file.