rsigma config validate🔗

Load every config layer that would apply at runtime and report problems before they cause a daemon or eval to misbehave.

Synopsis🔗

rsigma config validate [--config <PATH>] [--format <text|json>] [--strict]

Description🔗

Walks the same discovery chain the daemon and eval commands use, deserializes every layer, and reports:

• Unknown keys that don't match the schema (typo guard).
• Inactive sections that are set but inert in this build because the gating Cargo feature is disabled (e.g. daemon.api.tls without daemon-tls).
• Errors that prevent a file from loading at all.

By default unknown keys are warnings; --strict upgrades them to hard errors so CI can gate on configuration cleanliness.

Flags🔗

Output🔗

Text mode🔗

Diagnostics go to stderr. Loaded layers are listed in increasing precedence order, then each unknown key and inactive section is printed, followed by a summary line.

Loaded (low to high precedence):
  - /etc/rsigma/config.yaml
  - ./rsigma.yaml
warning: unknown key 'bogus_key' in ./rsigma.yaml
Config is valid.

JSON mode🔗

A single envelope is written to stdout (data goes to stdout; warnings stay on stderr only in text mode).

{
  "ok": true,
  "sources": ["/etc/rsigma/config.yaml", "./rsigma.yaml"],
  "unknown_keys": [
    { "file": "./rsigma.yaml", "key": "bogus_key" }
  ],
  "inactive_sections": []
}

A failure surfaces "ok": false and (for parse failures) an "error" field.

Exit codes🔗

Examples🔗

Check the discovered config:

rsigma config validate

Validate a specific file and fail the build on typos:

rsigma config validate -c rsigma.yaml --strict

Use the JSON envelope from a CI step:

rsigma config validate --format json | jq -e '.ok'

See also🔗

• config show to see the effective values after layering.
• Configuration Reference.