Custom detectors
Add detectors for internal services or vendor SDKs that the built-in library doesn't cover.
Last updated May 6, 2026
Attestly's built-in detector library covers the popular tools. For internal services or niche vendors, you can add your own.
Defining a detector
In your repository, create a file called .attestly/detectors.ts:
import { defineDetectors } from "@attestly/sdk";

export default defineDetectors([
  {
    key: "internal-billing", // must be unique across your tenant
    legalEntity: "Yourcompany Billing Service",
    purpose: "Internal payment processing",
    location: "United States",
    isAi: false,
    packages: ["@yourcompany/billing-sdk"], // matched against package manifests
    imports: [/^@yourcompany\/billing/], // matched against import statements
    dataCategoriesByDefault: ["financial", "identifiers"],
  },
  {
    key: "internal-ml-ranker",
    legalEntity: "Yourcompany Inc.",
    purpose: "Search-result ranking",
    location: "United States",
    isAi: true,
    riskClass: "minimal", // only relevant because isAi is true
    imports: [/^@yourcompany\/ml\/rank/],
  },
]);
We pick this file up automatically on every scan, version it alongside the scan result, and merge it into the built-in detector list.
Conventions
- key must be globally unique across your tenant. internal-*, vendor-*, and team-* are good prefixes.
- packages matches against package manifests; imports matches against actual import statements in your source.
- riskClass is one of minimal, limited, high, or unacceptable; it is only relevant for isAi: true detectors.
- dataCategoriesByDefault lets the generator pre-fill data flows for this detector. Reviewers can still override per system.
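A local pre-commit check for these conventions, as an added example that is not part of @attestly/sdk or Attestly's own code. The DetectorDef type and the lintDetectors and matchSpecifiers functions are hypothetical names, and the example assumes each imports pattern is tested against the module specifier of an import statement.

```typescript
// Added example: a local pre-commit check. It does not use @attestly/sdk.
type RiskClass = "minimal" | "limited" | "high" | "unacceptable";

interface DetectorDef { // hypothetical subset of the fields shown on this page
  key: string;
  isAi?: boolean;
  riskClass?: RiskClass;
  imports?: RegExp[];
}

// Constructed sample mirroring the two detectors defined on this page.
const detectors: DetectorDef[] = [
  { key: "internal-billing", isAi: false, imports: [/^@yourcompany\/billing/] },
  { key: "internal-ml-ranker", isAi: true, riskClass: "minimal", imports: [/^@yourcompany\/ml\/rank/] },
];

// Flags duplicate keys and a riskClass on a detector that is not isAi: true.
function lintDetectors(defs: DetectorDef[]): string[] {
  const problems: string[] = [];
  const seen: string[] = [];
  for (const d of defs) {
    if (seen.indexOf(d.key) !== -1) problems.push(d.key + ": duplicate key");
    seen.push(d.key);
    if (d.riskClass !== undefined && d.isAi !== true) {
      problems.push(d.key + ": riskClass is only relevant when isAi is true");
    }
  }
  return problems;
}

// Assumption: each pattern is tested against the module specifier of an import.
// Returns, per specifier, the keys of every detector whose pattern matches.
function matchSpecifiers(defs: DetectorDef[], specifiers: string[]): Record<string, string[]> {
  const hits: Record<string, string[]> = {};
  for (const spec of specifiers) {
    hits[spec] = defs
      .filter((d) => (d.imports || []).some((re) => {
        re.lastIndex = 0; // a /g or /y pattern keeps state between test() calls
        return re.test(spec);
      }))
      .map((d) => d.key);
  }
  return hits;
}

// Constructed specifiers: one intended match, one prefix match, one miss.
console.log(lintDetectors(detectors));
console.log(matchSpecifiers(detectors, ["@yourcompany/billing", "@yourcompany/billing-legacy/client", "@yourcompany/ml/embed"]));
```

The constructed specifier @yourcompany/billing-legacy/client is attributed to internal-billing because the pattern is anchored only at the start; an import that maps to no detector, such as @yourcompany/ml/embed here, would go unreported.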
Disabling a built-in detector
Sometimes a built-in detector misfires (e.g. you imported stripe for type
definitions only). Disable it in the same file:
import { defineDetectors } from "@attestly/sdk";

export default defineDetectors([
  // Turns off the built-in detector with this key.
  { key: "stripe", disabled: true },
]);
Disabled detectors still appear in the audit log, with a reason code, so a future auditor can see what was hidden and why.