Setting the baseUrl is required for all notifications, the Jira plugin, and SCM integrations.

NEW IN RELEASE 138 baseUrl is now set via the configuration REST API.


The IQ Server is an application exposed using a Dropwizard server. The main configuration file for the IQ Server installation is a YAML formatted file called config.yml. By default, config.yml is located in the IQ server installation directory, i.e. the same folder that contains the IQ Server .jar file.

There are some configuration options that can only be changed from inside config.yml. Most other options are found in the System Preferences section of the IQ Server browser UI, which you can access by clicking on the System Preferences icon located in the top right of the IQ Server header (sytem preferences cogwheel).


There are some considerations for editing config.yml.

  • TAB characters are not supported. Use space characters only for indenting. We strongly recommend using a text editor that will display any TAB characters inserted into the file.
  • The YAML (.yml) structure is tree-like. Indents define structure hierarchy and are relevant to proper parsing of the file.
  • Indented lines are considered child options of the first un-commented outdented line preceding them.
  • Comments begin with the # character. Commented lines are ignored.


If the config.yml file is not properly formatted, then IQ Server will not start. If you suspect that a badly formatted config.yml is the root cause, then open a terminal, navigate to the installation directory, and attempt to start the server with the demo.bat or ./ commands.

Below is an example error from a Windows machine.

ERROR [2022-03-01 11:08:48,052] com.sonatype.insight.brain.service.InsightBrainService: Fatal error trying to start server
! org.yaml.snakeyaml.scanner.ScannerException: while scanning for the next token
! found character '\t(TAB)' that cannot start any token. (Do not use \t(TAB) for indentation)
!  in 'reader', line 21, column 1:

If you're unable to reformat the config.yml to correct the issue:

  1. Remove the config.yml file from your installation directory and save it somewhere locally. You may consider renaming it.
  2. Visit our Downloads page and download the latest IQ .zip or .tar.gz.
  3. Open the package and locate the config.yml file.
  4. Move the config.yml file from the package into your installation directory.
  5. Diff your previous config.yml file to the new one and update any default options you've changed.

This process will reset any changes you've made to config.yml. Save your original config.yml and diff with the new file to ensure that your options carry over.

See the Advanced Server Configuration for Java Overrides and configuration with Environment Variables


The config.yml is annotated inline with the default configuration.  Below are the latest base settings.

sonatypeWork ./sonatype-work/clm-serverDirectory for data files.No
licenseFile./license.licPath to a license file to automatically install if unlicensed.No
baseUrl nullBase URL of the IQ Server for user-facing links back to the server.  Required for Email, SCM, and Jira integrations.

NEW IN RELEASE 138 Yes - now set via the configuration REST API

forceBaseUrlfalseWhether or not certain redirects and services are forced to use the configured baseUrl.

NEW IN RELEASE 138 Yes - now set via the configuration REST API

policyMonitoringHour0Hour of the day (0-23) to schedule Policy Monitoring execution. The default is midnight.

NEW IN RELEASE 142 Yes - now set via the configuration REST API

csrfProtectiontrueEnables/disables cross-site request forgery protection. Defaults to true for increased security.

NEW IN RELEASE 142 Yes - now set via the configuration REST API

userAgentSuffix"example fragment"A custom fragment to add to the "user-agent" for HTTP calls

NEW IN RELEASE 142 Yes - now set via the configuration REST API

webhookSecretPassphrase"^d1swM!FF&qQ"The passphrase used to encrypt the Webhook Secret Keys

NEW IN RELEASE 142 Yes - now set via the configuration REST API


Configures the number of threads used for the EventBus.

The EventBus is used to asynchronously post various events (e.g. policy evaluation, entity management, license/security vulnerability overrides, etc). These events can then be consumed by various services (e.g. webhooks, source control, etc).

NEW IN RELEASE 142 Yes - now set via the configuration REST API

via the new name eventBus.maxThreadPoolSize

createSampleDatatrueSample data is created for new installs.No