What is the configuration precedence for Panther Analysis Tool (PAT) and will .panther_settings.yml override options passed via the command line?

Last updated: April 6, 2026

QUESTION

What is the order of precedence for PAT configuration sources? If I add a setting like auto_disable_base: true to my .panther_settings.yml file, will it override the flags I'm passing directly in my CI/CD pipeline commands?

ANSWER

PAT resolves configuration in the following order of precedence, from highest to lowest:

  1. Values passed directly on the command line (e.g. --debug, --batch, --skip-tests)

  2. Environment variables, any PAT option can be set via an env var by prefixing it with PANTHER_ (e.g. PANTHER_API_TOKEN, PANTHER_API_HOST)

  3. Configuration file .panther_settings.yml in your working directory

For more details, see Panther's documentation on PAT environment variables and the PAT configuration file. For context on auto_disable_base, see Automatically disabling base detections in the CLI workflow.