Global Configuration¶

Global Configuration is applied universally to all scans (ASM and DAST) across the entire platform. When both Global Configuration and Profile Configuration are defined for a scan, the configurations are merged according to a Profile-override precedence model.

Configuration Merge Behavior¶

When Global Configuration and Profile Configuration contain overlapping keys, the configurations are merged using a deep merge algorithm similar to Terraform's merge() function. The Profile Configuration takes precedence and completely overrides the Global Configuration value for that specific key. Non-overlapping keys from both configurations are preserved in the final merged configuration.

Merge Example:

Global Configuration:

key_a:
  - abc
  - def

key_b: 42

Profile Configuration:

key_a:
  - ghi

key_c: 1337

Resulting Merged Configuration:

key_a:
  - ghi

key_b: 42
key_c: 1337

In this example, key_a is completely replaced by the Profile Configuration value, while key_b is inherited from Global Configuration and key_c is added from Profile Configuration.

ASM Configuration¶

ASM scanners are used to identify assets to add to the Escape Platform.

Alongside discovery, the ASM scanners will also execute surface scanning on the assets to provide a glance of the asset risks.

Example¶

Here is an example configuration:

---
inference:
  null_is_unauthenticated: true
  scalars:
    my_custom_scalar:
      description: API keys internal to my organization. Should not be committed or
        exposed to internet.
      examples:
      - org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP
      ignored_names: []
      ignored_pattern: null
      is_sourceable: true
      names:
      - org_key
      - organization_key
      parents: []
      pattern: ^org_[A-Z]{32}$
      raise_on_commit: true
      raise_on_exposure: true
      sensitivity: HIGH
      strategy: key_or_value
network:
  cancel_unhealthy_scan_after: 120
  custom_headers:
    my-header:
    - value1
    - value2
    x-scanned-by:
    - escape.tech
  escape_user: true
  parallel_requests: 10
  request_timeout_s: 2
  requests_per_second: 1000
  sec_escape_user: true
port_scanning:
  ports:
  - 80
  - 443
  - 22
  - 8080
service_discovery:
  base_urls_delimiters:
  - ^.*/api/v1/
  - ^.*/api/v2/
  base_urls_wordlist:
  - https://api.example.com
  blocklisted_domains: []
  endpoints_wordlist:
  - /
  - /users
  - /user
  - /{$}
  - /login
  - /{$}:cancel
  - /products
  - /events
  - /users/{$}
  - /search
  - /orders
  - /{$}:getIamPolicy
  - /{$}:setIamPolicy
  - /{$}:testIamPermissions
  - /accounts
  - /v1beta1/{$}
  - /me
  - /groups
  - /tags/{$}
  - /{$}/operations
  - /tags/{$}#tagKeys
  - /projects
  - /{$}/locations
  - /categories
  - /logout
  - /register
  - /account
  - /health
  - /status
  - /user/login
  - /auth
  - /webhooks
  - /token
  - /tags
  - /ping
  - /jobs
  - /subscriptions
  - /applications
  - /playlist
  - /notifications
  - /customers
  - /transactions
  - /contacts
  - /playlist/{$}
  - /devices
  - /locations
  - /organizations
  - /v1beta1/{$}:getIamPolicy
  - /v1beta1/{$}:setIamPolicy
  - /v1beta1/{$}:testIamPermissions
  - /oauth/token
  - /product
  - /order
  - /{$}/Player/{$}
  - /{$}/Players
  - /user/logout
  - /version
  - /info
  - /channels
  - /languages
  - /countries
  - /v1beta1/{$}:cancel
  - /playlist/{$}/image
  - /payments
  - /services
  - /documents
  - /roles
  - /{$}/GamesByDate/{$}
  - /profile
  - /v1beta1/{$}/locations
  - /users/me
  - /user/me
  - /v1beta1/{$}/operations
  - /v1beta/{$}
  - /drvlc/certificate
  - /rvcer/certificate
  - /users/login
  - /tasks
  - /teams
  - /reports
  - /files
  - /images
  - /products/{$}
  - /messages
  - /events/{$}
  - /{$}/CurrentSeason
  - /domains
  - /collections
  - /items
  - /config
  - /session
  - /jobs/{$}
  - /{$}/AreAnyGamesInProgress
  - /{$}/TeamSeasonStats/{$}
  - /companies
  - /{$}/DfsSlatesByDate/{$}
  - /{$}/Stadiums
  - /v1alpha1/{$}
  - /history
  - /applications/{$}
  - /clients
  graphql_endpoints_wordlist:
  - ''
  - graphql
  - api/graphql
  - appsync
subdomain_enumeration:
  blocklist:
  - ^.*\.example\.org$

Configuration reference¶

Fields¶

CustomScalarConfig¶

Property	Type	Required	Description
`description`	`string`		The description of the scalar.
`examples`	`List[string]`	*	Sample values for the scalar (used in the explore phase as default values).
`ignored_names`	`List[string]`	*	Names to ignore for the scalar.
`ignored_pattern`	`string`		Regex to ignore for the scalar.
`is_sourceable`	`boolean`		Use this scalar in the Agentic Exploration of the API. If true, the scalar will be reinjected during the Agentic Exploration of the API.
`names`	`List[string]`	*	Possible names for the scalar.
`parents`	`List[`ScalarParent`]`	*	Root type the scalar is compatible with.
`pattern`	`string`		Potential regex-friendly values to match the scalar value.
`raise_on_commit`	`boolean`		Mark this scalar as non-commitable. If escape find this scalar in a git repository, an issue will be raised.
`raise_on_exposure`	`boolean`		Mark this scalar as non-exposable. If escape find this scalar in any HTTP requests, an issue will be raised.
`sensitivity`	ScalarSensitivity		Data sensitivity level. Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape.
`strategy`	MatchingStrategy		The detection strategy.

InferenceConfig¶

Inference configures how escape will detect secrets exposed by the API or in files.

The inference is also used to reinject IDs in the DAST scanners.

Property	Type	Required	Description
`null_is_unauthenticated`	`boolean`		Consider empty API responses as unauthenticated. To improve error inference, if your API always returns a response but without data when the user is unauthenticated, set this to true.
`scalars`	`Dict[`CustomScalarConfig`]`		The user's defined scalars.

NetworkConfig¶

Property	Type	Description
`cancel_unhealthy_scan_after`	`integer`	The maximum time in seconds to wait for the scan to be healthy before canceling it.
`custom_headers`	`Dict[string, List[string]]`	Custom headers to add to the requests.
`escape_user`	`boolean`	Add the X-Escape-User header to the requests. Legacy attribute, keeping it for backward compatibility.
`parallel_requests`	`integer`	The maximum number of parallel requests to send.
`request_timeout_s`	`integer`	The maximum timeout duration for each request (in seconds).
`requests_per_second`	`integer`	The maximum number of request per second (on API level, not crawling level).
`sec_escape_user`	`boolean`	Add the Sec-Escape-User header to the requests. New attribute, used to enable the Sec-Escape-User header for the scan.

PortScannerConfig¶

Configuration for the port scanner.

Property	Type	Required	Description
`ports`	`List[integer]`	*	List of ports to scan. If empty, most common ports will be scanned.

ServiceDiscoveryConfig¶

Configuration for the service discovery.

Property	Type	Required	Description
`base_urls_delimiters`	`List[string]`		List of delimiters to use to split the crawled URLs into services. If you want to customize how Escape splits crawled URLs into services, you can use this list. This is a list of regexes we will be matched against the crawled URLs using a regex match. Then the smallest right part of the match will be used as the endpoint, and the left part as the service.
`base_urls_wordlist`	`List[string]`		Wordlist of base URLs to try to discover services on. Eg. /api/v1/
`blocklisted_domains`	`List[string]`	*	List of regexes to filter out domains from service discovery. If you don't want Escape to explore a specific domain, you can skip it here. Example: `yaml<br>blocklisted_domains:<br> - "auth\.example\.com" # Skip one domain<br> - ".*\.example\.com" # Skip all domains<br> - "auth" # Greedy match: will skip if "auth" is contained in the string<br>`
`endpoints_wordlist`	`List[string]`		Wordlist of endpoints to try to discover services on. Eg. /users/
`graphql_endpoints_wordlist`	`List[string]`		Wordlist of GraphQL endpoints to try to discover services on. If you want to customize how Escape discovers GraphQL services, define a wordlist of endpoints to try. By default, Escape will try most common GraphQL endpoints. If multiples endpoints matches, Escape will retain the first one.

SubdomainEnumerationConfig¶

Property	Type	Required	Description
`blocklist`	`List[string]`	*	List of regexes to filter out subdomains from enumeration. If a subdomain matches one of the regexes, it will not be enumerated. Example: `yaml<br>blocklist:<br> - "^example\.com$" # Skip one domain<br> - "^.*\.example\.org$" # Skip all domains<br> - "auth" # Greedy match: will skip if "auth" is contained in the string<br>`

ASMConfig¶

Property	Type	Required
`inference`	InferenceConfig	*
`network`	NetworkConfig	*
`port_scanning`	PortScannerConfig	*
`service_discovery`	ServiceDiscoveryConfig	*
`subdomain_enumeration`	SubdomainEnumerationConfig	*

Enums¶

MatchingStrategy¶

Value
`key`
`key_strict`
`value`
`value_strict`
`key_or_value`
`key_or_value_strict`
`key_strict_or_value`
`key_and_value_strict`

ScalarParent¶

Value
`String`
`Int`
`Float`
`Boolean`

ScalarSensitivity¶

Value
`NONE`
`LOW`
`MEDIUM`
`HIGH`