Introduction¶
Configure the GraphQL DAST.
Example¶
Here is an example configuration:
```yaml
---
argument_generation:
  max_generated_depth: 5
  skip_generating_unspecified_enum_values: false
exploration_scope:
  - dev.escape.tech
  - staging.escape.tech
graphql_api_dast:
  blocklist:
    mutation: []
    query: []
  ff_request_sender_next: false
  hotstart: []
  hotstart_only: false
  location_id: ''
  max_duration: 120
  max_generated_depth: 5
  mode: read_write
  no_operation_name: false
  profile: default
  schema_s3_key: ''
inference:
  null_is_unauthenticated: true
  scalars:
    my_custom_scalar:
      description: API keys internal to my organization. Should not be committed or exposed to the internet.
      examples:
        - org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP
      ignored_names: []
      ignored_pattern: null
      is_sourceable: true
      names:
        - org_key
        - organization_key
      parents: []
      pattern: ^org_[A-Z]{32}$
      raise_on_commit: true
      raise_on_exposure: true
      sensitivity: HIGH
      strategy: key_or_value
network:
  cancel_unhealthy_scan_after: 120
  custom_headers:
    my-header:
      - value1
      - value2
    x-scanned-by:
      - escape.tech
  escape_user: true
  request_timeout_s: 2
  requests_per_second: 1000
```
Configuration reference¶
Fields¶
ArgumentGenerationConfig¶
Configure how Escape will generate arguments.
max_generated_depth¶
Type : integer
The maximum depth of the generated arguments.
If your API has a very deep structure, you can increase this value to generate more arguments, at the cost of a slower scan.
If you have a very large schema, you may want to decrease this value to reduce the number of generated arguments.
skip_generating_unspecified_enum_values¶
Type : boolean
If true, the generator will skip generating enum values that are not explicitly specified.
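As an added illustration, not Escape's own generator, the Python below models how max_generated_depth bounds argument generation for a self-referencing input type. The input types, the enum and the placeholder scalar values are constructed for the demo, the depth-counting convention is an assumption, and skip_generating_unspecified_enum_values is not modelled.

```python
# Constructed mini schema of GraphQL input types: field name -> type name.
# OrgFilter refers to itself twice, so only the depth bound stops the recursion.
INPUT_TYPES = {
    "UserFilter": {"name": "String", "age": "Int", "org": "OrgFilter", "role": "Role"},
    "OrgFilter": {"name": "String", "parent": "OrgFilter", "children": "[OrgFilter]", "ids": "[ID]"},
}
ENUMS = {"Role": ["ADMIN", "USER"]}
# Placeholder values used for built-in scalars (constructed for the demo).
SCALAR_SAMPLES = {"String": "example", "Int": 1, "Float": 1.0, "Boolean": True, "ID": "1"}


def generate_argument(type_name, config, depth=0):
    """Generate one sample value for `type_name`, descending at most
    config["max_generated_depth"] levels into nested input objects.
    Returns None where the depth budget is exhausted; the caller drops such
    fields so the generated value stays valid GraphQL input."""
    if type_name.startswith("[") and type_name.endswith("]"):   # list type: one element
        inner = generate_argument(type_name[1:-1], config, depth)
        return None if inner is None else [inner]
    if type_name in SCALAR_SAMPLES:
        return SCALAR_SAMPLES[type_name]
    if type_name in ENUMS:
        return ENUMS[type_name][0]
    if depth >= config["max_generated_depth"]:                  # assumed convention: root object is depth 0
        return None
    obj = {}
    for field, field_type in INPUT_TYPES[type_name].items():
        value = generate_argument(field_type, config, depth + 1)
        if value is not None:
            obj[field] = value
    return obj


def count_leaves(value):
    """Number of leaf values in a generated argument: a proxy for how much
    each extra level of depth costs the scan."""
    if value is None:
        return 0
    if isinstance(value, dict):
        return sum(count_leaves(v) for v in value.values())
    if isinstance(value, list):
        return sum(count_leaves(v) for v in value)
    return 1


def leaves_per_depth(type_name, depths):
    """Leaf count of the generated argument for each depth budget."""
    return {d: count_leaves(generate_argument(type_name, {"max_generated_depth": d})) for d in depths}


if __name__ == "__main__":
    for depth, leaves in leaves_per_depth("UserFilter", [1, 2, 3, 5]).items():
        print(f"max_generated_depth={depth}: {leaves} leaf values per generated argument")
```

On this schema the leaf count grows from 3 at depth 1 to 33 at depth 5, because every extra level doubles the OrgFilter subtree; that is the trade-off between coverage and scan time the text describes.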
CustomScalarConfig¶
description¶
Type : string
The description of the scalar.
examples¶
Type : List[string]*
Sample values for the scalar (used in the explore phase as default values).
ignored_names¶
Type : List[string]*
Names to ignore for the scalar.
ignored_pattern¶
Type : string
Regex of values to ignore for the scalar.
is_sourceable¶
Type : boolean
Use this scalar in the Agentic Exploration of the API.
If true, values of this scalar will be reinjected during the Agentic Exploration of the API.
names¶
Type : List[string]*
Possible names for the scalar.
parents¶
Type : List[ScalarParent]*
Root types the scalar is compatible with.
pattern¶
Type : string
Regex matched against values to detect the scalar.
Anchor it (as in the example above, ^org_[A-Z]{32}$) so that it does not match substrings of unrelated values.
raise_on_commit¶
Type : boolean
Mark this scalar as non-committable.
If Escape finds this scalar in a git repository, an issue will be raised.
raise_on_exposure¶
Type : boolean
Mark this scalar as non-exposable.
If Escape finds this scalar in any HTTP request, an issue will be raised.
sensitivity¶
Type : ScalarSensitivity
Data sensitivity level.
Values MEDIUM and HIGH raise Sensitive Data issues in Escape.
strategy¶
Type : MatchingStrategy
The detection strategy.
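A custom scalar whose pattern does not match its own examples, or whose strategy needs names it does not have, silently detects nothing. The Python below is an added pre-flight check for an inference.scalars block, not Escape's code: it re-implements none of the detection, only validates the configuration. The scalar entry is a constructed copy of my_custom_scalar from the example above; the enum value sets are copied from the reference below; and it assumes, from the strategy names, that key_* strategies match on `names` and value_* strategies on `pattern`.

```python
import re

# Enum values as listed in the configuration reference.
MATCHING_STRATEGIES = {"key", "key_strict", "value", "value_strict", "key_or_value",
                       "key_or_value_strict", "key_strict_or_value", "key_and_value_strict"}
SCALAR_PARENTS = {"String", "Int", "Float", "Boolean"}
SENSITIVITIES = {"NONE", "LOW", "MEDIUM", "HIGH"}

# Constructed copy of inference.scalars.my_custom_scalar from the example configuration.
SCALARS = {
    "my_custom_scalar": {
        "description": "API keys internal to my organization.",
        "examples": ["org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP"],
        "ignored_names": [],
        "ignored_pattern": None,
        "is_sourceable": True,
        "names": ["org_key", "organization_key"],
        "parents": [],
        "pattern": r"^org_[A-Z]{32}$",
        "raise_on_commit": True,
        "raise_on_exposure": True,
        "sensitivity": "HIGH",
        "strategy": "key_or_value",
    }
}


def _compile(regex, problems, what):
    """Compile an optional regex, recording a problem instead of raising."""
    if not regex:
        return None
    try:
        return re.compile(regex)
    except re.error as exc:
        problems.append(f"{what} does not compile: {exc}")
        return None


def lint_scalar(cfg):
    """Return the list of problems found in one CustomScalarConfig entry (empty means clean)."""
    problems = []
    strategy = cfg.get("strategy", "")
    if strategy not in MATCHING_STRATEGIES:
        problems.append(f"strategy {strategy!r} is not a MatchingStrategy value")
    if cfg.get("sensitivity") not in SENSITIVITIES:
        problems.append(f"sensitivity {cfg.get('sensitivity')!r} is not a ScalarSensitivity value")
    for parent in cfg.get("parents", []):
        if parent not in SCALAR_PARENTS:
            problems.append(f"parent {parent!r} is not a ScalarParent value")

    names, ignored = set(cfg.get("names", [])), set(cfg.get("ignored_names", []))
    if names & ignored:
        problems.append("names and ignored_names overlap: " + ", ".join(sorted(names & ignored)))
    # Assumption: key_* strategies need `names`, value_* strategies need `pattern`.
    if "key" in strategy and not names:
        problems.append(f"strategy {strategy} matches on keys but names is empty")
    if "value" in strategy and not cfg.get("pattern"):
        problems.append(f"strategy {strategy} matches on values but pattern is empty")

    pattern = _compile(cfg.get("pattern"), problems, "pattern")
    ignored_pattern = _compile(cfg.get("ignored_pattern"), problems, "ignored_pattern")
    if pattern and pattern.search(""):
        problems.append("pattern matches the empty string, so it would match every value")
    examples = cfg.get("examples", [])
    if not examples:
        problems.append("examples is empty: nothing to inject during the explore phase")
    for example in examples:
        if pattern and not pattern.search(example):       # search() honours the user's own anchors
            problems.append(f"example {example!r} does not match pattern")
        if ignored_pattern and ignored_pattern.search(example):
            problems.append(f"example {example!r} is excluded by ignored_pattern")
    return problems


def lint_scalars(scalars):
    """Lint every entry of inference.scalars; returns {scalar name: problems} for the dirty ones."""
    report = {name: lint_scalar(cfg) for name, cfg in scalars.items()}
    return {name: probs for name, probs in report.items() if probs}


if __name__ == "__main__":
    print(lint_scalars(SCALARS) or "all scalars are consistent")
```

Run it against the real configuration before committing it; a scalar that fails the example check is exactly the one whose secrets would neither be flagged on exposure nor reinjected during exploration.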
GraphQLApiDASTConfig¶
Configure the GraphQL DAST.
blocklist¶
Type : GraphQLBlocklist*
Operations the scan must never send (see GraphQLBlocklist below).
ff_request_sender_next¶
Type : boolean
If true, the scan will use the new request sender (work in progress).
hotstart¶
Type : List[string]*
List of GraphQL queries to use as a starting point for the scan.
hotstart_only¶
Type : boolean
If true, the scan will only use the hotstart queries.
location_id¶
Type : string
max_duration¶
Type : integer
The maximum time in minutes that the scan will run for before stopping.
Defaults to 120 (2 hours).
max_generated_depth¶
Type : integer
The maximum depth of the generated GraphQL queries.
mode¶
Type : ScanMode
The chosen mode for the scan.
The default mode is read_write and is suited to development environments. The read_only mode is safe for production environments, but reduces the number of tests performed and the scan coverage.
In read_write mode the scan sends mutations, so do not point it at a production environment or at data you cannot restore.
no_operation_name¶
Type : boolean
Disable the "operationName" field in the generated GraphQL queries.
In the GraphQL specification, operationName is a field that can be sent alongside the query field to identify the operation to execute. This parameter lets you disable this field if your API does not support it.
profile¶
Type : ScanProfile
The scan profile.
schema_s3_key¶
Type : string
GraphQLBlocklist¶
mutation¶
Type : List[string]*
List of GraphQL mutations to block.
query¶
Type : List[string]*
List of GraphQL queries to block.
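The Python below is an added example, not Escape's request sender: it shows what a hotstart document looks like on the wire and how the blocklist, mode and no_operation_name settings interact with it. The graphql_api_dast block and the operation names (deleteUser, resetDatabase, exportAllUsers, createUser) are constructed for the demo. Two semantics are assumptions: blocklist entries are matched against the root fields of an operation rather than its operationName, and read_only mode sends no mutations.

```python
import json
import re

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Operation header: optional keyword, optional name, optional variable definitions, then "{".
_HEADER = re.compile(
    r"^\s*(?:(query|mutation|subscription)\b)?\s*([A-Za-z_][A-Za-z0-9_]*)?\s*(?:\([^)]*\))?\s*\{"
)

# Constructed graphql_api_dast block; the operation and field names are hypothetical.
DAST_CONFIG = {
    "mode": "read_write",
    "no_operation_name": False,
    "blocklist": {"mutation": ["deleteUser", "resetDatabase"], "query": ["exportAllUsers"]},
    "hotstart": [
        "query Me { me { id email } }",
        "{ u: users(first: 10) { id } }",
        "mutation Wipe($confirm: Boolean!) { resetDatabase(confirm: $confirm) { ok } }",
        'mutation Sneaky { createUser(input: {name: "x"}) { id } deleteUser(id: "1") { ok } }',
    ],
}


def parse_operation(document):
    """Return (operation type, operation name or None, root field names) for one
    GraphQL document. Root fields are every field selected at depth 1 of the
    operation, resolved through aliases, so "u: users { ... }" yields "users"."""
    m = _HEADER.match(document)
    if not m:
        raise ValueError("not a single GraphQL operation")
    op_type, op_name = m.group(1) or "query", m.group(2)
    body, n = document[m.end():], len(document) - m.end()
    i, depth, paren, fields = 0, 1, 0, []
    while i < n and depth > 0:
        c = body[i]
        if c == '"':                                  # string literal: skip it, honouring \" escapes
            i += 1
            while i < n and body[i] != '"':
                i += 2 if body[i] == "\\" else 1
            i += 1
        elif c == "#":                                # comment runs to end of line
            while i < n and body[i] != "\n":
                i += 1
        elif c in "{}()":                             # track selection-set and argument nesting
            depth += {"{": 1, "}": -1}.get(c, 0)
            paren += {"(": 1, ")": -1}.get(c, 0)
            i += 1
        elif c == "@":                                # directive: skip its name
            m2 = _IDENT.match(body, i + 1)
            i = m2.end() if m2 else i + 1
        elif body.startswith("...", i):
            if depth == 1 and paren == 0:
                # A spread at the root could pull in a blocked field: fail closed.
                raise ValueError("fragment spread in the root selection set is not supported")
            i += 3
        else:
            m2 = _IDENT.match(body, i)
            if not m2:                                # whitespace, punctuation, numbers, $variables
                i += 1
                continue
            name, i = m2.group(0), m2.end()
            if depth == 1 and paren == 0:             # a root field (or an alias for one)
                j = i
                while j < n and body[j].isspace():
                    j += 1
                if j < n and body[j] == ":":          # alias: the real field follows the colon
                    j += 1
                    while j < n and body[j].isspace():
                        j += 1
                    m3 = _IDENT.match(body, j)
                    if not m3:
                        raise ValueError("malformed alias")
                    name, i = m3.group(0), m3.end()
                fields.append(name)
    if depth != 0:
        raise ValueError("unbalanced selection set")
    return op_type, op_name, fields


def plan_request(document, dast, variables=None):
    """Decide whether one hotstart document may be sent under `dast` (a graphql_api_dast
    block) and build the JSON body for the POST. Returns (body, reason); body is None
    when the request is withheld."""
    op_type, op_name, roots = parse_operation(document)
    if op_type == "mutation" and dast.get("mode") == "read_only":   # assumed read_only semantics
        return None, "read_only mode: mutations are not sent"
    key = "mutation" if op_type == "mutation" else "query"           # subscriptions read, so use the query list
    blocked = set(dast.get("blocklist", {}).get(key, []))
    hits = [f for f in roots if f in blocked]
    if hits:                                                         # one blocked field withholds the whole document
        return None, "blocklisted root field(s): " + ", ".join(hits)
    body = {"query": document, "variables": variables or {}}
    if op_name and not dast.get("no_operation_name", False):
        body["operationName"] = op_name
    return body, "ok"


def plan_hotstart(dast):
    """Run plan_request over every hotstart document: list of (document, body, reason)."""
    return [(doc,) + plan_request(doc, dast) for doc in dast.get("hotstart", [])]


if __name__ == "__main__":
    for doc, body, reason in plan_hotstart(DAST_CONFIG):
        print(reason, "->", json.dumps(body) if body else doc)
```

The Sneaky document is the case worth noting: one operation can select several root fields, so a blocklist check that looks only at the first field or at operationName would let deleteUser through. Fragment spreads at the root are refused rather than guessed at for the same reason.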
InferenceConfig¶
Inference configures how Escape will detect secrets exposed by the API or in files.
The inference is also used to reinject IDs in the DAST scanners.
null_is_unauthenticated¶
Type : boolean
Consider empty API responses as unauthenticated.
To improve error inference, if your API always returns a response but without data when the user is unauthenticated, set this to true.
scalars¶
Type : Dict[string, CustomScalarConfig]
User-defined scalars, keyed by scalar name.
NetworkConfig¶
cancel_unhealthy_scan_after¶
Type : integer
The maximum time in seconds to wait for the scan to be healthy before cancelling it.
custom_headers¶
Type : Dict[string, List[string]]
Custom headers to add to the requests. Each header name maps to a list of values.
escape_user¶
Type : boolean
Add the X-Escape-User header to the requests.
request_timeout_s¶
Type : integer
The timeout for each request, in seconds.
requests_per_second¶
Type : integer
The maximum number of requests per second.
Lower this value for production or rate-limited targets; the example above uses 1000, which is suited to a dedicated test environment.
Enums¶
MatchingStrategy¶
| Value |
|---|
| key |
| key_strict |
| value |
| value_strict |
| key_or_value |
| key_or_value_strict |
| key_strict_or_value |
| key_and_value_strict |

ScalarParent¶
| Value |
|---|
| String |
| Int |
| Float |
| Boolean |

ScalarSensitivity¶
| Value |
|---|
| NONE |
| LOW |
| MEDIUM |
| HIGH |

ScanMode¶
| Value |
|---|
| read_only |
| read_write |

ScanProfile¶
| Value |
|---|
| surface |
| cicd |
| default |
| deep |
| unrestricted |