| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| api_type | ApiType | null | |
| blocklist | BlockListParams | null | The operations that will be skipped by security tests. See more in the dedicated documentation section. |
| force_full_scan | boolean | null | Performs a full scan without listening to your API's health and timeouts. It may degrade the quality of your results but ensures that all your operations are checked. |
| frontend_allowed_url_patterns | List[string] | null | The list of URL patterns to allow for the frontend scan. This is a list of regexes used to filter the URLs that are allowed to be visited. If not set, all URLs are allowed, as long as their domain exactly matches one of the frontend_in_scope_domains. For example, if frontend_in_scope_domains is ["app.escape.tech"], test.app.escape.tech and escape.tech will not be allowed. |
| frontend_blocklisted_element_selectors | List[string] | null | The list of element selectors to block interactions with during the frontend scan, for things like logout, lock buttons, help, chat, etc. |
| frontend_crawling_only | boolean | | If true, only frontend crawling will be performed, while still running security checks on API traffic (see frontend_send_api_traffic_to_checks to disable this). |
| frontend_escape_user_header | boolean | false | If true, the frontend scan will add the x-escape-user header to its requests. |
| frontend_in_scope_domains | List[string] | null | Used by API traffic extraction during frontend scans. Includes the frontend domain by default. If not set, the organization's domains are added automatically to cover wider API traffic. Set it to "self" to allow the current frontend domain only. |
| frontend_integrated_authentication | boolean | | If true, frontend scans will authenticate directly through the engine. Recommended for frontend scans. This helps with complex authentication that does not rely purely on cookies or local/session storage, where the browser context cannot be copied. |
| frontend_max_fragments_visits | integer | null | The maximum number of visits to a page with the same fragment. |
| frontend_max_parameter_occurrence | integer | null | The maximum number of occurrences of a parameter in a URL. |
| frontend_max_query_params_visits | integer | null | The maximum number of visits to a page with the same query parameters. |
| frontend_parallel_workers | integer | 3 | The number of parallel workers to use for frontend scans. Maximum is 5, default is 3. Lower this if you encounter stability issues. |
| frontend_prefetch_sitemap | boolean | true | If true, the frontend scan will prefetch any available sitemaps (robots.txt, sitemap.xml, etc.) and use them as a seed for the crawler. |
| frontend_security_checks_enabled * | List[FrontendSecurityChecksTypes] | | The list of security checks to enable for the frontend scan. You can mix and match depending on your needs (speed, coverage, etc.). API checks: check the API traffic for security issues, just like API DAST scans, using your web application's traffic without a specification; you can further restrict which APIs are checked with frontend_in_scope_domains. Active page checks: security checks on inputs, URL parameters, etc., by fuzzing them. Passive page checks: security checks on the DOM and browser storage. Network checks: security checks based on all requests and responses, including loaded JavaScript and other resources. By default, all checks are enabled. |
| frontend_single_page_worker | boolean | | If true, frontend scans will be performed in a single page worker. |
| frontend_use_persistence | boolean | true | If true, the frontend scan will use persistence to load URLs discovered in previous scans, to improve crawling stability. |
| frontend_user_agent | string | null | The user agent to use for frontend scans. |
| hotstart | List[string] | null | Depending on your scan type (frontend or API): a list of URLs to visit, or raw queries (GraphQL, cURL, or raw HTTP) to hotstart the API exploration. |
| hotstart_only | boolean | null | If true, the scan will only perform the hotstart phase and stop afterwards. |
| max_duration | integer | null | The maximum time in minutes that the scan will run for before stopping. Defaults to 2 hours for frontend scans. |
| null_is_unauthenticated | boolean | null | To improve error inference, on some scans a null answer is treated as implying that the request should have been authenticated. |
| profile | ScanProfile | default | The scan profile. |
| read_only | boolean | null | The chosen mode for the tested API. The default mode is read-write and suited to development environments. The read_only mode is safe for production environments, but reduces the number of tests performed and the scan coverage. |
| scalars | Dict[CustomScalarParams] | null | The user's defined scalars. |
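The scoping parameters above (frontend_in_scope_domains with its exact-host rule and "self" shorthand, frontend_allowed_url_patterns as a regex filter, and the stated bound on frontend_parallel_workers) are easy to get wrong in a scan configuration, so the following Python is an added illustration of how those rules behave. It is a reconstruction from the table's wording, not Escape's implementation: the helper names, the use of `re.search` for pattern matching, and the hypothetical config dict are assumptions, and the organization-domain defaulting mentioned for an unset frontend_in_scope_domains is deliberately not modeled.

```python
import re
from urllib.parse import urlparse

# Documented maximum for frontend_parallel_workers.
MAX_PARALLEL_WORKERS = 5


def resolve_in_scope_domains(frontend_url, in_scope_domains):
    """Expand the documented "self" shorthand and always include the frontend host.

    Assumption: in_scope_domains is either the string "self" or an explicit list
    of hosts. The organization-domain default for an unset value is not modeled.
    """
    self_host = urlparse(frontend_url).hostname
    if in_scope_domains == "self":
        return {self_host}
    return {self_host, *in_scope_domains}


def url_in_scope(url, frontend_url, in_scope_domains, allowed_url_patterns=None):
    """Return True if the crawler may visit `url` under the documented rules.

    - The URL's host must exactly equal one of the in-scope domains, so for
      ["app.escape.tech"] both test.app.escape.tech and escape.tech are rejected
      (subdomains and parent domains are not implied).
    - If frontend_allowed_url_patterns is set, the URL must also match at least
      one of those regexes (assumption: matched anywhere in the URL via re.search).
    """
    host = urlparse(url).hostname
    if host is None or host not in resolve_in_scope_domains(frontend_url, in_scope_domains):
        return False
    if allowed_url_patterns:
        return any(re.search(pattern, url) for pattern in allowed_url_patterns)
    return True


def validate_frontend_config(config):
    """Check the constraints the table states and return a list of error strings."""
    errors = []

    workers = config.get("frontend_parallel_workers", 3)
    if isinstance(workers, bool) or not isinstance(workers, int) or not 1 <= workers <= MAX_PARALLEL_WORKERS:
        errors.append(
            f"frontend_parallel_workers must be an integer in 1..{MAX_PARALLEL_WORKERS}, got {workers!r}"
        )

    # Every allowed URL pattern is documented as a regex; reject ones that do not compile.
    for pattern in config.get("frontend_allowed_url_patterns") or []:
        try:
            re.compile(pattern)
        except re.error as exc:
            errors.append(f"frontend_allowed_url_patterns: invalid regex {pattern!r}: {exc}")

    # Visit limits and max_duration are counts/minutes: positive integers when set.
    for key in ("frontend_max_fragments_visits", "frontend_max_query_params_visits",
                "frontend_max_parameter_occurrence", "max_duration"):
        value = config.get(key)
        if value is not None and (isinstance(value, bool) or not isinstance(value, int) or value <= 0):
            errors.append(f"{key} must be a positive integer, got {value!r}")

    return errors


if __name__ == "__main__":
    # Constructed sample configuration (hypothetical values, not from any real scan).
    config = {
        "frontend_in_scope_domains": ["app.escape.tech"],
        "frontend_allowed_url_patterns": [r"^https://app\.escape\.tech/(dashboard|settings)"],
        "frontend_parallel_workers": 3,
        "max_duration": 120,
    }
    print("config errors:", validate_frontend_config(config))
    for candidate in ("https://app.escape.tech/settings/profile",
                      "https://app.escape.tech/admin",
                      "https://test.app.escape.tech/settings",
                      "https://escape.tech/settings"):
        print(candidate, "->", url_in_scope(candidate, "https://app.escape.tech",
                                             config["frontend_in_scope_domains"],
                                             config["frontend_allowed_url_patterns"]))
```

The exact-host rule is the point most worth internalizing: listing a parent domain does not bring its subdomains into scope, so an API served from a sibling host such as api.example.com has to be listed explicitly, or its traffic will not be extracted for the API checks.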