Global Configuration
Global Configuration is applied universally to all scans (ASM and DAST) across the entire platform. When both Global Configuration and Profile Configuration are defined for a scan, the configurations are merged according to a Profile-override precedence model.
Configuration Merge Behavior
When Global Configuration and Profile Configuration contain overlapping keys, the configurations are merged using a deep merge algorithm similar to Terraform's merge() function. The Profile Configuration takes precedence and completely overrides the Global Configuration value for that specific key. Non-overlapping keys from both configurations are preserved in the final merged configuration.
Merge Example:
Global Configuration:
Profile Configuration:
Resulting Merged Configuration:
In this example, key_a is completely replaced by the Profile Configuration value, while key_b is inherited from Global Configuration and key_c is added from Profile Configuration.
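The merge rule above, modelled as an added example (this is not Escape's own implementation). It assumes that nested mappings are merged recursively and that any other value, lists included, is replaced wholesale by the profile value; the sample configs are constructed, following the key_a / key_b / key_c pattern.

```python
import copy

# Constructed illustration of the documented merge: profile values override
# global values key by key, non-overlapping keys survive from both sides.
# Not Escape's code; assumption: nested mappings recurse, anything else replaces.
def merge_config(global_cfg: dict, profile_cfg: dict) -> dict:
    """Deep-merge two configuration dicts; profile_cfg wins on conflicting keys."""
    merged = copy.deepcopy(global_cfg)
    for key, profile_value in profile_cfg.items():
        global_value = merged.get(key)
        if isinstance(global_value, dict) and isinstance(profile_value, dict):
            # Both sides are mappings: recurse so sibling keys survive.
            merged[key] = merge_config(global_value, profile_value)
        else:
            # Scalar, list, or type mismatch: the profile value replaces the
            # global value completely (lists are not concatenated).
            merged[key] = copy.deepcopy(profile_value)
    return merged

# Constructed sample configs, modelled on the key_a / key_b / key_c example.
GLOBAL_CFG = {
    "key_a": {"nested": "from-global", "keep": 1},
    "key_b": "global-only",
    "network": {"parallel_requests": 10, "requests_per_second": 1000},
}
PROFILE_CFG = {
    "key_a": "profile-wins",
    "key_c": "profile-only",
    "network": {"parallel_requests": 2},
}

if __name__ == "__main__":
    print(merge_config(GLOBAL_CFG, PROFILE_CFG))
```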
ASM Configuration
Configure the REST API DAST.
Example
Here is an example configuration:

```yaml
---
argument_generation:
  agentic_autofix_preprompt: ''
  max_agentic_autofixes: 10
  max_generated_depth: 5
  skip_generating_unspecified_enum_values: false
  validation_errors_agentic_autofix: false
inference:
  null_is_unauthenticated: true
  scalars:
    my_custom_scalar:
      description: API keys internal to my organization. Should not be committed or
        exposed to internet.
      examples:
      - org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP
      ignored_names: []
      ignored_pattern: null
      is_sourceable: true
      names:
      - org_key
      - organization_key
      parents: []
      pattern: ^org_[A-Z]{32}$
      raise_on_commit: true
      raise_on_exposure: true
      sensitivity: HIGH
      strategy: key_or_value
network:
  cancel_unhealthy_scan_after: 120
  custom_headers:
    my-header:
    - value1
    - value2
    x-scanned-by:
    - escape.tech
  escape_user: true
  parallel_requests: 10
  request_timeout_s: 2
  requests_per_second: 1000
  sec_escape_user: true
rest_api_dast:
  additional_schema_s3_keys: []
  hotstart: []
  hotstart_only: false
  location_id: ''
  max_duration: 120
  mode: read_write
  profile: default
  schema_s3_key: ''
  scope:
    allowlist: []
    blocklist: []
    extend_global_scope: true
scope:
  allowlist: []
  blocklist: []
  use_defaults: true
```
Configuration reference
Fields
ArgumentGenerationConfig
Configure how Escape will generate arguments.
| Property | Type | Required | Description |
|---|---|---|---|
| agentic_autofix_preprompt | string | | A custom preprompt to use for the agentic autofix. |
| max_agentic_autofixes | integer | | The maximum number of agentic autofixes to perform on validation errors. |
| max_generated_depth | integer | | The maximum depth of the generated arguments. If your API has a very deep structure, you can increase this value to generate more arguments, but it will slow down the scan. If you have a very big schema, you may want to decrease this value to reduce the number of generated arguments. |
| skip_generating_unspecified_enum_values | boolean | | If true, the generator will skip generating unspecified enum values. |
| validation_errors_agentic_autofix | boolean | | If true, the argument generator will try to automatically fix validation errors in the arguments by resending queries with the fixed arguments. |
CustomScalarConfig
| Property | Type | Required | Description |
|---|---|---|---|
| description | string | | The description of the scalar. |
| examples | List[string] | * | Sample values for the scalar (used in the explore phase as default values). |
| ignored_names | List[string] | * | Names to ignore for the scalar. |
| ignored_pattern | string | | Regex to ignore for the scalar. |
| is_sourceable | boolean | | Use this scalar in the Agentic Exploration of the API. If true, the scalar will be reinjected during the Agentic Exploration of the API. |
| names | List[string] | * | Possible names for the scalar. |
| parents | List[ScalarParent] | * | Root type the scalar is compatible with. |
| pattern | string | | Regex that values of the scalar must match. |
| raise_on_commit | boolean | | Mark this scalar as non-committable. If Escape finds this scalar in a git repository, an issue will be raised. |
| raise_on_exposure | boolean | | Mark this scalar as non-exposable. If Escape finds this scalar in any HTTP request, an issue will be raised. |
| sensitivity | ScalarSensitivity | | Data sensitivity level. Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape. |
| strategy | MatchingStrategy | | The detection strategy. |
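To show how the `names`, `pattern` and `strategy` fields of a custom scalar work together when a response body is inspected for exposure, here is an added example built on the `my_custom_scalar` definition from the configuration above. It is not Escape's implementation; it assumes the non-strict strategies mean "the key name is in `names`", "the value matches `pattern`", or either, and it does not model the `*_strict` variants. The response body is constructed.

```python
import re

# Constructed model of custom-scalar detection as the table above describes it
# (not Escape's implementation): a key match uses `names` minus `ignored_names`,
# a value match uses `pattern` minus `ignored_pattern`, and `strategy` selects
# which must hold. The *_strict strategies are not modelled here.
MY_CUSTOM_SCALAR = {
    "names": ["org_key", "organization_key"],
    "ignored_names": [],
    "pattern": r"^org_[A-Z]{32}$",
    "ignored_pattern": None,
    "strategy": "key_or_value",
    "raise_on_exposure": True,
}

def key_matches(scalar: dict, key: str) -> bool:
    name = key.lower()
    return name in scalar["names"] and name not in scalar["ignored_names"]

def value_matches(scalar: dict, value) -> bool:
    if not isinstance(value, str) or not scalar["pattern"]:
        return False
    if scalar["ignored_pattern"] and re.search(scalar["ignored_pattern"], value):
        return False
    return re.search(scalar["pattern"], value) is not None

def find_exposures(scalar: dict, body, path: str = "$") -> list:
    """Walk a decoded JSON body; return JSON paths where the scalar is exposed."""
    hits = []
    if isinstance(body, dict):
        for key, value in body.items():
            here = f"{path}.{key}"
            km, vm = key_matches(scalar, key), value_matches(scalar, value)
            hit = {"key": km, "value": vm, "key_or_value": km or vm}[scalar["strategy"]]
            if hit and scalar["raise_on_exposure"]:
                hits.append(here)
            hits.extend(find_exposures(scalar, value, here))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            hits.extend(find_exposures(scalar, item, f"{path}[{i}]"))
    return hits

# Constructed sample HTTP response body (the 32-char values are made up).
SAMPLE_RESPONSE = {
    "organization_key": "org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP",  # key and value match
    "token": "org_" + "Z" * 32,                                  # value only
    "org_key": None,                                             # key only
    "items": [{"name": "safe", "id": 42}],
}
```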
DomainRule
Domain target (e.g., "escape.tech", "*.escape.tech").
| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[domain] | * | |
| value | string | * | |
GlobalScopeConfig
Global scope configuration for controlling what targets scanners can cover.
Targets have different types: dns domains, ips, web_page_url, rest_api_path, rest_api_url, graphql_operation.
The scope configuration uses allowlists and blocklists to precisely define what is in-scope for scanning. This configuration can be set at the global level and optionally extended or overridden by scanner-specific configurations.
Precedence rules:
- Blocklist takes precedence over allowlist (if a target matches both, it's blocked)
- More specific rules take precedence over general rules
- Profile-level scope can extend or override global scope based on the extend_global_scope setting
| Property | Type | Required | Description |
|---|---|---|---|
| allowlist | List[DomainRule,GraphQLOperationRule,IPRule,RestApiEndpointUrlRule,RestApiPathRule,WebPageElementSelectorRule,WebPageUrlRule] | * | List of rules defining assets and targets that are allowed to be scanned. If empty, all targets are allowed (subject to blocklist), depending on the use_defaults setting. If use_defaults is True, setting anything manually in this list will extend the scope configuration with your ASM scope configuration. Targets must match at least one allowlist rule to be in scope. |
| blocklist | List[DomainRule,GraphQLOperationRule,IPRule,RestApiEndpointUrlRule,RestApiPathRule,WebPageElementSelectorRule,WebPageUrlRule] | * | List of rules defining assets and targets that should NOT be scanned. If use_defaults is True, setting anything manually in this list will extend the scope configuration with your ASM scope configuration. Blocklist rules take precedence over allowlist rules. |
| use_defaults | boolean | | Whether to auto-inject your scope configuration, for in-scope and out-of-scope assets. This enables you to configure your ASM scope configuration once and have it automatically injected into all scanners, ensuring that an out-of-scope asset (domain, ip, etc.) will not be scanned. This also ensures that in-scope assets will be automatically tested for vulnerabilities, enhancing coverage and discovery. |
GraphQLOperationRule
GraphQL operation target (e.g., "query.users", "mutation.createUser").
| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[graphql_operation] | * | |
| value | string | * | |
IPRule
IP address target (e.g., "192.168.1.1", "10.0.0.0/24").
| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[ip] | * | |
| value | string | * | |
InferenceConfig
Inference configures how Escape detects secrets exposed by the API or in files.
The inference is also used to reinject IDs in the DAST scanners.
| Property | Type | Required | Description |
|---|---|---|---|
| null_is_unauthenticated | boolean | | Consider empty API responses as unauthenticated. To improve error inference, if your API always returns a response but without data when the user is unauthenticated, set this to true. |
| scalars | Dict[CustomScalarConfig] | | The user-defined scalars. |
NetworkConfig
| Property | Type | Required | Description |
|---|---|---|---|
| cancel_unhealthy_scan_after | integer | | The maximum time in seconds to wait for the scan to be healthy before canceling it. |
| custom_headers | Dict[string, List[string]] | | Custom headers to add to the requests. |
| escape_user | boolean | | Add the X-Escape-User header to the requests. Legacy attribute, kept for backward compatibility. |
| parallel_requests | integer | | The maximum number of parallel requests to send. |
| request_timeout_s | integer | | The maximum timeout duration for each request (in seconds). |
| requests_per_second | integer | | The maximum number of requests per second (at the API level, not the crawling level). |
| sec_escape_user | boolean | | Add the Sec-Escape-User header to the requests. New attribute, used to enable the Sec-Escape-User header for the scan. |
RestApiDASTConfig
Configure the REST API DAST.
| Property | Type | Required | Description |
|---|---|---|---|
| additional_schema_s3_keys | List[string] | * | List of additional schema S3 keys to use for the scan. |
| hotstart | List[string] | * | List of cURLs to use as a starting point for the scan. |
| hotstart_only | boolean | | If true, the scan will only use the hotstart queries. |
| location_id | string | | |
| max_duration | integer | | The maximum time in minutes that the scan will run for before stopping. Defaults to 2 hours. |
| mode | ScanMode | | The chosen mode for the scan. Default mode is read-write and suited to development environments. The read-only mode is safe for production environments, but will reduce the number of tests performed and the scan coverage. |
| profile | ScanProfile | | The scan profile. |
| schema_s3_key | string | | |
| scope | ScannerScopeConfig | * | Scope configuration for the REST API DAST. Supports both allowlist and blocklist. |
RestApiEndpointUrlRule
REST API full URL endpoint target (e.g., "app.escape.tech") with optional HTTP method (e.g., "GET", "POST", "PUT", "DELETE").
| Property | Type | Required | Description |
|---|---|---|---|
| method | HTTPMethod | | Optional HTTP method (only applicable for REST API routes). If not provided, the path will be checked on all HTTP methods. |
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[rest_api_url] | * | |
| value | string | * | |
RestApiPathRule
REST API path target (e.g., "/api/v1/users") with optional domain and optional HTTP method (e.g., "GET", "POST", "PUT", "DELETE").
| Property | Type | Required | Description |
|---|---|---|---|
| domain | string | | Optional domain to match exactly (only applicable for REST API routes). If not provided, the path will be checked on all domains. |
| method | HTTPMethod | | Optional HTTP method (only applicable for REST API routes). If not provided, the path will be checked on all HTTP methods. |
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[rest_api_path] | * | |
| value | string | * | |
ScannerScopeConfig
Scope configuration that is used inside a scanner configuration to define what targets are allowed to be scanned.
This configuration can extend or override the global scope configuration, or be used independently.
| Property | Type | Required | Description |
|---|---|---|---|
| allowlist | List[DomainRule,GraphQLOperationRule,IPRule,RestApiEndpointUrlRule,RestApiPathRule,WebPageElementSelectorRule,WebPageUrlRule] | * | List of rules defining targets that are allowed to be scanned. |
| blocklist | List[DomainRule,GraphQLOperationRule,IPRule,RestApiEndpointUrlRule,RestApiPathRule,WebPageElementSelectorRule,WebPageUrlRule] | * | List of rules defining targets that should NOT be scanned. |
| extend_global_scope | boolean | | Whether to extend the scanner-specific scope configuration from the global scope configuration at the top level. Defaults to True. If True, domains, endpoints and other targets will be added to the allow/block lists, allowing you to define wide lists of targets to scan/not scan. If False, the scanner will only use the allow/block lists defined in this configuration, allowing you to make the configuration specific to this scan. |
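The precedence rules of GlobalScopeConfig (blocklist beats allowlist, empty allowlist admits everything) and the extend_global_scope behaviour of ScannerScopeConfig, written out as an added example that is not Escape's own scope engine. It assumes the ScopeMatchOperation values listed under Enums have their plain meaning (`wildcard` as shell-style globbing), that a rule only applies to targets of its own type, and that "more specific rules take precedence" needs no extra handling once the blocklist is checked first; the sample scopes are constructed.

```python
import fnmatch
import re

# Constructed model of the documented scope semantics, not Escape's own code.
# A rule is {"type", "value", "operation"} (operation defaults to "equals");
# the blocklist beats the allowlist; an empty allowlist admits every target;
# with extend_global_scope=True the scanner lists are unioned with the global ones.
def rule_matches(rule: dict, target_type: str, target: str) -> bool:
    if rule["type"] != target_type:
        return False
    op, value = rule.get("operation", "equals"), rule["value"]
    if op == "equals":
        return target == value
    if op == "starts_with":
        return target.startswith(value)
    if op == "ends_with":
        return target.endswith(value)
    if op == "contains":
        return value in target
    if op == "regex":
        return re.search(value, target) is not None
    if op == "wildcard":
        return fnmatch.fnmatchcase(target, value)
    raise ValueError(f"unknown ScopeMatchOperation: {op}")

def effective_scope(global_scope: dict, scanner_scope: dict) -> dict:
    """Merge scanner scope with global scope according to extend_global_scope."""
    extend = scanner_scope.get("extend_global_scope", True)
    return {
        name: (global_scope.get(name, []) if extend else []) + scanner_scope.get(name, [])
        for name in ("allowlist", "blocklist")
    }

def in_scope(scope: dict, target_type: str, target: str) -> bool:
    if any(rule_matches(r, target_type, target) for r in scope["blocklist"]):
        return False  # blocklist takes precedence over allowlist
    allow = scope["allowlist"]
    return not allow or any(rule_matches(r, target_type, target) for r in allow)

# Constructed sample scopes: the global level admits one wildcard domain and
# blocks production; the scanner level adds a path allowlist and blocks admin.
GLOBAL_SCOPE = {
    "allowlist": [{"type": "domain", "value": "*.example.test", "operation": "wildcard"}],
    "blocklist": [{"type": "domain", "value": "prod.example.test"}],
}
SCANNER_SCOPE = {
    "extend_global_scope": True,
    "allowlist": [{"type": "rest_api_path", "value": "/api/v1/", "operation": "starts_with"}],
    "blocklist": [{"type": "rest_api_path", "value": "/api/v1/admin", "operation": "starts_with"}],
}
```

With extend_global_scope set to False the scanner sees only its own path rules, so a domain target no longer matches any allowlist entry and is out of scope.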
WebPageElementSelectorRule
CSS selector target (e.g., "button.logout", "a[href='/logout']").
| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[web_page_element_selector] | * | |
| value | string | * | |
WebPageUrlRule
Web page URL target (e.g., "app.escape.tech").
| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[web_page_url] | * | |
| value | string | * | |
RestApiDASTConfig
| Property | Type | Required | Description |
|---|---|---|---|
| argument_generation | ArgumentGenerationConfig | * | |
| inference | InferenceConfig | * | |
| network | NetworkConfig | * | |
| rest_api_dast | RestApiDASTConfig | * | |
| scope | GlobalScopeConfig | * | Global scope configuration for controlling what resources scanners can access. This configuration defines allowlists and blocklists that apply to all scanners. Individual scanner configurations can extend or override these rules. |
Enums
HTTPMethod
| Value |
|---|
| CONNECT |
| DELETE |
| GET |
| HEAD |
| OPTIONS |
| PATCH |
| POST |
| PUT |
| TRACE |
MatchingStrategy
| Value |
|---|
| key |
| key_strict |
| value |
| value_strict |
| key_or_value |
| key_or_value_strict |
| key_strict_or_value |
| key_and_value_strict |
ScalarParent
| Value |
|---|
| String |
| Int |
| Float |
| Boolean |
ScalarSensitivity
| Value |
|---|
| NONE |
| LOW |
| MEDIUM |
| HIGH |
ScanMode
| Value |
|---|
| read_only |
| read_write |
ScanProfile
| Value |
|---|
| surface |
| cicd |
| default |
| deep |
| unrestricted |
ScopeMatchOperation
| Value |
|---|
| equals |
| starts_with |
| ends_with |
| contains |
| regex |
| wildcard |