# Global Configuration
Global Configuration is applied universally to all scans (ASM and DAST) across the entire platform. When both Global Configuration and Profile Configuration are defined for a scan, the configurations are merged according to a Profile-override precedence model.
## Configuration Merge Behavior
When Global Configuration and Profile Configuration contain overlapping keys, the configurations are merged using a deep merge algorithm similar to Terraform's merge() function. The Profile Configuration takes precedence and completely overrides the Global Configuration value for that specific key. Non-overlapping keys from both configurations are preserved in the final merged configuration.
Merge Example:
Global Configuration:
Profile Configuration:
Resulting Merged Configuration:
In this example, key_a is completely replaced by the Profile Configuration value, while key_b is inherited from Global Configuration and key_c is added from Profile Configuration.
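The precedence model described above, written out as a small deep-merge routine. This is an added illustration, not Escape's own merge implementation; it assumes that nested mappings are merged recursively, that wherever both sides define the same key at the same level the Profile value wins outright, and that lists and scalars are replaced rather than concatenated. The sample configurations are constructed for the example.

```python
from copy import deepcopy
from typing import Any


def merge_config(global_cfg: dict[str, Any], profile_cfg: dict[str, Any]) -> dict[str, Any]:
    """Deep merge: Profile wins wherever both sides define the same key."""
    merged = deepcopy(global_cfg)          # never mutate the Global configuration
    for key, profile_value in profile_cfg.items():
        current = merged.get(key)
        if isinstance(current, dict) and isinstance(profile_value, dict):
            merged[key] = merge_config(current, profile_value)  # recurse into mappings
        else:
            merged[key] = deepcopy(profile_value)  # scalar or list: Profile replaces it
    return merged


# Constructed sample: the key_a / key_b / key_c case from the text above.
GLOBAL_FLAT = {"key_a": "global-a", "key_b": "global-b"}
PROFILE_FLAT = {"key_a": "profile-a", "key_c": "profile-c"}

# Constructed sample: a nested fragment shaped like the ASM configuration below,
# where a profile tightens the rate limit and switches the scan to read_only.
GLOBAL_NESTED = {
    "network": {
        "requests_per_second": 1000,
        "custom_headers": {"x-scanned-by": ["escape.tech"]},
    },
    "rest_api_dast": {"mode": "read_write", "max_duration": 120},
}
PROFILE_NESTED = {
    "network": {"requests_per_second": 50},
    "rest_api_dast": {"mode": "read_only"},
}


def merged_flat() -> dict[str, Any]:
    return merge_config(GLOBAL_FLAT, PROFILE_FLAT)


def merged_nested() -> dict[str, Any]:
    return merge_config(GLOBAL_NESTED, PROFILE_NESTED)


if __name__ == "__main__":
    print(merged_flat())
    print(merged_nested())
```

In the nested case the Profile only states the keys it wants to change; `custom_headers` and `max_duration` survive from the Global side untouched.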
## ASM Configuration
Configure the REST API DAST.
### Example
Here is an example configuration:
```yaml
---
argument_generation:
  agentic_autofix_preprompt: ''
  max_agentic_autofixes: 10
  max_generated_depth: 5
  skip_generating_unspecified_enum_values: false
  validation_errors_agentic_autofix: false
inference:
  null_is_unauthenticated: true
  scalars:
    my_custom_scalar:
      description: API keys internal to my organization. Should not be committed or exposed to internet.
      examples:
        - org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP
      ignored_names: []
      ignored_pattern: null
      is_sourceable: true
      names:
        - org_key
        - organization_key
      parents: []
      pattern: ^org_[A-Z]{32}$
      raise_on_commit: true
      raise_on_exposure: true
      sensitivity: HIGH
      strategy: key_or_value
network:
  cancel_unhealthy_scan_after: 120
  custom_headers:
    my-header:
      - value1
      - value2
    x-scanned-by:
      - escape.tech
  escape_user: true
  parallel_requests: 10
  request_timeout_s: 2
  requests_per_second: 1000
  sec_escape_user: true
rest_api_dast:
  additional_schema_s3_keys: []
  blocklist: []
  hotstart: []
  hotstart_only: false
  location_id: ''
  max_duration: 120
  mode: read_write
  profile: default
  schema_s3_key: ''
  scope:
    allowlist: []
    blocklist: []
```
## Configuration reference
### Fields
#### ArgumentGenerationConfig
Configure how Escape will generate arguments.

| Property | Type | Required | Description |
|---|---|---|---|
| agentic_autofix_preprompt | string | | A custom preprompt to use for the agentic autofix. |
| max_agentic_autofixes | integer | | The maximum number of agentic autofixes to perform on validation errors. |
| max_generated_depth | integer | | The maximum depth of the generated arguments. If your API has a very deep structure, you can increase this value to generate more arguments, but it will slow down the scan. If you have a very big schema, you may want to decrease this value to reduce the number of generated arguments. |
| skip_generating_unspecified_enum_values | boolean | | If true, the generator will skip generating unspecified enum values. |
| validation_errors_agentic_autofix | boolean | | If true, the argument generator will try to automatically fix validation errors in the arguments by resending queries with the fixed arguments. |
#### CustomScalarConfig

| Property | Type | Required | Description |
|---|---|---|---|
| description | string | | The description of the scalar. |
| examples | List[string] | * | Sample values for the scalar (used in the explore phase as default values). |
| ignored_names | List[string] | * | Names to ignore for the scalar. |
| ignored_pattern | string | | Regex to ignore for the scalar. |
| is_sourceable | boolean | | Use this scalar in the Agentic Exploration of the API. If true, the scalar will be reinjected during the Agentic Exploration of the API. |
| names | List[string] | * | Possible names for the scalar. |
| parents | List[ScalarParent] | * | Root type the scalar is compatible with. |
| pattern | string | | Regex that values of the scalar are expected to match. |
| raise_on_commit | boolean | | Mark this scalar as non-committable. If Escape finds this scalar in a git repository, an issue will be raised. |
| raise_on_exposure | boolean | | Mark this scalar as non-exposable. If Escape finds this scalar in any HTTP request, an issue will be raised. |
| sensitivity | ScalarSensitivity | | Data sensitivity level. Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape. |
| strategy | MatchingStrategy | | The detection strategy. |
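How the `names`, `ignored_names`, `pattern`, `ignored_pattern` and `strategy` fields combine to flag a field in an API response, shown as an added example rather than Escape's own detector. It assumes `key_or_value` flags a field when its name is in `names` or its string value matches `pattern`, that `key` and `value` use one side only, that the `_strict` strategies are out of scope here, and that `ignored_names` and `ignored_pattern` suppress a hit; the scalar definition mirrors `my_custom_scalar` from the example configuration and the response body is constructed.

```python
import re

# Constructed scalar definition mirroring my_custom_scalar in the example above.
ORG_KEY_SCALAR = {
    "names": ["org_key", "organization_key"],
    "ignored_names": [],
    "pattern": r"^org_[A-Z]{32}$",
    "ignored_pattern": None,
    "strategy": "key_or_value",
}


def key_hit(scalar: dict, key: str) -> bool:
    return key in scalar["names"] and key not in scalar["ignored_names"]  # name match


def value_hit(scalar: dict, value) -> bool:
    """String value matches `pattern` and is not excluded by `ignored_pattern`."""
    if not isinstance(value, str) or not re.search(scalar["pattern"], value):
        return False
    ignored = scalar.get("ignored_pattern")
    return not (ignored and re.search(ignored, value))


def matches(scalar: dict, key: str, value) -> bool:
    """Apply the configured MatchingStrategy (non-strict variants only, by assumption)."""
    strategy = scalar["strategy"]
    k, v = key_hit(scalar, key), value_hit(scalar, value)
    if strategy == "key":
        return k
    if strategy == "value":
        return v
    if strategy == "key_or_value":
        return k or v
    raise ValueError(f"strategy {strategy!r} not modelled in this example")


def find_exposures(scalar: dict, payload: dict, prefix: str = "") -> list[str]:
    """Walk a decoded JSON body; return dotted paths of fields that match the scalar."""
    hits: list[str] = []
    for key, value in payload.items():
        path = prefix + key
        if isinstance(value, dict):
            hits += find_exposures(scalar, value, path + ".")
        elif matches(scalar, key, value):
            hits.append(path)
    return hits


# Constructed response body: one hit by field name, one by value, one clean field.
SAMPLE_BODY = {
    "org_key": "not-the-real-key",
    "settings": {"token": "org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP", "theme": "dark"},
}
```

With `raise_on_exposure: true` and `sensitivity: HIGH`, each path returned by `find_exposures` is the kind of finding the table describes as a Sensitive Data issue.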
#### InferenceConfig
Inference configures how Escape will detect secrets exposed by the API or in files.
The inference is also used to reinject IDs in the DAST scanners.

| Property | Type | Required | Description |
|---|---|---|---|
| null_is_unauthenticated | boolean | | Consider empty API responses as unauthenticated. To improve error inference, if your API always returns a response but without data when the user is unauthenticated, set this to true. |
| scalars | Dict[CustomScalarConfig] | | The user-defined scalars. |
#### NetworkConfig

| Property | Type | Required | Description |
|---|---|---|---|
| cancel_unhealthy_scan_after | integer | | The maximum time in seconds to wait for the scan to be healthy before canceling it. |
| custom_headers | Dict[string, List[string]] | | Custom headers to add to the requests. |
| escape_user | boolean | | Add the X-Escape-User header to the requests. Legacy attribute, kept for backward compatibility. |
| parallel_requests | integer | | The maximum number of parallel requests to send. |
| request_timeout_s | integer | | The maximum timeout duration for each request (in seconds). |
| requests_per_second | integer | | The maximum number of requests per second (at the API level, not the crawling level). |
| sec_escape_user | boolean | | Add the Sec-Escape-User header to the requests. New attribute, used to enable the Sec-Escape-User header for the scan. |
#### RestApiDASTConfig
Configure the REST API DAST.

| Property | Type | Required | Description |
|---|---|---|---|
| additional_schema_s3_keys | List[string] | * | List of additional schema S3 keys to use for the scan. |
| blocklist | List[RouteRule] | * | List of routes to block from the scan. |
| hotstart | List[string] | * | List of cURLs to use as a starting point for the scan. |
| hotstart_only | boolean | | If true, the scan will only use the hotstart queries. |
| location_id | string | | |
| max_duration | integer | | The maximum time in minutes that the scan will run for before stopping. Defaults to 2 hours. |
| mode | ScanMode | | The chosen mode for the scan. The default mode is read_write and is suited to development environments. The read_only mode is safe for production environments, but reduces the number of tests performed and the scan coverage. |
| profile | ScanProfile | | The scan profile. |
| schema_s3_key | string | | |
| scope | RestScopeConfig | * | |
#### RestScopeConfig
Configuration for controlling the scope of the REST API DAST.

| Property | Type | Required | Description |
|---|---|---|---|
| allowlist | List[RouteRule] | * | List of routes to allow in the scan. |
| blocklist | List[RouteRule] | * | List of routes to block from the scan. |
#### RouteRule

| Property | Type | Required | Description |
|---|---|---|---|
| method | Method | | HTTP method to select (none to select all methods). |
| path | string | | Path to select (.* to select all paths). |
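A scope check built from the RouteRule fields above, as an added example (not Escape's own scoping code) of how an allowlist and blocklist keep a scan off routes it must not touch. It assumes `path` is a regular expression matched against the whole request path (the `.*` wildcard in the table suggests regex semantics), that an absent method selects every method, and that a route is in scope when it matches at least one allowlist rule (an empty allowlist allows everything) and no blocklist rule; the sample scope and requests are constructed.

```python
import re


def rule_matches(rule: dict, method: str, path: str) -> bool:
    """True when the RouteRule selects this request (method None = any method)."""
    rule_method = rule.get("method")
    if rule_method is not None and rule_method.upper() != method.upper():
        return False
    return re.fullmatch(rule["path"], path) is not None  # path treated as a regex


def in_scope(scope: dict, method: str, path: str) -> bool:
    """Allowed by the allowlist (empty list = allow all) and hit by no blocklist rule."""
    allowlist = scope.get("allowlist") or []
    blocklist = scope.get("blocklist") or []
    allowed = not allowlist or any(rule_matches(r, method, path) for r in allowlist)
    blocked = any(rule_matches(r, method, path) for r in blocklist)
    return allowed and not blocked


# Constructed sample scope: keep the scanner on /api/v1/*, never let it issue
# DELETE requests, and keep it off the admin surface for every method.
SAMPLE_SCOPE = {
    "allowlist": [{"method": None, "path": r"/api/v1/.*"}],
    "blocklist": [
        {"method": "DELETE", "path": r".*"},
        {"method": None, "path": r"/api/v1/admin(/.*)?"},
    ],
}


def scope_decisions() -> dict[str, bool]:
    """Decide a few constructed requests against SAMPLE_SCOPE."""
    requests = [
        ("GET", "/api/v1/users"),
        ("DELETE", "/api/v1/users/1"),
        ("GET", "/api/v1/admin/keys"),
        ("GET", "/internal/health"),
    ]
    return {f"{m} {p}": in_scope(SAMPLE_SCOPE, m, p) for m, p in requests}
```

Pairing a blocklist like this with `mode: read_only` is the combination to reach for when the target is a production environment.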
#### RestApiDASTConfig

| Property | Type | Required | Description |
|---|---|---|---|
| argument_generation | ArgumentGenerationConfig | * | |
| inference | InferenceConfig | * | |
| network | NetworkConfig | * | |
| rest_api_dast | RestApiDASTConfig | * | |
### Enums
#### MatchingStrategy

| Value |
|---|
| key |
| key_strict |
| value |
| value_strict |
| key_or_value |
| key_or_value_strict |
| key_strict_or_value |
| key_and_value_strict |

#### Method

| Value |
|---|
| GET |
| POST |
| PUT |
| DELETE |
| PATCH |

#### ScalarParent

| Value |
|---|
| String |
| Int |
| Float |
| Boolean |

#### ScalarSensitivity

| Value |
|---|
| NONE |
| LOW |
| MEDIUM |
| HIGH |

#### ScanMode

| Value |
|---|
| read_only |
| read_write |

#### ScanProfile

| Value |
|---|
| surface |
| cicd |
| default |
| deep |
| unrestricted |