# Global Configuration

Global Configuration is applied universally to all scans (ASM and DAST) across the entire platform. When both a Global Configuration and a Profile Configuration are defined for a scan, the two are merged according to a profile-override precedence model.
## Configuration Merge Behavior

When Global Configuration and Profile Configuration contain overlapping keys, the configurations are merged using a deep merge algorithm similar to Terraform's merge() function. The Profile Configuration takes precedence and completely overrides the Global Configuration value for that specific key. Non-overlapping keys from both configurations are preserved in the final merged configuration.

Merge Example:

Global Configuration:

Profile Configuration:

Resulting Merged Configuration:

In this example, key_a is completely replaced by the Profile Configuration value, while key_b is inherited from Global Configuration and key_c is added from Profile Configuration.
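The following Python is an added illustration of the override rule above; it is not code from this page or from Escape. It applies the rule as the key_a example states it (a key present in the Profile Configuration replaces the Global Configuration value for that key as a whole) and adds a pre-flight check that lists which global settings a profile would discard, which is the practical question when a profile overrides a block such as `network`. The two sample configurations are constructed and only borrow key names from the reference tables below; how the platform treats nested maps beyond what the page states is an assumption of this example.

```python
import copy
from typing import Any

# Constructed sample inputs (not from the page). They overlap on "network":
# the global side carries rate limiting and custom headers, the profile side
# only sets parallel_requests.
GLOBAL_CONFIG: dict[str, Any] = {
    "network": {
        "requests_per_second": 1000,
        "custom_headers": {"x-scanned-by": ["escape.tech"]},
    },
    "inference": {"null_is_unauthenticated": True},
}

PROFILE_CONFIG: dict[str, Any] = {
    "network": {"parallel_requests": 2},
    "frontend_dast": {"mode": "read_only"},
}


def merge_configs(global_cfg: dict[str, Any], profile_cfg: dict[str, Any]) -> dict[str, Any]:
    """Merge with profile-override precedence.

    Keys present on only one side are preserved. For an overlapping key the
    profile value replaces the global value wholesale (the "completely
    overrides" rule, which is also how Terraform's merge() treats a key that
    appears again in a later map). Inputs are not mutated.
    """
    merged = copy.deepcopy(global_cfg)
    for key, value in profile_cfg.items():
        merged[key] = copy.deepcopy(value)
    return merged


def lost_global_settings(global_cfg: dict[str, Any], profile_cfg: dict[str, Any]) -> list[str]:
    """Dotted paths of global settings that the profile override discards.

    Because an overlapping key is replaced as a whole, every sub-key that the
    global config defines under it but the profile config does not is lost
    silently. Running this before applying a profile makes that visible.
    """
    lost: list[str] = []

    def walk(g_sub: dict[str, Any], p_sub: dict[str, Any], path: str, inside_override: bool) -> None:
        for key, g_value in g_sub.items():
            here = f"{path}.{key}" if path else key
            if key not in p_sub:
                if inside_override:
                    lost.append(here)        # parent key was replaced wholesale
                continue
            p_value = p_sub[key]
            if isinstance(g_value, dict) and isinstance(p_value, dict):
                walk(g_value, p_value, here, True)
            elif isinstance(g_value, dict):
                lost.append(here)            # a whole block replaced by a scalar

    walk(global_cfg, profile_cfg, "", False)
    return lost


if __name__ == "__main__":
    print(merge_configs(GLOBAL_CONFIG, PROFILE_CONFIG))
    print("discarded by the profile:", lost_global_settings(GLOBAL_CONFIG, PROFILE_CONFIG))
```

With these inputs the merged `network` block contains only `parallel_requests`; the global rate limit and the `x-scanned-by` header are gone, and `lost_global_settings` reports exactly those two paths.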
## ASM Configuration

Most of your scan configuration already follows the global scan configuration, such as authentication, network or inference. However, there are a few additional settings that are specific to WebApp scans. For example, SPA and SSR applications may not be crawled the same way, and you may want to configure the crawler to handle them differently.

### Example

Here is an example configuration:
```yaml
---
frontend_dast:
  agentic_crawling:
    enabled: false
    instructions: ''
  api_checks_during_auth: false
  crawling_tuning:
    max_parameterized_url_variations: 10
    max_unique_fragments_per_page: 10
    max_unique_values_per_query_param: 10
    only_inscope_crawling_logs: true
  escape_user_header: false
  hotstart: []
  location_id: ''
  logout_detection:
    agentic_detection_enabled: false
    auto_reauthenticate: true
    enabled: true
    logged_in_indicator_regex_patterns: []
    logout_redirection_url_patterns:
    - /login
    - /signout
    - /logout
    - /sign-out
    - /sign-in
    - /sign-out
    - /sign-in
    session_cookie_regex_patterns:
    - (SESSION|JSESSIONID|ASPSESSIONID[A-Z0-9]+|PHPSESSID|ASP\.NET_SessionId)
  max_duration: 120
  mode: read_write
  parallel_workers: 3
  prefetch_sitemap: false
  relax_cors_security: true
  scope:
    api_testing:
      allowlist: []
      blocklist: []
      extend_global_scope: true
    crawling:
      allowlist: []
      blocklist: []
      extend_global_scope: false
  security_checks_enabled:
  - ALL
  single_page_worker: false
  static_crawling:
    enabled: true
    time_limit_seconds: 300
  use_persistence: true
  user_agent: null
inference:
  null_is_unauthenticated: true
  scalars:
    my_custom_scalar:
      description: API keys internal to my organization. Should not be committed or exposed to internet.
      examples:
      - org_ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP
      ignored_names: []
      ignored_pattern: null
      is_sourceable: true
      names:
      - org_key
      - organization_key
      parents: []
      pattern: ^org_[A-Z]{32}$
      raise_on_commit: true
      raise_on_exposure: true
      sensitivity: HIGH
      strategy: key_or_value
network:
  cancel_unhealthy_scan_after: 120
  custom_headers:
    my-header:
    - value1
    - value2
    x-scanned-by:
    - escape.tech
  escape_user: true
  parallel_requests: 10
  request_timeout_s: 2
  requests_per_second: 1000
  sec_escape_user: true
scope:
  allowlist: []
  blocklist: []
  use_defaults: true
```
## Configuration reference

### Fields

#### APITestingScopeConfig

Scope configuration for API testing. Only the target types rest_api_path, rest_api_url, graphql_operation, ip and domain are relevant here, not web_page_url.

| Property | Type | Required | Description |
|---|---|---|---|
| allowlist | List[DomainRule,GraphQLOperationRule,IPRule,RestApiEndpointUrlRule,RestApiPathRule] | * | List of rules defining REST API route targets that are allowed to be tested. |
| blocklist | List[DomainRule,GraphQLOperationRule,IPRule,RestApiEndpointUrlRule,RestApiPathRule] | * | List of rules defining REST API route targets that should NOT be tested. |
| extend_global_scope | boolean | | Whether to extend the API testing configuration from the global scope configuration at the top level. Defaults to True. If True, domains and other in-scope assets will be added to the allow/block lists, enabling wider API testing for multiple assets used by the Web Application. If False, the scanner will only use the allow/block lists defined in this configuration. |
#### AgenticCrawlingConfig

Configuration options for agentic crawling.

| Property | Type | Required | Description |
|---|---|---|---|
| enabled | boolean | | This configuration value is auto-enabled when experimental.agentic_pentesting is set to True. |
| instructions | string | | Instructions for the agentic crawling. Tell the agent how to explore the application and what it should do on each page. You can describe business logic so the agent crawls the application better, which data it should use and what to avoid. |
#### CrawlingTuningConfig

| Property | Type | Required | Description |
|---|---|---|---|
| max_parameterized_url_variations | integer | | The maximum number of different parameter values to test for parameterized URL patterns. The scanner detects numeric and UUID segments in URL paths and fragments (e.g., IDs, UUIDs) and replaces them with {param} to create patterns. For example, /users/123/profile and /users/456/profile both match the pattern /users/{param}/profile. This setting limits how many different parameter values are tested for each pattern: with a limit of 5, /users/123/profile (variation 1), /users/456/profile (variation 2), /users/789/profile (variation 3) and so on are allowed up to 5 variations, and /users/999/profile is blocked once the limit is reached. |
| max_unique_fragments_per_page | integer | | The maximum number of different fragments (anchors) to visit for the same page path. For example, if set to 5, the scanner will visit up to 5 different fragments of /page.html: /page.html#section1 through /page.html#section5 are allowed and /page.html#section6 is blocked. Already visited fragments can be revisited without counting against the limit. Note: Single Page Applications with route fragments (containing /) are not limited by this setting. |
| max_unique_values_per_query_param | integer | | The maximum number of different values to test for each query parameter on the same page path. For example, if set to 5, for the /search page with parameter q: /search?q=test1 through /search?q=test5 are allowed and /search?q=test6 is blocked. Already tested values can be revisited without counting against the limit. The limit applies independently to each query parameter (e.g., q, filter and page are tracked separately). |
| only_inscope_crawling_logs | boolean | | If true, the frontend scan will report only in-scope URLs under the "Crawling" tab. |
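The three limits above interact (a single URL can consume budget in more than one of them), so the following added Python example, which is not code from this page or from Escape, models them together as one crawl budget: it derives the {param} pattern from numeric and UUID path segments, exempts SPA route fragments containing "/", tracks each query parameter independently and never charges a revisit. Fragment parameterization and the exact segment classifier are assumptions of this example; the URLs fed to it are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Segment classifiers used to derive a URL pattern: numeric IDs and UUIDs
# become {param}. The page names those two segment kinds; the exact regexes
# are this example's assumption.
NUMERIC_SEGMENT = re.compile(r"^\d+$")
UUID_SEGMENT = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def url_pattern(path: str) -> str:
    """Return the path with numeric/UUID segments replaced by {param}."""
    return "/".join(
        "{param}" if NUMERIC_SEGMENT.match(seg) or UUID_SEGMENT.match(seg) else seg
        for seg in path.split("/")
    )


class CrawlBudget:
    """Enforces the three CrawlingTuningConfig limits for one scan.

    Revisits of an already-admitted variation, fragment or value never count
    against a limit; each query parameter has its own counter; SPA route
    fragments (containing "/") are exempt from the fragment limit.
    """

    def __init__(self, max_parameterized_url_variations: int,
                 max_unique_fragments_per_page: int,
                 max_unique_values_per_query_param: int) -> None:
        self.limits = {
            "variation": max_parameterized_url_variations,
            "fragment": max_unique_fragments_per_page,
            "value": max_unique_values_per_query_param,
        }
        # kind -> key -> distinct items already admitted under that key
        self.seen: dict[str, dict[object, set[str]]] = {k: {} for k in self.limits}

    def allow(self, url: str) -> bool:
        """Decide whether the crawler may visit url; record it if admitted."""
        parts = urlsplit(url)
        path = parts.path
        wanted: list[tuple[str, object, str]] = []

        pattern = url_pattern(path)
        if pattern != path:                       # only parameterized paths are budgeted
            wanted.append(("variation", pattern, path))
        if parts.fragment and "/" not in parts.fragment:
            wanted.append(("fragment", path, parts.fragment))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            wanted.append(("value", (path, name), value))

        # Check every limit before recording anything, so a URL rejected on
        # one dimension does not consume budget on another.
        for kind, key, item in wanted:
            seen = self.seen[kind].setdefault(key, set())
            if item not in seen and len(seen) >= self.limits[kind]:
                return False
        for kind, key, item in wanted:
            self.seen[kind][key].add(item)
        return True


if __name__ == "__main__":
    # Constructed walk-through with every limit set to 2.
    budget = CrawlBudget(2, 2, 2)
    for u in ["https://app.example.test/users/123/profile",
              "https://app.example.test/users/456/profile",
              "https://app.example.test/users/789/profile",
              "https://app.example.test/page.html#/route/3"]:
        print(u, "->", "allowed" if budget.allow(u) else "blocked")
```

Reading the decisions in order shows the rule the table describes: the third distinct value of `/users/{param}/profile` is blocked while an earlier one can be revisited, and a `#/route/3` fragment passes regardless of the fragment counter.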
#### CustomScalarConfig

| Property | Type | Required | Description |
|---|---|---|---|
| description | string | | The description of the scalar. |
| examples | List[string] | * | Sample values for the scalar (used in the explore phase as default values). |
| ignored_names | List[string] | * | Names to ignore for the scalar. |
| ignored_pattern | string | | Regex to ignore for the scalar. |
| is_sourceable | boolean | | Use this scalar in the Agentic Exploration of the API. If true, the scalar will be reinjected during the Agentic Exploration of the API. |
| names | List[string] | * | Possible names for the scalar. |
| parents | List[ScalarParent] | * | Root type the scalar is compatible with. |
| pattern | string | | Regex that matches the scalar value. |
| raise_on_commit | boolean | | Mark this scalar as non-committable. If Escape finds this scalar in a git repository, an issue will be raised. |
| raise_on_exposure | boolean | | Mark this scalar as non-exposable. If Escape finds this scalar in any HTTP request, an issue will be raised. |
| sensitivity | ScalarSensitivity | | Data sensitivity level. Values MEDIUM and HIGH will serve to raise Sensitive Data issues in Escape. |
| strategy | MatchingStrategy | | The detection strategy. |

#### DomainRule

Domain target (e.g., "escape.tech", "*.escape.tech").

| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[domain] | * | |
| value | string | * | |
#### FrontendDASTConfig

Most of your scan configuration already follows the global scan configuration, such as authentication, network or inference. However, there are a few additional settings that are specific to WebApp scans. For example, SPA and SSR applications may not be crawled the same way, and you may want to configure the crawler to handle them differently.

| Property | Type | Required | Description |
|---|---|---|---|
| agentic_crawling | AgenticCrawlingConfig | * | If enabled, the frontend scan will use an LLM agent to intelligently explore the application by filling forms and interacting with elements to maximize API traffic generation. You can describe business logic so the agent crawls the application better, which data it should use and what to avoid. |
| api_checks_during_auth | boolean | | If set to true, API checks will run during the authentication process. If set to false, API checks will only be enabled (if included in security_checks_enabled) after authentication. API checks can break the authentication flow! If you face problems authenticating your scan, you should disable this option. |
| crawling_tuning | CrawlingTuningConfig | * | Crawling tuning configuration for web app crawling. |
| escape_user_header | boolean | | If true, the frontend scan will add the x-escape-user header to the requests. If enabled, this can break CORS. Use sec_escape_user instead. |
| hotstart | List[string] | * | The list of URLs to start the scan from. In the Expert Configuration section of your scan settings, you can configure and add more base URLs for your scan. Base URLs is a list of URLs that the scanner should visit. You can pre-seed the scanner with a list of URLs to start the scan from and enrich the crawling process by boosting known URLs. |
| location_id | string | | |
| logout_detection | LogoutDetectionConfig | * | |
| max_duration | integer | | The maximum time in minutes that the scan will run for before stopping. Defaults to 2 hours. |
| mode | ScanMode | | The chosen mode for the scan. The default mode is read-write and suited to development environments. The read-only mode is safe for production environments, but will reduce the number of tests performed and the scan coverage. |
| parallel_workers | integer | | The number of parallel workers to use for frontend scans. Maximum is 5, default is 3. Lower this if you encounter stability issues. |
| prefetch_sitemap | boolean | | If true, the frontend scan will prefetch any available sitemaps (robots.txt, sitemap.xml, etc.) and use them as a seed for the crawler. |
| relax_cors_security | boolean | | If false, the browser will send preflight requests for API calls and can block them. If true, the browser will not send any preflight requests, and the Origin header will not be included in any request. If your authentication uses headers, you should set this to true, otherwise the browser may block all API calls that violate the CORS policy. |
| scope | FrontendDASTScopeConfigV2 | * | Scope configuration for the frontend scan, including both page crawling and API testing. This is used to control which pages the scanner should crawl and interact with, by their URLs, or even the elements in the page. This is also used to control which API traffic the scanner should analyze and test. |
| security_checks_enabled | List[FrontendSecurityChecksTypes] | * | The security_checks_enabled parameter allows you to precisely control which security checks to run. By default, all checks are enabled. You can mix and match depending on your needs (speed, coverage, etc.). |
| single_page_worker | boolean | | If true, frontend scans will be performed in a single page worker. Note that this will slow down the scan, as it will not be able to explore multiple pages in parallel. |
| static_crawling | StaticCrawlerConfig | * | |
| use_persistence | boolean | | If true, the frontend scan will use persistence to load discovered URLs from previous scans, to enhance crawling stability. |
| user_agent | string | | The user agent to use for frontend scans. |
#### FrontendDASTScopeConfigV2

| Property | Type | Required | Description |
|---|---|---|---|
| api_testing | APITestingScopeConfig | * | Scope configuration for API testing. This configuration is used to control which API traffic (generated by the web application) the scanner should analyze and test. The scanner observes API traffic without interfering with it: the web application continues to work normally. These settings only control what the scanner analyzes and tests for security issues. By default, the APIs tested are scoped by the global scope configuration, with the extend_global_scope option set to True. |
| crawling | WebAppCrawlingScopeConfig | * | Scope configuration for crawling. This configuration is used to control which pages the scanner should crawl and interact with, by their URLs, or even the elements in the page. By default the crawling is limited to the application base URL and no other domains, to avoid out-of-scope testing. |

#### GlobalScopeConfig

Global scope configuration for controlling what targets scanners can cover.

Targets have different types: domain, ip, web_page_url, rest_api_path, rest_api_url and graphql_operation.

The scope configuration uses allowlists and blocklists to precisely define what is in scope for scanning. This configuration can be set at the global level and optionally extended or overridden by scanner-specific configurations.

Precedence rules:

- Blocklist takes precedence over allowlist (if a target matches both, it's blocked)
- More specific rules take precedence over general rules
- Profile-level scope can extend or override global scope based on the extend_global_scope setting

| Property | Type | Required | Description |
|---|---|---|---|
| allowlist | List[DomainRule,GraphQLOperationRule,IPRule,RestApiEndpointUrlRule,RestApiPathRule,WebPageElementSelectorRule,WebPageUrlRule] | * | List of rules defining assets and targets that are allowed to be scanned. If empty, all targets are allowed (subject to blocklist), depending on the use_defaults setting. If use_defaults is True, setting anything manually in this list will extend the scope configuration with your ASM scope configuration. Targets must match at least one allowlist rule to be in scope. |
| blocklist | List[DomainRule,GraphQLOperationRule,IPRule,RestApiEndpointUrlRule,RestApiPathRule,WebPageElementSelectorRule,WebPageUrlRule] | * | List of rules defining assets and targets that should NOT be scanned. If use_defaults is True, setting anything manually in this list will extend the scope configuration with your ASM scope configuration. Blocklist rules take precedence over allowlist rules. |
| use_defaults | boolean | | Whether to auto-inject your scope configuration, for in-scope and out-of-scope assets. This enables you to configure your ASM scope configuration once and have it automatically injected into all scanners, ensuring that an out-of-scope asset (domain, ip, etc.) will not be scanned. This also ensures that in-scope assets will be automatically tested for vulnerabilities, enhancing coverage and discovery. |
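To make the first precedence rule and the rule types concrete, here is an added Python example (not code from this page or from Escape) that evaluates a target against an allowlist and a blocklist built from the rule shapes documented below (type, value, operation, optional method) using the ScopeMatchOperation values listed at the end of this page. The "more specific rules win" rule is not modelled because the page does not define specificity; `re.search` semantics for regex and glob semantics for wildcard are assumptions; the rules and targets are constructed.

```python
import fnmatch
import re
from typing import Callable

# ScopeMatchOperation values from the enum on this page. Anchoring for "regex"
# (re.search) and glob semantics for "wildcard" (fnmatch) are assumptions.
OPERATIONS: dict[str, Callable[[str, str], bool]] = {
    "equals": lambda value, target: target == value,
    "starts_with": lambda value, target: target.startswith(value),
    "ends_with": lambda value, target: target.endswith(value),
    "contains": lambda value, target: value in target,
    "regex": lambda value, target: re.search(value, target) is not None,
    "wildcard": lambda value, target: fnmatch.fnmatchcase(target, value),
}


def rule_matches(rule: dict, target: dict) -> bool:
    """A rule only applies to targets of its own type. A REST rule carrying a
    method applies only to that method; a rule without one covers all methods,
    as the RestApiPathRule table states."""
    if rule["type"] != target["type"]:
        return False
    if rule.get("method") and rule["method"] != target.get("method"):
        return False
    operation = OPERATIONS[rule.get("operation", "equals")]   # default: exact match
    return operation(rule["value"], target["value"])


def in_scope(target: dict, allowlist: list[dict], blocklist: list[dict]) -> bool:
    """Blocklist wins over allowlist; an empty allowlist admits everything
    that the blocklist does not reject."""
    if any(rule_matches(rule, target) for rule in blocklist):
        return False
    if not allowlist:
        return True
    return any(rule_matches(rule, target) for rule in allowlist)


# Constructed scope (not from the page): allow the organisation's domains and
# the v1 API, keep a legacy host out entirely, and never let the scanner
# issue DELETE against admin routes even though they sit inside /api/v1/.
ALLOWLIST = [
    {"type": "domain", "value": "*.example.test", "operation": "wildcard"},
    {"type": "rest_api_path", "value": "/api/v1/", "operation": "starts_with"},
]
BLOCKLIST = [
    {"type": "rest_api_path", "value": "/api/v1/admin", "operation": "starts_with", "method": "DELETE"},
    {"type": "domain", "value": "legacy.example.test"},
]


if __name__ == "__main__":
    for target in [
        {"type": "domain", "value": "api.example.test"},
        {"type": "domain", "value": "legacy.example.test"},
        {"type": "rest_api_path", "value": "/api/v1/admin/users", "method": "DELETE"},
        {"type": "rest_api_path", "value": "/api/v1/admin/users", "method": "GET"},
    ]:
        print(target, "->", "in scope" if in_scope(target, ALLOWLIST, BLOCKLIST) else "blocked")
```

Note that `legacy.example.test` matches the wildcard allow rule and the exact block rule at the same time, and is blocked: that is the "if a target matches both, it's blocked" rule in action.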
#### GraphQLOperationRule

GraphQL operation target (e.g., "query.users", "mutation.createUser").

| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[graphql_operation] | * | |
| value | string | * | |

#### IPRule

IP address target (e.g., "192.168.1.1", "10.0.0.0/24").

| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[ip] | * | |
| value | string | * | |

#### InferenceConfig

Inference configures how Escape detects secrets exposed by the API or in files. The inference is also used to reinject IDs in the DAST scanners.

| Property | Type | Required | Description |
|---|---|---|---|
| null_is_unauthenticated | boolean | | Consider empty API responses as unauthenticated. To improve error inference, if your API always returns a response but without data when the user is unauthenticated, set this to true. |
| scalars | Dict[CustomScalarConfig] | | The user-defined scalars. |

#### LogoutDetectionConfig

Configuration options for logout detection.

Enabled by default with default values. It analyzes all page content and response redirections to detect whether the user is logged out. If you want to disable it, set enabled to False.

| Property | Type | Required | Description |
|---|---|---|---|
| agentic_detection_enabled | boolean | | If true, the frontend scan will use an LLM agent to detect if the user is logged out. |
| auto_reauthenticate | boolean | | If true, automatically re-authenticate when the frontend session expires. |
| enabled | boolean | | If true, the frontend scan will detect when the user is logged out. |
| logged_in_indicator_regex_patterns | List[string] | * | Regex patterns to detect if the user is logged in. If set, at least one pattern must match. Empty by default. |
| logout_redirection_url_patterns | List[string] | * | Regex patterns to detect if the user is logged out. If set, at least one pattern must match. Will default to some common patterns if not set. |
| session_cookie_regex_patterns | List[string] | * | Regex patterns to identify session cookies. If set, at least one pattern must match. Will default to some common patterns if not set. |
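The following added Python example (not code from this page or from Escape) runs the two kinds of logout-detection patterns from the example configuration above against constructed cookie names and HTTP responses, so you can see what the "at least one pattern must match" rule admits before relying on it. It assumes `re.search` semantics, which is why the unanchored default `/login` also fires on a redirect to `/loginhistory`; the last assertion shows an anchored pattern you could put in your own `logout_redirection_url_patterns` to avoid that false re-authentication. The response dicts are constructed and only carry the fields the functions read.

```python
import re
from typing import Iterable, Mapping

# Patterns copied from the example configuration on this page.
SESSION_COOKIE_REGEX_PATTERNS = (
    r"(SESSION|JSESSIONID|ASPSESSIONID[A-Z0-9]+|PHPSESSID|ASP\.NET_SessionId)",
)
LOGOUT_REDIRECTION_URL_PATTERNS = ("/login", "/signout", "/logout", "/sign-out", "/sign-in")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def any_match(patterns: Iterable[str], text: str) -> bool:
    """'At least one pattern must match'; re.search semantics are assumed."""
    return any(re.search(pattern, text) for pattern in patterns)


def session_cookie_names(cookie_names: Iterable[str],
                         patterns: Iterable[str] = SESSION_COOKIE_REGEX_PATTERNS) -> list[str]:
    """Cookie names that the session-cookie patterns classify as session cookies."""
    return [name for name in cookie_names if any_match(patterns, name)]


def logged_out(response: Mapping, *,
               redirect_patterns: Iterable[str] = LOGOUT_REDIRECTION_URL_PATTERNS,
               logged_in_indicator_patterns: Iterable[str] = ()) -> bool:
    """True when the response looks like the session has ended.

    response is a constructed dict with the keys status, location and body.
    Two signals, following the table: a redirect whose Location matches a
    logout/login URL pattern, or, when logged-in indicators are configured,
    a body in which none of them appears.
    """
    if response.get("status") in REDIRECT_STATUSES and any_match(
            redirect_patterns, response.get("location", "")):
        return True
    indicators = list(logged_in_indicator_patterns)
    if indicators and not any_match(indicators, response.get("body", "")):
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs.
    print(session_cookie_names(["JSESSIONID", "_ga", "PHPSESSID", "csrf_token"]))
    print(logged_out({"status": 302, "location": "https://app.example.test/login?next=%2Fdashboard"}))
    print(logged_out({"status": 302, "location": "/loginhistory"}))                      # True: unanchored
    print(logged_out({"status": 302, "location": "/loginhistory"},
                     redirect_patterns=[r"/login(\?|$)"]))                                  # False: anchored
```

When `auto_reauthenticate` is on, every true result from `logged_out` is a re-authentication round-trip, so a pattern that fires on ordinary pages costs crawl time and can exhaust login rate limits; checking your patterns against a handful of real redirect targets before a scan is cheap insurance.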
#### NetworkConfig

| Property | Type | Required | Description |
|---|---|---|---|
| cancel_unhealthy_scan_after | integer | | The maximum time in seconds to wait for the scan to be healthy before canceling it. |
| custom_headers | Dict[string, List[string]] | | Custom headers to add to the requests. |
| escape_user | boolean | | Add the X-Escape-User header to the requests. Legacy attribute, kept for backward compatibility. |
| parallel_requests | integer | | The maximum number of parallel requests to send. |
| request_timeout_s | integer | | The maximum timeout duration for each request (in seconds). |
| requests_per_second | integer | | The maximum number of requests per second (at the API level, not the crawling level). |
| sec_escape_user | boolean | | Add the Sec-Escape-User header to the requests. New attribute, used to enable the Sec-Escape-User header for the scan. |

#### RestApiEndpointUrlRule

REST API full URL endpoint target (e.g., "app.escape.tech") with optional HTTP method (e.g., "GET", "POST", "PUT", "DELETE").

| Property | Type | Required | Description |
|---|---|---|---|
| method | HTTPMethod | | Optional HTTP method (only applicable for REST API routes). If not provided, the path will be checked on all HTTP methods. |
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[rest_api_url] | * | |
| value | string | * | |

#### RestApiPathRule

REST API path target (e.g., "/api/v1/users") with optional domain and optional HTTP method (e.g., "GET", "POST", "PUT", "DELETE").

| Property | Type | Required | Description |
|---|---|---|---|
| domain | string | | Optional domain to match exactly (only applicable for REST API routes). If not provided, the path will be checked on all domains. |
| method | HTTPMethod | | Optional HTTP method (only applicable for REST API routes). If not provided, the path will be checked on all HTTP methods. |
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[rest_api_path] | * | |
| value | string | * | |

#### StaticCrawlerConfig

Configuration options for the static crawler.

Disabled by default. When enabled, it runs a static crawl to extract and seed URLs to the scanner. This should not be enabled when using the single page worker.

| Property | Type | Required | Description |
|---|---|---|---|
| enabled | boolean | | If true, the frontend scan will run a static crawler to extract and seed URLs. |
| time_limit_seconds | integer | | Time limit for static crawling in seconds. |

#### WebAppCrawlingScopeConfig

Scope configuration for web app crawling. Only the target types web_page_url and domain are relevant here, not api_route.

| Property | Type | Required | Description |
|---|---|---|---|
| allowlist | List[DomainRule,IPRule,WebPageElementSelectorRule,WebPageUrlRule] | * | List of rules defining targets that are allowed to be crawled. |
| blocklist | List[DomainRule,IPRule,WebPageElementSelectorRule,WebPageUrlRule] | * | List of rules defining targets that should NOT be crawled. |
| extend_global_scope | boolean | | Whether to extend the scanner-specific crawling configuration from the global scope configuration at the top level. Defaults to False for safety, to avoid unintended scanning of assets and stay on the main asset being scanned. If True, domains and other targets will be added to the allow/block lists, which may cause the scanner to crawl more targets than intended. |

#### WebPageElementSelectorRule

CSS selector target (e.g., "button.logout", "a[href='/logout']").

| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[web_page_element_selector] | * | |
| value | string | * | |

#### WebPageUrlRule

Web page URL target (e.g., "app.escape.tech").

| Property | Type | Required | Description |
|---|---|---|---|
| operation | ScopeMatchOperation | | The matching operation to use. Defaults to exact match. |
| type | Const[web_page_url] | * | |
| value | string | * | |

#### FrontendDASTConfig

| Property | Type | Required | Description |
|---|---|---|---|
| frontend_dast | FrontendDASTConfig | * | |
| inference | InferenceConfig | * | |
| network | NetworkConfig | * | |
| scope | GlobalScopeConfig | * | Global scope configuration for controlling what resources scanners can access. This configuration defines allowlists and blocklists that apply to all scanners. Individual scanner configurations can extend or override these rules. |
### Enums

#### FrontendSecurityChecksTypes

| Value |
|---|
| ALL |
| NONE |
| API_CHECKS |
| ACTIVE_PAGE_CHECKS |
| PASSIVE_PAGE_CHECKS |
| NETWORK_CHECKS |

#### HTTPMethod

| Value |
|---|
| CONNECT |
| DELETE |
| GET |
| HEAD |
| OPTIONS |
| PATCH |
| POST |
| PUT |
| TRACE |

#### MatchingStrategy

| Value |
|---|
| key |
| key_strict |
| value |
| value_strict |
| key_or_value |
| key_or_value_strict |
| key_strict_or_value |
| key_and_value_strict |

#### ScalarParent

| Value |
|---|
| String |
| Int |
| Float |
| Boolean |

#### ScalarSensitivity

| Value |
|---|
| NONE |
| LOW |
| MEDIUM |
| HIGH |

#### ScanMode

| Value |
|---|
| read_only |
| read_write |

#### ScopeMatchOperation

| Value |
|---|
| equals |
| starts_with |
| ends_with |
| contains |
| regex |
| wildcard |