
Information Disclosure: Appspec Exposure

Identifier: appspec_exposure

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner ASM Scanner

Description

An appspec.yml or appspec.yaml file is the AWS CodeDeploy application specification for a deployment bundle: it declares where the bundle's files are written on the target host, the permissions applied to them, and the lifecycle hook scripts (and the user they run as) executed at each deployment phase. When a web server serves this file publicly, an attacker learns the application's on-disk layout, the paths of its deployment scripts, and any credentials or environment values a developer inlined, and can use that insight into the deployment process to target the pipeline or the host.

How we test: We request appspec.yml and appspec.yaml at the scanned origin and analyze each response to determine whether a real CodeDeploy specification, rather than a soft 404 or placeholder page, is being served, and whether it carries deployment settings, secrets, or other configuration details.
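The probing and response analysis described above, as an added example that is not the scanner's own code. It assumes an HTTP client has already fetched the two candidate paths and hands the status code, content type and body to the classifier; the sample responses, the `fake_fetch` stand-in for the client, and the hostname are constructed here so the script runs offline with only the standard library.

```python
"""Detect an exposed AWS CodeDeploy appspec file from HTTP responses.

Added example, not the scanner's own code. Sample responses and the
fake_fetch client below are constructed for the example.
"""
import re
from typing import Callable, Dict, List, Tuple

# Paths the check requests relative to the scanned origin.
CANDIDATE_PATHS = ["/appspec.yml", "/appspec.yaml"]

# Top-level keys defined by the CodeDeploy AppSpec format (EC2/on-premises
# use lowercase keys; Lambda/ECS variants capitalise some, so we compare
# case-insensitively).
APPSPEC_KEYS = {"version", "os", "files", "permissions", "hooks", "resources"}

# Lines that suggest a credential was inlined in the file.
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]"),
    re.compile(r"AKIA[0-9A-Z]{16}"),  # AWS access key ID format
]

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:", re.MULTILINE)


def top_level_keys(body: str) -> set:
    """Collect unindented 'key:' names without needing a YAML parser."""
    return {m.group(1).lower() for m in TOP_LEVEL_KEY.finditer(body)}


def classify_response(status: int, content_type: str, body: str) -> Dict:
    """Decide whether one response is a served appspec and what it leaks."""
    result = {"exposed": False, "keys": [], "secrets": [], "hook_scripts": []}
    if status != 200:
        return result
    # Many servers answer unknown paths with a 200 HTML page; that is not YAML.
    if "text/html" in content_type.lower() or \
            body.lstrip().lower().startswith(("<!doctype", "<html")):
        return result
    keys = top_level_keys(body)
    matched = sorted(keys & APPSPEC_KEYS)
    # 'version' is mandatory in every AppSpec variant; require a second
    # known key so arbitrary YAML is not reported.
    if "version" not in keys or len(matched) < 2:
        return result
    result["exposed"] = True
    result["keys"] = matched
    # Hook script paths tell an attacker which files run (often as root).
    result["hook_scripts"] = sorted(set(re.findall(r"location:\s*(\S+)", body)))
    for lineno, line in enumerate(body.splitlines(), 1):
        if any(p.search(line) for p in SECRET_PATTERNS):
            result["secrets"].append(lineno)
    return result


def scan(base_url: str,
         fetch: Callable[[str], Tuple[int, str, str]]) -> List[Dict]:
    """Probe each candidate path; fetch(url) returns (status, content_type, body)."""
    findings = []
    for path in CANDIDATE_PATHS:
        url = base_url.rstrip("/") + path
        verdict = classify_response(*fetch(url))
        if verdict["exposed"]:
            verdict["url"] = url
            findings.append(verdict)
    return findings


# Constructed sample responses: (status, content type, body).
SAMPLES = {
    "exposed": (200, "text/yaml", """version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/app
hooks:
  BeforeInstall:
    - location: scripts/install_deps.sh
      runas: root
  ApplicationStart:
    - location: scripts/start.sh
"""),
    "exposed_with_secret": (200, "application/octet-stream", """version: 0.0
os: linux
hooks:
  AfterInstall:
    - location: scripts/configure.sh
      runas: root
# TODO remove: DB_PASSWORD=hunter2
"""),
    "soft_404": (200, "text/html", "<!DOCTYPE html><html><body>Not found</body></html>"),
    "not_found": (404, "text/plain", "Not Found"),
}


def fake_fetch(url: str) -> Tuple[int, str, str]:
    """Constructed stand-in for an HTTP client, keyed on the requested path."""
    if url.endswith("/appspec.yml"):
        return SAMPLES["exposed_with_secret"]
    if url.endswith("/appspec.yaml"):
        return SAMPLES["not_found"]
    return SAMPLES["soft_404"]


if __name__ == "__main__":
    for finding in scan("https://app.example.test", fake_fetch):
        print(finding)
```

The classifier deliberately refuses HTML bodies and YAML without both `version` and a second AppSpec key, which is what separates a genuine exposure from a catch-all 200 page; the secret scan is a heuristic over individual lines and will miss values split across lines or stored under unusual key names.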

Configuration

Example

Example configuration:

---
security_tests:
  appspec_exposure:
    skip: false

Reference

skip

Type : boolean

Skip the test if true.