Scans Management¶
Scans are the core of Escape's security testing capabilities. Each scan executes comprehensive security tests against your applications, identifying vulnerabilities, misconfigurations, and security risks.
Understanding Scans¶
A scan represents a single execution of security tests against a configured profile. During a scan, Escape:
- Analyzes your application's API or web interface
- Tests for security vulnerabilities across multiple categories
- Generates detailed findings with reproduction steps
- Provides remediation guidance for identified issues
Scans can be triggered manually, scheduled automatically, or integrated into CI/CD pipelines.
Listing Scans¶
List all scans with flexible filtering options.
Aliases: list, ls
Filtering Options:
| Flag | Short | Description | Values |
|---|---|---|---|
--profile-id | -p | Filter by profile ID(s) | Comma-separated UUIDs |
--status | -s | Filter by scan status | STARTING, RUNNING, FINISHED, FAILED, CANCELED |
--kind | -k | Filter by scanner type | BLST_REST, BLST_GRAPHQL, FRONTEND_DAST |
--initiator | -i | Filter by initiator | MANUAL, API, SCHEDULED, CI |
--after | Show scans after date | RFC3339 format (e.g., 2025-01-01T00:00:00Z) | |
--before | Show scans before date | RFC3339 format | |
--ignored | Filter by ignored status | true, false |
Basic Example:
Advanced Filtering Examples:
# List only running scans
escape-cli scans list --status RUNNING
# List failed scans from last week
escape-cli scans list --status FAILED --after 2025-01-01T00:00:00Z
# List CI-triggered scans for multiple profiles
escape-cli scans list -p profile-1,profile-2 -i CI
# List REST API scans only
escape-cli scans list --kind BLST_REST
# Export to JSON
escape-cli scans list -o json > scans.json
Example Output:
ID CREATED AT KIND STATUS PROGRESS LINK
00000000-0000-0000-0000-000000000001 2025-02-05 08:34:47.541 +0000 UTC BLST_REST FINISHED 1.000000 https://...
00000000-0000-0000-0000-000000000002 2025-02-02 08:27:23.919 +0000 UTC BLST_GRAPHQL RUNNING 0.453000 https://...
00000000-0000-0000-0000-000000000003 2025-01-31 18:35:48.477 +0000 UTC FRONTEND_DAST FINISHED 1.000000 https://...
Scan Statuses¶
| Status | Description |
|---|---|
STARTING | Scan initialization |
RUNNING | Scan actively executing |
FINISHED | Scan completed successfully |
FAILED | Scan encountered an error |
CANCELED | Scan was manually cancelled |
Scanner Types¶
| Type | Description |
|---|---|
BLST_REST | REST API security testing |
BLST_GRAPHQL | GraphQL API security testing |
FRONTEND_DAST | Web application security testing |
Scan Initiators¶
| Initiator | Description |
|---|---|
MANUAL | Manually started via UI or CLI |
API | Started via API call |
SCHEDULED | Scheduled/cron triggered |
CI | CI/CD pipeline triggered |
Getting Scan Details¶
Retrieve detailed information about a specific scan.
Aliases: describe, show, status
Example:
Example Output:
ID STATUS CREATED AT PROGRESS
00000000-0000-0000-0000-000000000001 FINISHED 2024-11-27 08:06:59.576 +0000 UTC 1.000000
Starting a Scan¶
Initiate a new security scan against a profile.
Basic Usage¶
Example:
The command returns the scan ID. Save it to monitor progress:
Start and Watch¶
Monitor the scan in real-time by adding the --watch flag:
Short form:
Including Commit Metadata¶
When running scans from CI/CD pipelines, include commit information for better traceability:
escape-cli scans start <profile-id> \
--commit-hash "a1b2c3d4" \
--commit-branch "feature/security-improvements" \
--commit-author "john.doe@example.com" \
--commit-link "https://github.com/org/repo/commit/a1b2c3d4" \
--profile-picture "https://github.com/johndoe.png"
Available commit metadata flags:
| Flag | Description | Example |
|---|---|---|
--commit-hash | Git commit SHA | a1b2c3d4 |
--commit-branch | Branch name | main, feature/auth |
--commit-author | Author email | dev@example.com |
--commit-link | Commit URL | Full GitHub/GitLab URL |
--profile-picture | Author avatar URL | Avatar image URL |
CI/CD Auto-Detection¶
The CLI automatically detects and uses commit information from CI/CD environments:
GitHub Actions:
- Auto-detects:
GITHUB_SHA,GITHUB_REF_NAME,GITHUB_ACTOR,GITHUB_ACTOR_ID - Automatically builds commit link from repository info
GitLab CI:
- Auto-detects:
CI_COMMIT_SHA,CI_COMMIT_REF_NAME,GITLAB_USER_EMAIL - Automatically builds commit link from
CI_PROJECT_URL
CircleCI:
- Auto-detects:
CIRCLE_SHA1,CIRCLE_BRANCH,CIRCLE_USERNAME
Generic/Local:
- Uses:
COMMIT_HASH,COMMIT_LINK,COMMIT_BRANCH,COMMIT_AUTHOR
When running in these environments, commit metadata is populated automatically - no flags needed!
Configuration Overrides¶
Override scan configuration using JSON:
Short form:
Common override examples:
# Run scan in read-only mode (no mutations)
--override '{"scan": {"read_only": true}}'
# Set custom timeout (in seconds)
--override '{"scan": {"timeout": 3600}}'
# Limit scan depth
--override '{"scan": {"max_depth": 5}}'
Watching Scan Progress¶
Monitor a running scan in real-time.
This command:
- Connects to the scan in progress
- Streams real-time events and progress updates
- Displays findings as they're discovered
- Blocks until the scan completes
- Returns exit code 0 on success, non-zero on failure
Example:
# Start a scan and save the ID
SCAN_ID=$(escape-cli scans start <profile-id> -o json | jq -r '.id')
# Watch the scan progress
escape-cli scans watch $SCAN_ID
Typical output:
Scan 00000000-0000-0000-0000-000000000001
Status: RUNNING
Progress: 25%
Tests completed: 150/600
Finding: SQL Injection vulnerability detected
Severity: HIGH
Endpoint: POST /api/users/search
...
Retrieving Scan Issues¶
List all security findings from a completed scan.
Aliases: issues, results, res, result, iss
Example:
Example Output:
ID SEVERITY TYPE CATEGORY NAME IGNORED URL
00000000-0000-0000-0000-000000000001 HIGH API INJECTION SQL Injection false https://app.escape.tech/scan/xxx/issues/xxx/overview/
00000000-0000-0000-0000-000000000002 MEDIUM API PROTOCOL Insecure Security Policy header false https://app.escape.tech/scan/xxx/issues/xxx/overview/
00000000-0000-0000-0000-000000000003 LOW API INFORMATION_DISCLOSURE Debug mode enabled false https://app.escape.tech/scan/xxx/issues/xxx/overview/
Filtering Issues¶
Get specific issue details:
# Get issues in JSON format for parsing
escape-cli scans issues <scan-id> -o json
# Filter high severity issues
escape-cli scans issues <scan-id> -o json | jq '.[] | select(.severity=="HIGH")'
# Count issues by severity
escape-cli scans issues <scan-id> -o json | jq 'group_by(.severity) | map({severity: .[0].severity, count: length})'
Cancelling a Scan¶
Stop a running scan before it completes.
Example:
When to Cancel Scans
- The scan is taking longer than expected
- You need to update the profile configuration
- Resources are needed for higher priority scans
- The wrong profile or configuration was used
Ignoring a Scan¶
Mark a scan as ignored, excluding it from reports and metrics.
Example:
Use cases for ignoring scans:
- Test runs during configuration
- Failed scans due to temporary issues
- Scans with incorrect settings
- Historical scans that should be excluded from metrics
Complete Scan Workflow¶
Here's a typical end-to-end scan workflow:
#!/bin/bash
set -e
# Configuration
PROFILE_ID="00000000-0000-0000-0000-000000000001"
# Start the scan and capture ID
echo "Starting security scan..."
SCAN_ID=$(escape-cli scans start "${PROFILE_ID}" -o json | jq -r '.id')
echo "Scan ID: ${SCAN_ID}"
# Watch the scan progress
echo "Monitoring scan progress..."
escape-cli scans watch "${SCAN_ID}"
# Retrieve results
echo "Fetching scan results..."
escape-cli scans issues "${SCAN_ID}" -o json > scan-results.json
# Check for high severity issues
HIGH_ISSUES=$(jq '[.[] | select(.severity=="HIGH" or .severity=="CRITICAL")] | length' scan-results.json)
if [ "$HIGH_ISSUES" -gt 0 ]; then
echo "ERROR: Found $HIGH_ISSUES high/critical severity issues"
jq '.[] | select(.severity=="HIGH" or .severity=="CRITICAL") | {severity, name, category}' scan-results.json
exit 1
else
echo "SUCCESS: No high/critical severity issues found"
exit 0
fi
CI/CD Integration¶
GitHub Actions Example¶
name: Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Install Escape CLI
run: |
curl -sf https://raw.githubusercontent.com/Escape-Technologies/cli/refs/heads/main/scripts/install.sh | sudo bash
- name: Run Security Scan
env:
ESCAPE_API_KEY: ${{ secrets.ESCAPE_API_KEY }}
run: |
SCAN_ID=$(escape-cli scans start ${{ vars.PROFILE_ID }} \
--commit-hash ${{ github.sha }} \
--commit-branch ${{ github.ref_name }} \
--commit-author ${{ github.actor }} \
--commit-link ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} \
-o json | jq -r '.id')
escape-cli scans watch $SCAN_ID
escape-cli scans issues $SCAN_ID -o json > results.json
- name: Upload Results
uses: actions/upload-artifact@v3
with:
name: security-scan-results
path: results.json
See CI/CD Integration for more examples.
Scan Scheduling¶
While the CLI allows on-demand scan execution, you can configure recurring scans through the Escape web interface:
- Navigate to your profile settings
- Configure the scan schedule (cron expression)
- Set scan parameters and notification preferences
Scheduled scans run automatically without CLI intervention.
Best Practices¶
Scan Frequency¶
- Production: Weekly or bi-weekly scheduled scans
- Staging: After each deployment
- Development: On-demand or per pull request
- Critical APIs: Daily scans for high-value targets
Resource Management¶
- Cancel stale or stuck scans to free resources
- Monitor scan duration and optimize configurations
- Stagger scheduled scans to avoid resource contention
Result Management¶
- Archive scan results for compliance and auditing
- Track security trends over time
- Automate issue creation in bug tracking systems
Error Handling¶
Always check scan status and handle failures:
if escape-cli scans start <profile-id>; then
echo "Scan started successfully"
else
echo "Failed to start scan"
exit 1
fi
Troubleshooting¶
Scan Stuck in QUEUED¶
If a scan remains queued:
- Check location health:
escape-cli locations list - Verify the location is enabled and running
- Cancel and restart the scan if necessary
Scan Fails Immediately¶
Common causes:
- Target application is unreachable
- Authentication credentials are invalid
- Network connectivity issues
- Configuration errors in the profile
Check scan details for error messages:
No Issues Returned¶
If a scan completes but shows no issues:
- Verify the scan completed successfully
- Check the scan didn't run in read-only mode accidentally
- Review scan configuration for scope limitations
Performance Issues¶
If scans take too long:
- Review scan configuration for unnecessary depth
- Enable read-only mode for faster passive scanning
- Consider splitting into multiple focused profiles
Next Steps¶
- Issues Management - Learn to manage and triage security findings
- Locations Management - Configure scan execution locations
- Scan Problems - Troubleshoot scan failures
- Practical Recipes - Complete scan automation examples
- CI/CD Integration - Integrate scans into your pipeline