Skip to main content

Reference

Scan Parameters

Example

Here is an example of a ScanParams object:

scan:
blacklist:
routes:
- path: "/a/path/to/blacklist"
method: GET
- path: "/another/path/to/blacklist"
method: POST
hotstart:
- |-
POST /register HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194

{"my": "data"}
- |+
GET /users HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 194

profile: surface | marketing | cicd | default | deep | unrestricted
read_only: true | false
scalars:
SSET:
description: The Super Secret Example Token is internal to our company and should
never been exposed by any APIs.
examples:
- SSET-ABC12
names:
- SSET
- super_secret_example_token
- SuperSecretExampleToken
parents:
- String
patterns:
- SSET-[A-Z0-9]{5}
sensitivity: HIGH
detection: key_or_value_strict
entropy: 2

BlackListParams

PropertyTypeRequiredDescriptionReference
routesBlacklistRouteRuleFalseBlacklistRouteRule
querystringFalse
mutationstringFalse
subscriptionstringFalse
objectsstringFalse

BlacklistRouteRule

PropertyTypeRequiredDescriptionReference
methodstringFalseThe method is an HTTP method (GET, POST, PUT, DELETE, etc.).
pathstringFalseThe path is a valid OpenAPI path.

ScanParams

PropertyTypeRequiredDescriptionReference
profileScanProfileFalseThe scan profileScanProfile
read_onlybooleanFalseThe choosen mode for the tested API. Default mode is read-write and suited to development environment. The read_only mode is safe for production environments, but will reduce the number of tests performed and the scan coverage..
hotstartstringFalseRaw queries to hotstart the API exploration.
blacklistBlackListParamsFalseThe operations that will be skipped by security tests. See more in the dedicated documentation section..BlackListParams
scalarsDict[string, CustomScalarParams]FalseThe user's defined scalars.CustomScalarParams

ScanProfile

  • surface
  • marketing
  • cicd
  • default
  • deep
  • unrestricted

Client Parameters

Example

Here is an example of a ClientParams object:

client:
concurrent_connection: 64
concurrent_tasks: 8
proxy:
type: escape | http | repeater
request_timeout: 5
requests_per_minute: 50 * 60

ClientParams

PropertyTypeRequiredDescriptionReference
request_timeoutintegerFalseThe maximum timeout duration for each request (in seconds). See more in the dedicated documentation section.
concurrent_connectionintegerFalseThe maximum size of the connections pool.
concurrent_tasksintegerFalseThe maximum number of parallel tasks.
requests_per_minuteintegerFalseThe maximum number of request per minute. Which will be used on a per second window.
proxyRepeaterProxyType HTTPProxyType EscapeProxyTypeFalseThe Proxy to use for the requests. See more in the Scan Internal APIs documentation section.