Skip to main content

Objects

AlertModel

PropertyTypeRequiredDescriptionReference
severitySEVERITYTrueSeverity of the alertSEVERITY
namestringTrueName of the alert
contextstringTrueContext of the alert
categoryCATEGORYFalseCategory of the alertCATEGORY
descriptionstringFalseDescription of the alert
remediationstringFalseRemediation of the alert
complianceComplianceFalseCompliance standards violated by this alertCompliance

Compliance

PropertyTypeRequiredDescriptionReference
owaspstringFalse
pci-dssstringFalse
gdprstringFalse
soc2stringFalse
psd2stringFalse
iso27001stringFalse
niststringFalse
fedrampstringFalse
nis2stringFalse
hipaastringFalse

CrudDetector

PropertyTypeRequiredDescriptionReference
isCRUDFalseCondition is the request is this CRUD operationCRUD
is_notCRUDFalseCondition is the request is not this CRUD operationCRUD
inCRUDFalseCondition is the request is in this list of CRUD operations (exact match)CRUD
ifConst[helpers.request.crud]FalseUse this to select against the detected CRUD operation of the request.

HTTPRAWSeeder

PropertyTypeRequiredDescriptionReference
protocolConst[http]FalseThe HTTP seeder allows you to send a request at the start of the scan.
rawstringTrueThe raw HTTP request in nuclei format.
userstringFalseThe user to use for the request. If not provided, the request is sent without authentication.

LogicalAndDetector

PropertyTypeRequiredDescriptionReference
and`ScanTypeDetectorResponseDurationDetectorRequestUserDetectorLogicalAndDetectorRequestBodyTextDetectorResponseBodyJSONDetectorLogicalNotDetectorCrudDetectorRequestIsAuthenticatedDetectorSchemaNeedAuthenticationDetectorResponseBodyTextDetectorMethodDetectorSchemaUrlDetectorResponseObjectDetectorRequestBodyJSONDetectorSchemaPathRefDetectorLogicalOrDetectorRequestHeadersDetectorResponseHeadersDetectorResponseStatusCodeDetectorRequestObjectDetectorResponseIsSuccessfulDetector`FalseLogical and on a list of detectors[ScanTypeDetectorResponseDurationDetectorRequestUserDetectorLogicalAndDetectorRequestBodyTextDetectorResponseBodyJSONDetectorLogicalNotDetectorCrudDetectorRequestIsAuthenticatedDetectorSchemaNeedAuthenticationDetectorResponseBodyTextDetectorMethodDetectorSchemaUrlDetectorResponseObjectDetectorRequestBodyJSONDetectorSchemaPathRefDetectorLogicalOrDetectorRequestHeadersDetectorResponseHeadersDetectorResponseStatusCodeDetectorRequestObjectDetectorResponseIsSuccessfulDetector](#ScanTypeDetectorResponseDurationDetectorRequestUserDetectorLogicalAndDetectorRequestBodyTextDetectorResponseBodyJSONDetectorLogicalNotDetectorCrudDetectorRequestIsAuthenticatedDetectorSchemaNeedAuthenticationDetectorResponseBodyTextDetectorMethodDetectorSchemaUrlDetectorResponseObjectDetectorRequestBodyJSONDetectorSchemaPathRefDetectorLogicalOrDetectorRequestHeadersDetectorResponseHeadersDetectorResponseStatusCodeDetectorRequestObjectDetectorResponseIsSuccessfulDetector)
ifConst[and]FalseUse this to apply a logical and on a list of detectors.

LogicalNotDetector

PropertyTypeRequiredDescriptionReference
not`ScanTypeDetectorResponseDurationDetectorRequestUserDetectorLogicalAndDetectorRequestBodyTextDetectorResponseBodyJSONDetectorLogicalNotDetectorCrudDetectorRequestIsAuthenticatedDetectorSchemaNeedAuthenticationDetectorResponseBodyTextDetectorMethodDetectorSchemaUrlDetectorResponseObjectDetectorRequestBodyJSONDetectorSchemaPathRefDetectorLogicalOrDetectorRequestHeadersDetectorResponseHeadersDetectorResponseStatusCodeDetectorRequestObjectDetectorResponseIsSuccessfulDetector`FalseLogical not of a detector[ScanTypeDetectorResponseDurationDetectorRequestUserDetectorLogicalAndDetectorRequestBodyTextDetectorResponseBodyJSONDetectorLogicalNotDetectorCrudDetectorRequestIsAuthenticatedDetectorSchemaNeedAuthenticationDetectorResponseBodyTextDetectorMethodDetectorSchemaUrlDetectorResponseObjectDetectorRequestBodyJSONDetectorSchemaPathRefDetectorLogicalOrDetectorRequestHeadersDetectorResponseHeadersDetectorResponseStatusCodeDetectorRequestObjectDetectorResponseIsSuccessfulDetector](#ScanTypeDetectorResponseDurationDetectorRequestUserDetectorLogicalAndDetectorRequestBodyTextDetectorResponseBodyJSONDetectorLogicalNotDetectorCrudDetectorRequestIsAuthenticatedDetectorSchemaNeedAuthenticationDetectorResponseBodyTextDetectorMethodDetectorSchemaUrlDetectorResponseObjectDetectorRequestBodyJSONDetectorSchemaPathRefDetectorLogicalOrDetectorRequestHeadersDetectorResponseHeadersDetectorResponseStatusCodeDetectorRequestObjectDetectorResponseIsSuccessfulDetector)
ifConst[not]FalseUse this to apply a logical not on a detector.

LogicalOrDetector

PropertyTypeRequiredDescriptionReference
or`ScanTypeDetectorResponseDurationDetectorRequestUserDetectorLogicalAndDetectorRequestBodyTextDetectorResponseBodyJSONDetectorLogicalNotDetectorCrudDetectorRequestIsAuthenticatedDetectorSchemaNeedAuthenticationDetectorResponseBodyTextDetectorMethodDetectorSchemaUrlDetectorResponseObjectDetectorRequestBodyJSONDetectorSchemaPathRefDetectorLogicalOrDetectorRequestHeadersDetectorResponseHeadersDetectorResponseStatusCodeDetectorRequestObjectDetectorResponseIsSuccessfulDetector`FalseLogical or on a list of detectors[ScanTypeDetectorResponseDurationDetectorRequestUserDetectorLogicalAndDetectorRequestBodyTextDetectorResponseBodyJSONDetectorLogicalNotDetectorCrudDetectorRequestIsAuthenticatedDetectorSchemaNeedAuthenticationDetectorResponseBodyTextDetectorMethodDetectorSchemaUrlDetectorResponseObjectDetectorRequestBodyJSONDetectorSchemaPathRefDetectorLogicalOrDetectorRequestHeadersDetectorResponseHeadersDetectorResponseStatusCodeDetectorRequestObjectDetectorResponseIsSuccessfulDetector](#ScanTypeDetectorResponseDurationDetectorRequestUserDetectorLogicalAndDetectorRequestBodyTextDetectorResponseBodyJSONDetectorLogicalNotDetectorCrudDetectorRequestIsAuthenticatedDetectorSchemaNeedAuthenticationDetectorResponseBodyTextDetectorMethodDetectorSchemaUrlDetectorResponseObjectDetectorRequestBodyJSONDetectorSchemaPathRefDetectorLogicalOrDetectorRequestHeadersDetectorResponseHeadersDetectorResponseStatusCodeDetectorRequestObjectDetectorResponseIsSuccessfulDetector)
ifConst[or]FalseUse this to apply a logical or on a list of detectors.

MethodDetector

PropertyTypeRequiredDescriptionReference
isHTTP_METHODFalseCondition is the request is this CRUD operationHTTP_METHOD
is_notHTTP_METHODFalseCondition is the request is not this CRUD operationHTTP_METHOD
inHTTP_METHODFalseCondition is the request is in this list of CRUD operations (exact match)HTTP_METHOD
ifConst[request.method]FalseUse this to select against the request HTTP method.

MethodMutator

PropertyTypeRequiredDescriptionReference
keyConst[request.method]FalseYou can use this mutator to change the HTTP method of the
valueHTTP_METHODFalseThe value to set.HTTP_METHOD
valuesHTTP_METHODFalseThe values to set, generates multiple queries.HTTP_METHOD

Middleware

PropertyTypeRequiredDescriptionReference
trigger`CrudDetectorLogicalAndDetectorLogicalNotDetectorLogicalOrDetectorMethodDetectorRequestBodyJSONDetectorRequestBodyTextDetectorRequestHeadersDetectorRequestIsAuthenticatedDetectorRequestObjectDetectorRequestUserDetectorResponseBodyJSONDetectorResponseBodyTextDetectorResponseDurationDetectorResponseHeadersDetectorResponseIsSuccessfulDetectorResponseObjectDetectorResponseStatusCodeDetectorScanTypeDetectorSchemaNeedAuthenticationDetectorSchemaPathRefDetectorSchemaUrlDetector`TrueThe detectors to trigger the transform, on the request or response. See
mutate`MethodMutatorRequestBodyJSONMutatorRequestBodyTextMutatorRequestHeadersMutatorRequestObjectMutatorRequestUserMutatorSchemaPathRefMutatorSchemaUrlMutator`TrueThe mutations to apply to the request and replay it. See Mutators

ObjectMatcher

PropertyTypeRequiredDescriptionReference
typeObjectTypeMatcherFalseObject scalar type to matchObjectTypeMatcher
nameStringMatcherFalseObject scalar name to matchStringMatcher
valueStringMatcherFalseObject scalar value to matchStringMatcher

ObjectMutate

PropertyTypeRequiredDescriptionReference
valuestringFalseThe value to set.
valuesstringFalseThe values to set, generates multiple queries.
regex_replaceRegexReplaceFalseRegex replace pattern.RegexReplace

ObjectTypeMatcher

PropertyTypeRequiredDescriptionReference
isOBJECT_TYPEFalseObject type is exactly this typeOBJECT_TYPE
is_notOBJECT_TYPEFalseObject type is any this type except this oneOBJECT_TYPE
inOBJECT_TYPEFalseObject type is in the following listOBJECT_TYPE

RESTSeeder

PropertyTypeRequiredDescriptionReference
protocolConst[rest]FalseThe REST seeder allows you to send a request that adapts to the host of your current scan.
userstringFalseThe user to use for the request. If not provided, the request is sent without authentication.
pathstringFalse
methodHTTP_METHODFalseHTTP_METHOD
headersDict[string, string]False
bodystringFalse
paramsDict[string, string]False

RegexReplace

PropertyTypeRequiredDescriptionReference
patternstringTrueThe regex pattern to match.
replacementstringTrueThe replacement, use \1, \2, ... to refer capture groups.

RequestBodyJSONDetector

PropertyTypeRequiredDescriptionReference
isDict[string, None]FalseCondition is this exact JSON
is_notDict[string, None]FalseCondition is not this exact JSON
inDict[string, None]FalseCondition is in this list of JSON
jqstringFalseJQ query to match and use as boolean
ifConst[request.body.json]FalseUse this to select and compare the request body when detected as JSON, using jq-like syntax.

RequestBodyJSONMutator

PropertyTypeRequiredDescriptionReference
keyConst[request.body.json]FalseYou can use this mutator to change the JSON body of the request before resending it.
jqstringFalseJQ query to apply to the JSON body. Seestedolan.github.io

RequestBodyTextDetector

PropertyTypeRequiredDescriptionReference
isstringFalseCondition is this exact string
is_notstringFalseCondition is not this exact string
instringFalseCondition is in this list (exact match)
containsstringFalseContains this string
regexstringFalseCondition is matched on this regex with fullmatch
ifConst[request.body.text]FalseUse this to select and compare the request body as text, using string compare.

RequestBodyTextMutator

PropertyTypeRequiredDescriptionReference
valuestringFalseThe value to set.
valuesstringFalseThe values to set, generates multiple queries.
regex_replaceRegexReplaceFalseRegex replace pattern.RegexReplace
keyConst[request.body.text]FalseYou can use this mutator to change the body (as text) of the request before resending it.

RequestHeadersDetector

PropertyTypeRequiredDescriptionReference
keyStringMatcherFalseKey to matchStringMatcher
valueStringMatcherFalseValue to matchStringMatcher
ifConst[request.headers]FalseUse that to select and compare the request headers in a key value dictionary.

RequestHeadersMutator

PropertyTypeRequiredDescriptionReference
valuestringFalseThe value to set.
valuesstringFalseThe values to set, generates multiple queries.
regex_replaceRegexReplaceFalseRegex replace pattern.RegexReplace
keyConst[request.headers]FalseYou can use this mutator to change the headers of the request before resending it.
namestringTrueThe header name to match, supports regex.
deletebooleanFalseDelete the matched headers.

RequestIsAuthenticatedDetector

PropertyTypeRequiredDescriptionReference
isbooleanFalseCondition is true
is_notbooleanFalseCondition is false
ifConst[request.is_authenticated]FalseUse this to select whether or not whether the request is authenticated.

RequestObjectDetector

PropertyTypeRequiredDescriptionReference
typeObjectTypeMatcherFalseObject scalar type to matchObjectTypeMatcher
nameStringMatcherFalseObject scalar name to matchStringMatcher
valueStringMatcherFalseObject scalar value to matchStringMatcher
ifConst[request.object]FalseUse this to select and compare the detected object scalars (including custom scalars) in the request, with their kind, name and value.

RequestObjectMutator

PropertyTypeRequiredDescriptionReference
keyConst[request.object]FalseThe detected object scalars (including custom scalars) in the request, with their kind, name and value.
selectObjectMatcherTrueObjectMatcher
mutateObjectMutateTrueObjectMutate

RequestUserDetector

PropertyTypeRequiredDescriptionReference
isstringFalseCondition is this exact string
is_notstringFalseCondition is not this exact string
instringFalseCondition is in this list (exact match)
containsstringFalseContains this string
regexstringFalseCondition is matched on this regex with fullmatch
ifConst[request.user]FalseUse this to string compare the configured user for the request.

RequestUserMutator

PropertyTypeRequiredDescriptionReference
valuestringFalseThe value to set.
valuesstringFalseThe values to set, generates multiple queries.
regex_replaceRegexReplaceFalseRegex replace pattern.RegexReplace
keyConst[request.user]FalseYou can use this mutator to change the user of the request before resending it.
drop_userbooleanFalseRemove the user authentication from the request.

ResponseBodyJSONDetector

PropertyTypeRequiredDescriptionReference
isDict[string, None]FalseCondition is this exact JSON
is_notDict[string, None]FalseCondition is not this exact JSON
inDict[string, None]FalseCondition is in this list of JSON
jqstringFalseJQ query to match and use as boolean
ifConst[response.body.json]FalseUse this to select and compare the response body when detected as JSON, using jq-like syntax.

ResponseBodyTextDetector

PropertyTypeRequiredDescriptionReference
isstringFalseCondition is this exact string
is_notstringFalseCondition is not this exact string
instringFalseCondition is in this list (exact match)
containsstringFalseContains this string
regexstringFalseCondition is matched on this regex with fullmatch
ifConst[response.body.text]FalseUse this to select and compare the response body as text, using string compare.

ResponseDurationDetector

PropertyTypeRequiredDescriptionReference
isintegerFalseCondition is this exact integer
is_notintegerFalseCondition is not this exact integer
inintegerFalseCondition is in this list of integers (exact match)
gtintegerFalseCondition is greater than this integer
ltintegerFalseCondition is less than this integer
ifConst[response.duration_ms]FalseUse this to compare the duration of the request in milliseconds.

ResponseHeadersDetector

PropertyTypeRequiredDescriptionReference
keyStringMatcherFalseKey to matchStringMatcher
valueStringMatcherFalseValue to matchStringMatcher
ifConst[response.headers]FalseUse that to select and compare the response headers in a key value dictionary.

ResponseIsSuccessfulDetector

PropertyTypeRequiredDescriptionReference
isbooleanFalseCondition is true
is_notbooleanFalseCondition is false
ifConst[helpers.response.is_successful]FalseUse this to check whether the response is successful.

ResponseObjectDetector

PropertyTypeRequiredDescriptionReference
typeObjectTypeMatcherFalseObject scalar type to matchObjectTypeMatcher
nameStringMatcherFalseObject scalar name to matchStringMatcher
valueStringMatcherFalseObject scalar value to matchStringMatcher
ifConst[response.object]FalseUse this to select and compare the detected object scalars (including custom scalars) in the response, with their kind, name and value.

ResponseStatusCodeDetector

PropertyTypeRequiredDescriptionReference
isintegerFalseCondition is this exact integer
is_notintegerFalseCondition is not this exact integer
inintegerFalseCondition is in this list of integers (exact match)
gtintegerFalseCondition is greater than this integer
ltintegerFalseCondition is less than this integer
ifConst[response.status_code]FalseUse this to compare the HTTP status code as an integer.

ScanTypeDetector

PropertyTypeRequiredDescriptionReference
isSCAN_TYPEFalseThe scan type is exactly thisSCAN_TYPE
is_notSCAN_TYPEFalseThe scan type is not this typeSCAN_TYPE
inSCAN_TYPEFalseThe scan type is in this listSCAN_TYPE
ifConst[scan.type]FalseUse this to select against the type of the scan.

SchemaNeedAuthenticationDetector

PropertyTypeRequiredDescriptionReference
isbooleanFalseCondition is true
is_notbooleanFalseCondition is false
ifConst[schema.need_authentication]FalseUse this to select whether or not the schema requires authentication.

SchemaPathRefDetector

PropertyTypeRequiredDescriptionReference
isstringFalseCondition is this exact string
is_notstringFalseCondition is not this exact string
instringFalseCondition is in this list (exact match)
containsstringFalseContains this string
regexstringFalseCondition is matched on this regex with fullmatch
ifConst[schema.path_ref]FalseUse this to string compare the operation name in GraphQL or the path in REST.

SchemaPathRefMutator

PropertyTypeRequiredDescriptionReference
valuestringFalseThe value to set.
valuesstringFalseThe values to set, generates multiple queries.
regex_replaceRegexReplaceFalseRegex replace pattern.RegexReplace
keyConst[schema.path_ref]FalseYou can use this mutator to change the operation name in GraphQL or the path in REST (keeping the domain) before resending it.

SchemaUrlDetector

PropertyTypeRequiredDescriptionReference
isstringFalseCondition is this exact string
is_notstringFalseCondition is not this exact string
instringFalseCondition is in this list (exact match)
containsstringFalseContains this string
regexstringFalseCondition is matched on this regex with fullmatch
ifConst[schema.url]FalseUse this to string compare the URL of the request.

SchemaUrlMutator

PropertyTypeRequiredDescriptionReference
valuestringFalseThe value to set.
valuesstringFalseThe values to set, generates multiple queries.
regex_replaceRegexReplaceFalseRegex replace pattern.RegexReplace
keyConst[schema.url]FalseYou can use this mutator to change the URL of the request before resending it.

StringMatcher

PropertyTypeRequiredDescriptionReference
isstringFalseCondition is this exact string
is_notstringFalseCondition is not this exact string
instringFalseCondition is in this list (exact match)
containsstringFalseContains this string
regexstringFalseCondition is matched on this regex with fullmatch

Enums

CATEGORY

  • ACCESS_CONTROL

  • CONFIGURATION

  • INFORMATION_DISCLOSURE

  • INJECTION

  • PROTOCOL

  • REQUEST_FORGERY

  • RESOURCE_LIMITATION

  • SCHEMA

  • CUSTOM

CRUD

  • CREATE

  • READ

  • UPDATE

  • DELETE

HTTP_METHOD

  • GET

  • POST

  • PUT

  • DELETE

  • HEAD

  • PATCH

  • OPTIONS

  • TRACE

  • CONNECT

OBJECT_TYPE

  • abbysale

  • abstract

  • abuseipdb

  • accuweather

  • adafruit_api_key

  • adobe_client_id

  • adobe_client_secret

  • adzuna_private

  • adzuna_public

  • aeroworkflow_client

  • aeroworkflow_private

  • age_secret_key

  • agora

  • airbrakeproject_private_key

  • airbrakeproject_pub_key

  • airbrakeuserkey

  • airship_private

  • airtable_api_key

  • airvisual

  • alconost

  • alegra

  • aletheiaapi

  • algolia_api_key

  • algoliaadminkey

  • alibaba_access_key_id

  • alibaba_secret_key

  • alienvault

  • allsports

  • amadeus

  • ambee

  • amount

  • amplitudeapikey

  • anypoint

  • apacta

  • api2cart

  • apideck_secret

  • apideck_user

  • apiflash

  • apifonica

  • apify

  • apimatic

  • apiscience

  • apollo

  • appcues

  • appfollow

  • application

  • appsynergy

  • apptivo

  • area_code

  • artifactory_secret

  • artsy

  • asana_client_id

  • asana_client_secret

  • asanaoauth

  • asanapersonalaccesstoken

  • assemblyai

  • atlassian_api_token

  • audd

  • auth0managementapitoken

  • authentication

  • author

  • authorization_code

  • authress_service_client_access_key

  • autodesk

  • autoklose

  • autopilot

  • avazapersonalaccesstoken

  • aviationstack

  • aws_access_token

  • aws_client_id

  • aws_mws_id

  • aws_secret_key

  • axonaut

  • aylien

  • ayrshare

  • bank

  • bank_account

  • bank_card

  • bannerbear

  • baremetrics

  • base64

  • baseapiio

  • bcrypt

  • beamer_api_token

  • beebole

  • besttime

  • billomat

  • bitbar

  • bitbucket_client_id

  • bitbucket_client_secret

  • bitcoin

  • bitcoinaverage

  • bitfinex

  • bitlyaccesstoken

  • bitmex

  • bittrex_access_key

  • bittrex_secret_key

  • blazemeter

  • blitapp

  • blogger

  • body_type

  • bombbomb

  • boolean

  • boolean_wannabe

  • boostnote

  • borgbase

  • brandfetch

  • browshot

  • buddyns

  • bugherd

  • bugsnag

  • building

  • buildkite

  • bulbul

  • business_type

  • buttercms

  • caflou

  • calendarific

  • calendlyapikey

  • calorieninja

  • campayn

  • cannyio

  • capsulecrm

  • captaindata

  • carboninterface

  • card_type

  • carrier

  • cashboard

  • caspio

  • category

  • censys

  • centralstationcrm

  • cexio

  • chatfule

  • checio

  • checklyhq

  • checkvist

  • cicero

  • circleci

  • city

  • clearbit

  • clickhelp

  • cliengo

  • clinchpad

  • clockify

  • clockworksms

  • clojars_api_token

  • closecrm

  • cloudelements

  • cloudflareapitoken

  • cloudflarecakey

  • cloudflareglobalapikey

  • cloudimage

  • cloudmersive

  • cloudplan

  • cloverly

  • cloze

  • clustdoc

  • codacy

  • codecov_access_token

  • coinapi

  • coinbase_access_token

  • coinlayer

  • coinlib

  • column

  • command

  • commercejs

  • commit_hash

  • commodities

  • companyhub

  • confirmation_code

  • confluent_access_token

  • confluent_secret_key

  • content_type

  • contentful_delivery_api_token

  • contentfulpersonalaccesstoken

  • convertkit

  • convier

  • country

  • country_code

  • countrylayer

  • county

  • coupon_code

  • courier

  • coveralls

  • credit_card_number

  • crowdin

  • cryptocompare

  • cuid

  • currency_code

  • currencycloud

  • currencyfreaks

  • currencylayer

  • currencyscoop

  • currentsapi

  • customerguru

  • customerio

  • cvv

  • d7network

  • dailyco

  • dandelion

  • dash

  • databricks_api_token

  • datadog_access_token

  • datadogtoken

  • datafire

  • datagov

  • date

  • datetime

  • debounce

  • deepai

  • deepgram

  • defined_networking_api_token

  • delighted

  • delivery_method

  • department_name

  • detectlanguage

  • device_name

  • device_type

  • dfuse

  • did

  • diffbot

  • digitalocean_access_token

  • digitalocean_pat

  • digitalocean_refresh_token

  • digitaloceantoken

  • directory

  • discord_api_token

  • discord_bot_token

  • discord_client_id

  • discord_client_secret

  • discord_webhook_url

  • discordbottoken

  • discordwebhook

  • discount

  • ditto

  • dnscheck

  • document_type

  • documo

  • domain

  • doppler_api_token

  • dotmailer

  • dovico

  • driving_license

  • dronahq

  • droneci_access_token

  • dropbox_api_token

  • dropbox_long_lived_api_token

  • dropbox_short_lived_api_token

  • duffel_api_token

  • duration

  • dwolla

  • dynalist

  • dynatrace_api_token

  • dyspatch

  • e_commerce_indicator

  • eagleeyenetworks

  • easyinsight

  • easypost_api_token

  • easypost_test_api_token

  • edamam

  • edenai

  • eightxeight

  • elasticemail

  • email

  • enablex

  • enigma

  • environment

  • ethereum

  • ethplorer

  • etsy_access_token

  • etsyapikey

  • event_type

  • everhour

  • exchangerateapi

  • exchangeratesapi

  • facebook

  • facebookoauth

  • faceplusplus

  • fakejson

  • fastforex

  • fastly_api_token

  • fastlypersonaltoken

  • fee

  • feedier

  • fetchrss

  • figmapersonalaccesstoken

  • file

  • fileio

  • finage

  • financialmodelingprep

  • findl

  • finicity_api_token

  • finicity_client_secret

  • finnhub_access_token

  • fixerio

  • flatio

  • fleetbase

  • flickr_access_token

  • flightapi

  • flightstats

  • float

  • flowflu

  • flutterwave_encryption_key

  • flutterwave_public_key

  • flutterwave_secret_key

  • fmfw

  • form

  • formbucket

  • formio

  • foursquare

  • frameio_api_token

  • french_phone

  • freshbooks_access_token

  • freshdesk

  • front

  • fulcrum

  • fullstory

  • func

  • fusebill

  • fxmarket

  • gcp_api_key

  • geckoboard

  • gender

  • generic_api_key

  • gengo

  • geoapify

  • geocode

  • geocodify

  • geocodio

  • geoipifi

  • getemail

  • getemails

  • getgeoapi

  • getgist

  • getsandbox

  • github_app_token

  • github_fine_grained_pat

  • github_oauth

  • github_pat

  • github_refresh_token

  • githubapp

  • gitlab_pat

  • gitlab_ptt

  • gitlab_rrt

  • gitlabv2

  • gitter_access_token

  • glassnode

  • gocanvas

  • gocardless_api_token

  • goodday

  • google_api_public_key

  • grafana_api_key

  • grafana_cloud_api_token

  • grafana_service_account_token

  • graphcms

  • graphhopper

  • groovehq

  • guardianapi

  • guru

  • gyazo

  • happi

  • happyscribe

  • harvest

  • hash

  • hashicorp_tf_api_token

  • hashicorp_tf_password

  • hellosign

  • helpcrunch

  • helpscout

  • hereapi

  • heroku_api_key

  • hex_color_code

  • hexadecimal

  • hive

  • hiveage

  • holidayapi

  • host

  • house_number

  • hsl

  • hsla

  • html2pdf

  • html_body

  • http_method

  • hubspot_api_key

  • hubspotapikey

  • huggingface_access_token

  • huggingface_organization_api_token

  • humanity

  • hunter

  • hypertrack

  • ibmclouduserkey

  • iconfinder

  • id

  • identity_number

  • iexcloud

  • imagekit

  • imagga

  • impala

  • infracost_api_token

  • injection

  • insightly

  • instagram_oauth

  • integer

  • integer32

  • integer64

  • integromat

  • intercom_api_key

  • intrinio

  • invoiceocean

  • ipapi

  • ipc_patent

  • ipgeolocation

  • ipify

  • ipinfodb

  • ipquality

  • ipstack_token

  • ipv4

  • ipv6

  • isbn

  • item

  • jdbc

  • jfrog_api_key

  • jfrog_identity_token

  • jiratoken

  • join

  • jotform

  • json

  • jumpcloud

  • juro

  • jwt

  • jwt_base64

  • kanban

  • karmacrm

  • keenio

  • key_kms

  • kickbox

  • klipfolio

  • kontent

  • kraken_access_token

  • kucoin_access_token

  • kucoin_secret_key

  • kylas

  • language_iso_639_1

  • language_iso_639_2

  • languagelayer

  • lastfm

  • latitude

  • launchdarkly_access_token

  • leadfeeder

  • legal_name

  • lendflow

  • lessannoyingcrm

  • lexigram

  • limit

  • linear_api_key

  • linear_client_secret

  • linearapi

  • linemessaging

  • linenotify

  • linkedin_client_id

  • linkedin_client_secret

  • liveagent

  • livestorm

  • lob_api_key

  • lob_pub_api_key

  • locale

  • location

  • locationiq

  • loginradius

  • lokalisetoken

  • long

  • longitude

  • loyverse

  • luno

  • m3o

  • mac

  • macaddress

  • madkudu

  • magnetic

  • mailboxlayer

  • mailchimp_api_key

  • mailerlite

  • mailgun_private_api_token

  • mailgun_pub_key

  • mailgun_signing_key

  • mailjetbasicauth

  • mailjetsms

  • mailmodo

  • mailsac

  • mandrill

  • manifest

  • mapbox_api_token

  • mapquest

  • marketstack

  • mask

  • mattermost_access_token

  • mattermostpersonaltoken

  • mavenlink

  • maxmindlicense

  • md5

  • meaningcloud

  • mediastack

  • meistertask

  • merchant

  • mesibo

  • messagebird_api_token

  • messagebird_client_id

  • metaapi

  • metrilo

  • microsoft_teams_webhook

  • microsoftteamswebhook

  • midise

  • mime_type

  • mindmeister

  • mite

  • mixmax

  • mixpanel

  • moderation

  • monday

  • monero

  • mongo_db_object_id

  • month

  • moonclerck

  • moonclerk

  • moosend

  • mrticktock

  • myfreshworks

  • myintervals

  • nasdaqdatalink

  • navigation

  • nethunt

  • netlify_access_token

  • neutrinoapi

  • new_relic_browser_api_token

  • new_relic_user_api_id

  • new_relic_user_api_key

  • newrelicpersonalapikey

  • newsapi

  • newscatcher

  • nexmoapikey

  • nftport

  • nicereply

  • nimble

  • nitro

  • noticeable

  • notion

  • nozbeteams

  • npm_access_token

  • numverify

  • nutritionix

  • nylas

  • nytimes_access_token

  • oanda

  • offset

  • okta_access_token

  • omnisend

  • onedesk

  • onelogin

  • onepagecrm

  • onwaterio

  • oopspam

  • openai_api_key

  • opencagedata

  • opengraphr

  • openuv

  • openweather

  • optimizely

  • organization

  • owlbot

  • pagerdutyapikey

  • pandadoc

  • pandascore

  • paralleldots

  • partnerstack

  • passbase

  • passport

  • password

  • pastebin

  • paymoapp

  • paymongo

  • paypaloauth

  • paystack

  • pdflayer

  • pdfshift

  • peopledatalabs

  • pepipost

  • permission

  • phone

  • pin_code

  • pipedream

  • pipedrive

  • pivotaltracker

  • pixabay

  • plaid_api_token

  • plaid_client_id

  • plaid_secret_key

  • plaidkey

  • plan

  • planetscale_api_token

  • planetscale_oauth_token

  • planetscale_password

  • planviewleankit

  • planyo

  • plivo

  • policy

  • poloniex

  • polygon

  • port

  • position

  • positionstack

  • postageapp

  • posthog

  • postman_api_token

  • postmark

  • powrbot

  • prefect_api_token

  • price

  • private_key

  • privatekey

  • prospectcrm

  • prospectio

  • protocol

  • protocolsio

  • proxycrawl

  • pubnubpublishkey

  • pulumi_api_token

  • purestake

  • pushbulletapikey

  • pusherchannelkey

  • pypi_upload_token

  • qualaroo

  • qubole

  • quickmetrics

  • rapidapi_access_token

  • raven

  • rawg

  • razorpay

  • readme_api_token

  • reallysimplesystems

  • reason_code

  • rebrandly

  • reference

  • refiner

  • region

  • repairshopr

  • restpack

  • restpackhtmltopdfapi

  • restpackscreenshotapi

  • return_type

  • rev

  • revampcrm

  • rgb

  • rgba

  • ringcentral

  • ritekit

  • roaring

  • rocketreach

  • role

  • roninapp

  • room

  • route4me

  • rownd

  • rubygems_api_token

  • runrunit

  • salesblink

  • salescookie

  • salesflare

  • satismeterprojectkey

  • satismeterwritekey

  • saucelabs

  • scalewaykey

  • scalingo_api_token

  • scrapeowl

  • scraperapi

  • scraperbox

  • scrapersite

  • scrapestack

  • scrapfly

  • scrapingant

  • scrapingbee

  • screenshotapi

  • screenshotlayer

  • search

  • secret

  • securitytrails

  • segmentapikey

  • selectpdf

  • semaphore

  • sendbird_access_id

  • sendbird_access_token

  • sendbirdorganizationapi

  • sendgrid_api_token

  • sendinblue_api_token

  • sendinbluev2

  • sentiment

  • sentry_access_token

  • sentrytoken

  • serial_number

  • serphouse

  • serpstack

  • sha1

  • sha256

  • sheety

  • sherpadesk

  • shipday

  • shipping_method

  • shippo_api_token

  • shodankey

  • shopify_access_token

  • shopify_custom_access_token

  • shopify_private_app_access_token

  • shopify_shared_secret

  • shortcut

  • shotstack

  • shutterstock

  • shutterstockoauth

  • sidekiq_secret

  • sidekiq_sensitive_url

  • signalwire

  • signaturit

  • signupgenius

  • sigopt

  • simplesat

  • simplynoted

  • simvoly

  • sinchmessage

  • sirv

  • siteleaf

  • skrappio

  • skybiometry

  • slack_app_token

  • slack_bot_token

  • slack_config_access_token

  • slack_config_refresh_token

  • slack_legacy_bot_token

  • slack_legacy_token

  • slack_legacy_workspace_token

  • slack_user_token

  • slack_webhook_url

  • slackwebhook

  • slug

  • smartsheets

  • smartystreets

  • smooch

  • snipcart

  • snyk_api_token

  • snykkey

  • social_security_number

  • software_component

  • sparkpost

  • splunkobservabilitytoken

  • spoonacular

  • sportsmonk

  • spotifykey

  • square_access_token

  • squareapp

  • squarespace_access_token

  • squareup

  • ssh_url

  • sslmate

  • status

  • status_code

  • status_message

  • stitchdata

  • stockdata

  • storecove

  • stormglass

  • storyblok

  • storychief

  • strava

  • streak

  • street_address

  • string

  • stripe_access_token

  • stripe_public_access_token

  • stytch

  • sugester

  • sumologic_access_id

  • sumologic_access_token

  • sumologickey

  • supernotesapi

  • surveyanyplace

  • surveybot

  • surveysparrow

  • survicate

  • swell

  • swiftype

  • tallyfy

  • tatumio

  • taxjar

  • teamgate

  • teamworkcrm

  • teamworkdesk

  • teamworkspaces

  • technicalanalysisapi

  • telegram_bot_api_token

  • telegrambottoken

  • telnyx

  • terraformcloudpersonaltoken

  • text2data

  • textmagic

  • theoddsapi

  • thinkific

  • thousandeyes

  • ticketmaster

  • tiingo

  • time

  • timestamp

  • timezoneapi

  • title

  • tmetric

  • todoist

  • toggltrack

  • tomorrowio

  • tomtom

  • tradier

  • travelpayouts

  • travisci_access_token

  • trelloapikey

  • tru

  • twelvedata

  • twilio_api_key

  • twitch_api_token

  • twitter_access_secret

  • twitter_access_token

  • twitter_api_key

  • twitter_api_secret

  • twitter_bearer_token

  • tyntec

  • typeform_api_token

  • ubidots

  • unifyid

  • unplugg

  • unsanitized_payload

  • unsplash

  • upcdatabase

  • uplead

  • uploadcare

  • upwave

  • uri

  • url

  • urlscan

  • us_bank_account_number

  • us_bank_routing_number

  • us_zip_code

  • user_agent

  • username

  • userstack

  • uuid

  • vatlayer

  • vault_batch_token

  • vault_service_token

  • vehicle_type

  • vercel

  • verifier

  • verimail

  • version

  • versioneye

  • view

  • viewneo

  • virustotal

  • visualcrossing

  • voicegain

  • vouchery

  • vpnapi

  • vultrapikey

  • vyte

  • walkscore

  • weatherbit

  • weatherstack

  • webex

  • webflow

  • webscraper

  • webscraping

  • website

  • wepay

  • whoxy

  • worksnaps

  • workstack

  • worldcoinindex

  • worldweather

  • wrike

  • yandex_access_token

  • yandex_api_key

  • yandex_aws_access_token

  • year

  • youneedabudget

  • yousign

  • youtubeapikey

  • zapierwebhook

  • zendesk_secret_key

  • zendeskapi

  • zenkitapi

  • zenscrape

  • zenserp

  • zeplin

  • zerobounce

  • zip_code

  • zipapi

  • zipbooks

  • zipcodeapi

  • zonkafeedback

SCAN_TYPE

  • GRAPHQL

  • REST

SEVERITY

  • HIGH

  • MEDIUM

  • LOW

  • INFO

  • AlertModel
  • Compliance
  • CrudDetector
  • HTTPRAWSeeder
  • LogicalAndDetector
  • LogicalNotDetector
  • LogicalOrDetector
  • MethodDetector
  • MethodMutator
  • Middleware
  • ObjectMatcher
  • ObjectMutate
  • ObjectTypeMatcher
  • RESTSeeder
  • RegexReplace
  • RequestBodyJSONDetector
  • RequestBodyJSONMutator
  • RequestBodyTextDetector
  • RequestBodyTextMutator
  • RequestHeadersDetector
  • RequestHeadersMutator
  • RequestIsAuthenticatedDetector
  • RequestObjectDetector
  • RequestObjectMutator
  • RequestUserDetector
  • RequestUserMutator
  • ResponseBodyJSONDetector
  • ResponseBodyTextDetector
  • ResponseDurationDetector
  • ResponseHeadersDetector
  • ResponseIsSuccessfulDetector
  • ResponseObjectDetector
  • ResponseStatusCodeDetector
  • ScanTypeDetector
  • SchemaNeedAuthenticationDetector
  • SchemaPathRefDetector
  • SchemaPathRefMutator
  • SchemaUrlDetector
  • SchemaUrlMutator
  • StringMatcher
  • CATEGORY
  • CRUD
  • HTTP_METHOD
  • OBJECT_TYPE
  • SCAN_TYPE
  • SEVERITY