|
| 1 | +# stackhawk configuration for api-impl-demo |
| 2 | +app: |
| 3 | + # An applicationId obtained from the StackHawk platform. |
| 4 | + applicationId: 478e9286-2f66-407f-b383-0ab174c4331a # (required) |
| 5 | + # The environment for the applicationId defined in the StackHawk platform. |
| 6 | + env: Pre-Production # (required) |
| 7 | + # The url of your application to scan |
| 8 | + host: http://172.17.0.1:8080 # (required) |
| 9 | + # The names of your session tokens aka: cookie names |
| 10 | +# sessionTokens: # (optional) |
| 11 | +# - "_toy_app_session" |
| 12 | +# # The name of your anti csrf parameter |
| 13 | +# antiCsrfParam: authenticity_token # (optional) |
| 14 | +# |
| 15 | + # Authentication configuration for scanning as a user. |
| 16 | + # Enabling will force the scanner to scan as an |
| 17 | + # authenticated user of your app. |
| 18 | +# authentication: |
| 19 | +# # A regex to match against http responses to determine if the scan user is |
| 20 | +# # still logged in to your app |
| 21 | +# loggedInIndicator: "\\QLog out\\E" # (required) |
| 22 | +# # A regex to match against http responses to determine if the scan user is |
| 23 | +# # logged out of your app |
| 24 | +# loggedOutIndicator: "\\QLog in\\E" # (required) |
| 25 | +# # Username password based authentication method. |
| 26 | +# usernamePassword: |
| 27 | +# # POST authentication credentials as application/x-www-form-urlencoded |
| 28 | +# # Set type to JSON to POST as application/json. |
| 29 | +# type: FORM |
| 30 | +# # The route to POST credentials to authenticate as a user |
| 31 | +# loginPath: /login # (required) |
| 32 | +# # The route that serves the login form. The anti-csrf parameter |
| 33 | +# # returned from a GET request will be extracted from the response. |
| 34 | +# loginPagePath: /login # (optional) |
| 35 | +# # The username field name in your authentication payload. |
| 36 | +# usernameField: session[email] # (required) |
| 37 | +# # The password field name in your authentication payload. |
| 38 | +# passwordField: session[password] # (required) |
| 39 | +# # The username to authenticate as when scanning |
| 40 | +# scanUsername: ${SCAN_USERNAME} # (required) |
| 41 | +# # The password of the scanUsername |
| 42 | +# scanPassword: ${SCAN_PASSWORD} # (required) |
| 43 | +# # Other request parameters that may be required by your log in payload |
| 44 | +# otherParams: # (optional) |
| 45 | +# - name: utf8 |
| 46 | +# val: "✓" |
| 47 | +# - name: "session[remember_me]" |
| 48 | +# val: "0" |
| 49 | +# # Maintain authorized session via cookie. |
| 50 | +# cookieAuthorization: |
| 51 | +# # Names of cookies used to track a user's session |
| 52 | +# cookieNames: |
| 53 | +# - "_toy_app_session" |
| 54 | +# # A path and criteria for asserting authentication is working correctly. |
| 55 | +# # The path should be a protected route that can only be accessed |
| 56 | +# # by an authenticated user. Before running a scan this path will be |
| 57 | +# # requested to verify authenticated access is working correctly. |
| 58 | +# testPath: |
| 59 | +# # Match criteria against the HEADERs. Set to BODY to match against |
| 60 | +# # response body instead. |
| 61 | +# type: HEADER |
| 62 | +# # The protected path to issue a GET request to. |
| 63 | +# path: /profile |
| 64 | +# # A regex to match against that will indicate a successful authorized |
| 65 | +# # request. Configure fail criteria to match against a failed |
| 66 | +# # authorized request. Example: fail:".*302.*Location.*/login.*" |
| 67 | +# success: ".*200.*" |
| 68 | +# # Externally supplied authorization token. |
| 69 | +# # Use as an alternative to usernamePassword authentication |
| 70 | +# external: |
| 71 | +# # A token type external credential. |
| 72 | +# # Set to COOKIE to supply an externally sourced cookie |
| 73 | +# type: TOKEN |
| 74 | +# # The value of the token passed as an environment variable at runtime. |
| 75 | +# # When type=COOKIE the value format should be <cookie-name>=<cookie-value> |
| 76 | +# value: ${AUTH_TOKEN} |
| 77 | +# # Describe how to extract your apps authorization token. |
| 78 | +# # This should only be used with tokenAuthorization |
| 79 | +# tokenExtraction: |
| 80 | +# # The type of extraction to use. TOKEN_PATH is the path to the token in |
| 81 | +# # the JSON payload returned from usernamePassword authenticsation. |
| 82 | +# # Set to HEADER if your authorization token is returned as a response header. |
| 83 | +# type: TOKEN_PATH |
| 84 | +# # The path to the token or name of the header. |
| 85 | +# value: "auth.token" |
| 86 | +# # Use token based authorization instead of cookie based. |
| 87 | +# # Tokens are passed on all requests to maintain authorized access |
| 88 | +# # to your application |
| 89 | +# tokenAuthorization: |
| 90 | +# # The way to pass the token on requests. Set to QUERY_PARAM |
| 91 | +# # to pass your token as part of the query string instead of a header. |
| 92 | +# type: HEADER |
| 93 | +# # The name of the header or query param. |
| 94 | +# value: Authorization |
| 95 | +# # The token type which will be prepended to your authorization header. |
| 96 | +# # ie: Authorization: Bearer <token> |
| 97 | +# # Leave undefined if not applicable. |
| 98 | +# tokenType: Bearer |
| 99 | +# # Path to openapi 2 spec file or inline openapi 2 spec yaml |
| 100 | + api: "/api-impl-demo/v1/openapi" # (optional) |
| 101 | +hawk: |
| 102 | +# # Web crawler / spider configuration |
| 103 | + spider: |
| 104 | + # Enable the base spider for discovering your app's routes |
| 105 | + base: true # (default) |
| 106 | +# # Enable the ajax spider for discovering your single page app |
| 107 | +# ajax: false # (default) |
| 108 | +# # Maximum time for spider to discover routes in your app |
| 109 | +# maxDurationMinutes: 2 # (default) |
| 110 | +# # Maximum time to wait for the scanner to start up |
| 111 | +# startupTimeoutMinutes: 5 # (default) |
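Review bot: The whole `authentication:` stanza (lines 18–98) is commented out, so this scan of the OpenAPI-described API at `/api-impl-demo/v1/openapi` runs purely unauthenticated; any endpoint that requires a session or bearer token will answer 401/403 and the scanner will exercise only the anonymous surface, which gives a misleadingly clean report. If the API is protected, uncomment `authentication:` and supply credentials the way the template already does — through `${SCAN_USERNAME}`/`${SCAN_PASSWORD}` or `external.value: ${AUTH_TOKEN}` — never as literals in this committed file; the `applicationId` is an identifier, not a secret, so it is fine to keep inline. Until that is done, a note above `hawk:` such as `# NOTE: authentication is disabled; only the unauthenticated surface of the API is scanned` would stop the report from being read as full coverage. `host: http://172.17.0.1:8080` targets the Docker bridge over plain HTTP, which is acceptable for a local CI container but worth a comment so nobody repoints it at a shared or production host while `env` still says `Pre-Production`. Whether `app.api` is still the right key for the spec path (newer StackHawk configs use `app.openApiConf.path`) depends on the CLI version in use, which this file does not pin — verify against the scanner's output.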