---
# inmydata PenTest configuration (example)
#
# Copy this file to config.yaml and adjust the values for your environment.
# All values below are placeholders; key nesting was reconstructed from a
# listing with indentation stripped — NOTE(review): confirm the placement of
# cognito.username/password and the nuclei rate settings against the loader.

# --- Scan target ------------------------------------------------------------
target:
  # Base URL the spider and scanners start from.
  url: 'https://app.example.com'

  # Extra API hosts to bring into scope alongside the primary URL.
  api_endpoints:
    - 'https://api.example.com'

  # Paths the scanners must never request, e.g. logout (would drop the
  # authenticated session) or endpoints with destructive side effects.
  # Globs are quoted so YAML does not read '*' as an alias.
  exclude_paths:
    - '/api/admin/delete-*'
    - '/auth/logout'
    - '/api/dangerous-action'

# --- Authentication (AWS Cognito) -------------------------------------------
auth:
  provider: 'cognito'
  cognito:
    region: 'eu-west-2'
    user_pool_id: 'eu-west-2_XXXXXXXXX'
    client_id: 'your-app-client-id'
    # Test-account credentials. Either fill these in or leave them empty and
    # export COGNITO_USERNAME / COGNITO_PASSWORD instead — the environment
    # route keeps the secret out of a committed config.yaml.
    username: ''
    password: ''

# --- OWASP ZAP --------------------------------------------------------------
zap:
  # true: run ZAP in a Docker container (recommended); false: attach to an
  # already running ZAP instance.
  docker: true
  # Local port the ZAP API listens on.
  api_port: 8090
  # ZAP API key; left empty, one is generated automatically.
  api_key: ''

  # Traditional spider, bounded by depth and wall-clock time.
  spider:
    max_depth: 5
    max_duration_minutes: 10
    # Enable the Ajax spider for JavaScript-rendered front ends
    # (React / Next.js and similar).
    ajax_spider: true
    ajax_spider_duration_minutes: 5

  # Active scanning sends attack payloads; it is skipped entirely when
  # scan.mode is "quick" or "nuclei-only".
  active_scan:
    enabled: true
    # One of "default", "light", "heavy".
    policy: 'default'
    max_duration_minutes: 30
    # Concurrent scan threads per host.
    threads: 5

  # The passive scanner needs no configuration; it inspects traffic
  # generated while spidering.

# --- Nuclei -----------------------------------------------------------------
nuclei:
  enabled: true
  # Run the Nuclei binary through Docker.
  docker: true

  templates:
    # Pull in the public community template set.
    community: true
    # Comma-separated severities selected from the community set.
    community_severity: 'critical,high,medium'
    # Directory holding the inmydata-specific templates.
    custom_path: './templates/nuclei'

  # Request throttling passed through to Nuclei.
  rate_limit: 150
  bulk_size: 25
  concurrency: 25
  # Per-request timeout, seconds.
  timeout: 10

# --- Scan mode --------------------------------------------------------------
scan:
  # "full"        spider + passive + active + nuclei
  # "quick"       spider + passive + nuclei (no active scan)
  # "nuclei-only" Nuclei templates only
  mode: 'full'

# --- Reporting --------------------------------------------------------------
report:
  output_dir: './reports'
  # Attach the raw ZAP / Nuclei output to the report.
  include_raw: false
  # Findings below this severity are dropped from the report.
  min_severity: 'low'
  # Branding shown on the report.
  company_name: 'inmydata'
  logo_url: ''

# --- CI/CD gate -------------------------------------------------------------
ci:
  # Any finding at this severity or above fails the pipeline.
  fail_on_severity: 'high'
  # Upper bound on medium-severity findings before the pipeline fails.
  max_medium_findings: 10