Introduction
Skims uses a configuration file in YAML syntax.
The general schema is shown and described below:
namespace: repository
working_dir: /path/to/your/repository
commit: sha_of_the_commit of the scanner's source repo
language: EN
output:
  file_path: /path/to/results.csv
  format: CSV
checks:
  - F052
sast:
  include:
    - /path/to/file/or/dir
    - src/main/java/org/test/Test.java
    - glob(*)
    - glob(**.java)
    - glob(src/**/test*.py)
sca:
  include:
    - .
apk:
  include:
    - /path/to/build/awesome-app-v1.0.apk
    - build/awesome-app-v1.0.apk
cspm:
  aws_credentials:
    - access_key_id: "000f"
      secret_access_key: "000f"
dast:
  urls:
    - https://localhost.com
    - https://localhost.com:443
  ssl_checks: true
  http_checks: true
debug: true
strict: false
file_size_limit: false
Configuration keys
The following is a detailed explanation of what each key in the configuration file represents.
All keys are optional, so the file can be tailored to the needs of each analysis. The tool runs without problems if any of them are left out of the configuration file.
namespace
An arbitrary name for the analysis. Normally the name of the repository to be analyzed.
working_dir
Used as the path to the repository. With this key, the paths you configure in the dast and apk keys could be relative paths to this directory.
commit
Used to run Machine with a specific commit of its source repo. For this, pass the commit SHA of the version you want to use. You can see the list of commits here.
language
Language used to generate reports; valid values are EN and ES.
If not present, defaults to EN (English).
output
By default, the vulnerabilities that Machine finds in your code are printed to the terminal. You can change this by configuring this key with two attributes:
file_path: defines where you want to store the output.
format: defines the format of the output; valid values are CSV or SARIF.
checks
This configuration key specifies which findings are run. Each finding represents a type of vulnerability. The complete list of findings supported by Machine can be found here, and a detailed description of each finding can be found here.
If the key is not present, all findings supported by Machine are run. We recommend not using this key, so that your repository is checked against ALL currently supported findings.
apk, cspm, dast and sast
SAST refers to Static Application Security Testing; it enables the scanner to check code files in any of the supported languages.
CSPM refers to Cloud Security Posture Management; it enables the scanner to identify misconfiguration issues and compliance risks in cloud environments like AWS, GCP or Azure.
DAST refers to Dynamic Application Security Testing; it enables the scanner to check for vulnerabilities in dynamic environments such as URLs.
APK enables the scanner to perform reverse engineering on APK files to search for vulnerabilities.
Each of these keys will be described thoroughly in its respective section.
debug
This key can be used to run the scanner in debug mode. Currently, this mode is only available for sast checks, and it makes the scanner generate two SVG files in the ./skims folder of the home directory.
This is useful for developers when adding sast checks. As a user, it is not recommended that you run the scanner with this option.
For more details, please check the development docs.
strict
With this option you can run the scanner in strict mode, which means that it will fail the execution (with an exit code 1) if it finds at least one vulnerability in your targets.
Ideal for using the scanner as a CI/CD job.
file_size_limit
We restrict the size of the files processed to prevent extended analysis times. If crucial files are omitted as a result, you can remove this restriction by setting file_size_limit to false.
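As an added example (this is not Skims' own code and not part of the original page), the following Python script checks an already-parsed configuration against the constraints stated in the key descriptions above (language EN or ES, output format CSV or SARIF, boolean flags, the include lists of sast, sca and apk) and resolves relative include entries against working_dir. The sample configuration is the schema from the top of this page transcribed as a dict so the script runs offline without a YAML library. Two rules are assumptions of this example rather than documented behaviour: finding ids are matched against the shape of the F052 example (F plus three digits), and unknown top-level keys are reported as problems.

```python
"""Validator for a Skims-style configuration (added example, not part of Skims).
Constraints come from the key descriptions on the page; the F### pattern and
the rejection of unknown top-level keys are assumptions of this example."""
import os
import re
from typing import Any

LANGUAGES = {"EN", "ES"}                 # documented: valid values EN, ES
OUTPUT_FORMATS = {"CSV", "SARIF"}        # documented: valid output formats
TOP_LEVEL_KEYS = {"namespace", "working_dir", "commit", "language", "output",
                  "checks", "sast", "sca", "apk", "cspm", "dast", "debug",
                  "strict", "file_size_limit"}
FINDING_ID = re.compile(r"^F\d{3}$")     # assumption: ids look like F052
GLOB_FORM = re.compile(r"^glob\(.+\)$")  # page shows include entries as glob(...)

# The page's example schema, transcribed as a dict (constructed sample input).
SAMPLE_CONFIG: dict[str, Any] = {
    "namespace": "repository",
    "working_dir": "/path/to/your/repository",
    "commit": "sha_of_the_commit of the scanner's source repo",
    "language": "EN",
    "output": {"file_path": "/path/to/results.csv", "format": "CSV"},
    "checks": ["F052"],
    "sast": {"include": ["/path/to/file/or/dir", "src/main/java/org/test/Test.java",
                         "glob(*)", "glob(**.java)", "glob(src/**/test*.py)"]},
    "sca": {"include": ["."]},
    "apk": {"include": ["/path/to/build/awesome-app-v1.0.apk", "build/awesome-app-v1.0.apk"]},
    "cspm": {"aws_credentials": [{"access_key_id": "000f", "secret_access_key": "000f"}]},
    "dast": {"urls": ["https://localhost.com", "https://localhost.com:443"],
             "ssl_checks": True, "http_checks": True},
    "debug": True, "strict": False, "file_size_limit": False,
}


def _check_include(problems: list[str], section: str, value: Any) -> None:
    """sast, sca and apk take an `include` list of paths or glob(...) patterns."""
    if not isinstance(value, dict):
        problems.append(f"{section} must be a mapping")
        return
    include = value.get("include", [])
    if not isinstance(include, list) or not all(isinstance(p, str) and p for p in include):
        problems.append(f"{section}.include must be a list of non-empty strings")
        return
    for p in include:
        if p.startswith("glob") and not GLOB_FORM.match(p):
            problems.append(f"{section}.include: malformed glob pattern {p!r}")


def validate_config(cfg: dict[str, Any]) -> list[str]:
    """Return the list of problems found; empty means acceptable.
    Every key is optional, so an empty mapping is valid."""
    problems: list[str] = []
    problems += [f"unknown key {k!r}" for k in cfg if k not in TOP_LEVEL_KEYS]
    for key in ("namespace", "working_dir", "commit"):
        if key in cfg and not isinstance(cfg[key], str):
            problems.append(f"{key} must be a string")
    lang = cfg.get("language", "EN")  # page: defaults to EN when absent
    if lang not in LANGUAGES:
        problems.append(f"language must be one of {sorted(LANGUAGES)}, got {lang!r}")
    if "output" in cfg:
        out = cfg["output"]
        if not isinstance(out, dict):
            problems.append("output must be a mapping with file_path and format")
        else:
            if not isinstance(out.get("file_path"), str):
                problems.append("output.file_path must be a path string")
            if out.get("format") not in OUTPUT_FORMATS:
                problems.append(f"output.format must be one of {sorted(OUTPUT_FORMATS)}")
    if "checks" in cfg:
        checks = cfg["checks"]
        if not isinstance(checks, list) or not checks:
            problems.append("checks must be a non-empty list of finding ids")
        else:
            problems += [f"checks: {c!r} is not a finding id like F052"
                         for c in checks if not (isinstance(c, str) and FINDING_ID.match(c))]
    for section in ("sast", "sca", "apk"):
        if section in cfg:
            _check_include(problems, section, cfg[section])
    if "cspm" in cfg:
        creds = cfg["cspm"].get("aws_credentials") if isinstance(cfg["cspm"], dict) else None
        if not isinstance(creds, list):
            problems.append("cspm.aws_credentials must be a list")
        else:
            for i, cred in enumerate(creds):
                if not isinstance(cred, dict) or not {"access_key_id", "secret_access_key"} <= cred.keys():
                    problems.append(f"cspm.aws_credentials[{i}] needs access_key_id and secret_access_key")
    if "dast" in cfg:
        dast = cfg["dast"]
        if not isinstance(dast, dict):
            problems.append("dast must be a mapping")
        else:
            urls = dast.get("urls", [])
            if not isinstance(urls, list) or not all(
                    isinstance(u, str) and u.startswith(("http://", "https://")) for u in urls):
                problems.append("dast.urls must be a list of http(s) URLs")
            problems += [f"dast.{f} must be true or false" for f in ("ssl_checks", "http_checks")
                         if f in dast and not isinstance(dast[f], bool)]
    # file_size_limit: the page documents only the boolean form (false lifts the limit).
    problems += [f"{f} must be true or false" for f in ("debug", "strict", "file_size_limit")
                 if f in cfg and not isinstance(cfg[f], bool)]
    return problems


def resolve_includes(cfg: dict[str, Any]) -> dict[str, list[str]]:
    """Join relative include entries of sast, sca and apk onto working_dir (the page
    says relative paths are resolved against it); absolute paths and glob(...)
    patterns are returned unchanged."""
    base = cfg.get("working_dir", ".")
    resolved: dict[str, list[str]] = {}
    for section in ("sast", "sca", "apk"):
        entries = cfg.get(section, {}).get("include", [])
        resolved[section] = [p if p.startswith("glob(") or os.path.isabs(p)
                             else os.path.normpath(os.path.join(base, p)) for p in entries]
    return resolved


if __name__ == "__main__":
    print(validate_config(SAMPLE_CONFIG) or "config OK")
    print(resolve_includes(SAMPLE_CONFIG))
```

Run the script as-is to check the page's sample schema; to check your own file, load it with any YAML parser into a dict and pass that dict to validate_config. Because every key is optional, an empty mapping validates cleanly, which matches the page's statement that omitting keys causes no issues.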