Configuration keys
Keys
The following is a detailed explanation of what each key in the configuration file represents.
All keys are optional, so you can tailor the configuration to the needs of each analysis. The tool runs without issues when any of them are left out of the configuration file.
namespace
An arbitrary name for the analysis. Normally the name of the repository to be analyzed.
namespace: my_app
working_dir
Used as the path to the repository you want to analyze. With this key, the paths you configure under the sast, sca and apk keys are resolved relative to this directory (dast takes URLs, not paths).
working_dir: /absolute/path/to/directory
commit
Used to run Machine at a specific commit of its source repository. Pass the commit SHA of the version you want to use. You can see the list of commits here
commit: e59607b9de3ef4c13d292705fg3da1ff0c67eb38
language
Language used to generate reports; valid values are EN and ES.
If not present, defaults to EN (English).
language: ES
output
By default, the vulnerabilities that Machine finds in your code are printed to the terminal. You can change this by configuring this key with two attributes:
file_path: Defines where you want to store the output.
format: Defines the format of the output; valid values are CSV or SARIF.
output:
  file_path: relative/path/to/file
  format: CSV
checks
This configuration key specifies which findings are run. Each finding represents a type of vulnerability. The complete list of findings supported by Machine can be found here, and a detailed description of each finding can be found here
If the key is not present, all the findings supported by Machine are run. We recommend that you not use this key, so that your repository is checked against ALL currently supported findings.
checks:
- F011
- F393
strict
With this option you run the scanner in strict mode: the execution fails (exit code 1) if at least one vulnerability is found in your targets.
This makes it suitable for use as a CI/CD job, where a non-zero exit code fails the pipeline.
strict: true
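Strict mode is all-or-nothing: any finding fails the job. When you need a finer policy (fail on a set of findings, tolerate an accepted-risk one), set output format to SARIF and gate on the report instead. The script below is an added example and is not Machine's own code; it assumes the report follows the standard SARIF 2.1.0 layout (runs[].results[] with ruleId, level, message.text and locations) and that ruleId carries the finding code such as F011. Both are assumptions about the report, and the embedded report is constructed for the example.

```python
"""Gate a CI job on the SARIF report written by the `output` key.

Added example, not Machine's own code. It assumes the report follows the SARIF 2.1.0
layout (runs[].results[] with ruleId, level, message.text, locations) and that ruleId
carries the finding code (F011 and similar); both are assumptions about the report.
"""
import json
import sys

# Constructed sample report; not real scanner output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "machine"}},
        "results": [
            {"ruleId": "F011", "level": "error",
             "message": {"text": "constructed finding for F011"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}}}]},
            {"ruleId": "F052", "level": "warning",
             "message": {"text": "constructed finding for F052"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/App.java"}}}]},
        ],
    }],
})


def load_results(sarif_text):
    """Flatten every result in every run to (rule, level, uri, text)."""
    doc = json.loads(sarif_text)
    flat = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            uri = ""
            for loc in res.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                break
            flat.append({"rule": res.get("ruleId", "?"), "level": res.get("level", "warning"),
                         "uri": uri, "text": res.get("message", {}).get("text", "")})
    return flat


def blocking_results(results, block_levels=("error",), block_rules=(), allow_rules=()):
    """Select the results that should fail the job.

    allow_rules wins over everything (accepted-risk findings); otherwise a result
    blocks if its rule is explicitly blocked or its level is in block_levels.
    """
    return [r for r in results if r["rule"] not in allow_rules
            and (r["rule"] in block_rules or r["level"] in block_levels)]


def gate(sarif_text, **policy):
    """Print the blocking findings and return the exit code a CI job should use."""
    blocked = blocking_results(load_results(sarif_text), **policy)
    for r in blocked:
        print(f"{r['rule']} [{r['level']}] {r['uri']}: {r['text']}")
    return 1 if blocked else 0


if __name__ == "__main__":
    # Usage: python gate.py results.sarif   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(gate(text, block_levels=("error",), allow_rules=()))
```

Run it as a CI step after the scanner, passing the file named in output.file_path; the policy arguments in the `__main__` block are where you encode which levels block, which finding codes always block, and which accepted-risk codes are allowed through.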
file_size_limit
We restrict the size of the files processed to prevent extended analysis times. If crucial files are omitted as a result, you can remove this restriction by setting this key to false.
file_size_limit: false
SAST
With this key you activate Static Application Security Testing (SAST) for your source code. This key has three configuration options:
include key (Mandatory): Specify the paths to the files or directories that you want to analyze.
exclude key (Optional): As the name implies, specify any files or directories you want to exclude from the analysis.
recursion-limit key (Optional): Use this key if your SAST execution takes a long time (more than one hour) or if memory or recursion errors show up. It must be set to an integer; the recommended value is 1000.
sast:
  include:
    - /relative/path/to/file
    - relative/path/to/directory/
  # Optional keys
  exclude:
    - glob(**/node_modules/)
  recursion-limit: 1000
Read the Format section for information about the path format recognized by Machine.
SCA
With this key you activate Software Composition Analysis (SCA) for your source code. This key has two configuration options, similar to SAST.
include key (Mandatory): Specify the paths to the files or directories that you want to analyze.
exclude key (Optional): As the name implies, specify any files or directories you want to exclude from the analysis.
sca:
  include:
    - /relative/path/to/file
    - relative/path/to/directory/
  # Optional keys
  exclude:
    - glob(**/test/)
APK
Use this key to activate the reverse engineering checks for Android APKs.
This key has two configuration options, similar to SAST.
include key (Mandatory): Specify the paths to the APK files or directories that you want to analyze.
exclude key (Optional): As the name implies, specify any files or directories you want to exclude from the analysis.
apk:
  include:
    - /relative/path/to/file
    - relative/path/to/directory/
  # Optional keys
  exclude:
    - glob(src/**/test*.apk)
DAST
With this key you activate Dynamic Application Security Testing (DAST) for your endpoints.
This key has three configuration options:
urls key (Mandatory): List all the URLs that you want the scanner to analyze.
http_checks key (Optional): Disables the HTTP checks for your URLs when set to false.
ssl_checks key (Optional): Disables the SSL/TLS checks for your URLs when set to false.
The last two keys take either true or false and default to true.
dast:
  urls:
    - https://my-app.com
    - http://localhost.com
  # Optional keys
  http_checks: true
  ssl_checks: false
CSPM
With this key you activate Cloud Security Posture Management (CSPM) for your cloud environments. For it to work, you must provide the credentials used to access each environment, as shown below.
Every sub-key (aws_credentials, azure_credentials and gcp_credentials) is optional; however, when you include one, it must contain at least one set of credentials. Since these are long-lived secrets, keep the configuration file out of version control and prefer credentials scoped to read-only access, which is all a posture assessment needs.
namespace: namespace
cspm:
  # For AWS
  aws_credentials:
    # Access Keys
    - access_key_id: "000f"
      secret_access_key: "000f"
    # Using Session Token
    - access_key_id: "000e"
      secret_access_key: "000e"
      session_token: "000e"
    # Using Custom Trust Policy
    - role: "000d"
      external_id: "000d"
  # For Azure
  azure_credentials:
    - client_id: "000f"
      client_secret: "000f"
      tenant_id: "0000f"
      subscription_id: "000f"
  # For GCP
  gcp_credentials:
    - private_key: "000f"
    - private_key: "000e"
debug
This key runs the scanner in debug mode. Currently this mode is only available for sast checks, and it makes the scanner generate two SVG files in the ./skims directory of your home directory.
This is useful for developers adding sast checks. As a user, you are not recommended to run the scanner with this option.
For more details, check the development docs
Example
A highly customized configuration file is shown below:
namespace: my_app
working_dir: /path/to/your/repository
commit: sha_of_the_commit of the scanner's source repo
language: EN
output:
  file_path: /path/to/results.csv
  format: CSV
checks:
  - F052
strict: false
file_size_limit: false
sast:
  include:
    - ./relative/path/to/file/or/dir
    - src/main/java/org/test/Test.java
    - glob(*)
    - glob(**.java)
    - glob(src/**/test*.py)
sca:
  include:
    - .
apk:
  include:
    - ./relative/path/to/build/awesome-app-v1.0.apk
    - build/awesome-app-v1.0.apk
cspm:
  aws_credentials:
    - access_key_id: "000f"
      secret_access_key: "000f"
dast:
  urls:
    - https://localhost.com
    - https://localhost.com:443
  ssl_checks: true
  http_checks: true
debug: true
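A malformed configuration (a missing mandatory include, a misspelled key, a credentials block with no entries) is easiest to catch before the scanner runs. The validator below is an added example and not Machine's own code: it encodes the rules this page states (all top-level keys optional, language EN or ES, output format CSV or SARIF, include mandatory for sast, sca and apk, urls mandatory for dast, each cspm provider list non-empty and each entry carrying the fields shown above, the boolean and integer keys typed accordingly). It works on a config already loaded into a dict, for example with PyYAML's yaml.safe_load; the finding-code pattern "F" plus three digits is an assumption drawn from the codes shown on this page, and both sample configs are constructed for the example.

```python
"""Validate a Machine configuration against the rules stated on this page.
Added example, not Machine's own code: it takes a config already loaded into a dict
(e.g. with PyYAML's yaml.safe_load) and returns the rule violations it finds.
The finding-code pattern F + three digits is assumed from the codes shown on the page."""
import re

KNOWN_KEYS = {"namespace", "working_dir", "commit", "language", "output", "checks",
              "strict", "file_size_limit", "sast", "sca", "apk", "dast", "cspm", "debug"}
PATH_SCANNERS = ("sast", "sca", "apk")      # each takes include (mandatory) and exclude
FINDING_RE = re.compile(r"^F\d{3}$")        # assumption: finding codes look like F011
# Field sets that make one credential entry complete; any one of them suffices.
CSPM_REQUIRED = {
    "aws_credentials": ({"access_key_id", "secret_access_key"}, {"role"}),
    "azure_credentials": ({"client_id", "client_secret", "tenant_id", "subscription_id"},),
    "gcp_credentials": ({"private_key"},),
}

def _nonempty_list(value):
    return isinstance(value, list) and len(value) > 0

def validate(cfg):
    """Return a list of human-readable errors; an empty list means the config is valid."""
    if not isinstance(cfg, dict):
        return ["top level must be a mapping"]
    errors = [f"unknown key: {k}" for k in cfg if k not in KNOWN_KEYS]
    for key in ("strict", "file_size_limit", "debug"):
        if key in cfg and not isinstance(cfg[key], bool):
            errors.append(f"{key} must be true or false")
    if "language" in cfg and cfg["language"] not in ("EN", "ES"):
        errors.append("language must be EN or ES")

    out = cfg.get("output")
    if out is not None:
        if not isinstance(out, dict):
            errors.append("output must be a mapping with file_path and format")
        else:
            if out.get("format") not in ("CSV", "SARIF"):
                errors.append("output.format must be CSV or SARIF")
            if not out.get("file_path"):
                errors.append("output.file_path is required")

    if "checks" in cfg:
        if not _nonempty_list(cfg["checks"]):
            errors.append("checks must be a non-empty list (omit it to run every finding)")
        else:
            errors += [f"checks: {c!r} is not a finding code" for c in cfg["checks"]
                       if not (isinstance(c, str) and FINDING_RE.match(c))]

    for scanner in PATH_SCANNERS:
        sec = cfg.get(scanner)
        if sec is None:
            continue
        if not isinstance(sec, dict) or not _nonempty_list(sec.get("include")):
            errors.append(f"{scanner}.include is mandatory and must list at least one path")
            continue
        limit = sec.get("recursion-limit")
        if scanner == "sast" and limit is not None and (
                isinstance(limit, bool) or not isinstance(limit, int) or limit <= 0):
            errors.append("sast.recursion-limit must be a positive integer")

    dast = cfg.get("dast")
    if dast is not None:
        if not isinstance(dast, dict) or not _nonempty_list(dast.get("urls")):
            errors.append("dast.urls is mandatory and must list at least one URL")
        else:
            errors += [f"dast.{k} must be true or false" for k in ("http_checks", "ssl_checks")
                       if k in dast and not isinstance(dast[k], bool)]

    cspm = cfg.get("cspm")
    if cspm is not None:
        if not isinstance(cspm, dict):
            errors.append("cspm must be a mapping")
        else:
            for key, entries in cspm.items():
                if key not in CSPM_REQUIRED or not _nonempty_list(entries):
                    errors.append(f"cspm.{key} must be a known provider with at least one entry")
                else:
                    errors += [f"cspm.{key}[{i}] is missing required fields"
                               for i, e in enumerate(entries) if not isinstance(e, dict)
                               or not any(req.issubset(e) for req in CSPM_REQUIRED[key])]
    return errors

# Constructed configs (not real deployments) mirroring the page's examples.
GOOD_CONFIG = {
    "namespace": "my_app", "language": "EN", "strict": True,
    "output": {"file_path": "results.sarif", "format": "SARIF"},
    "sast": {"include": ["."], "exclude": ["glob(**/node_modules/)"], "recursion-limit": 1000},
    "dast": {"urls": ["https://localhost.com"], "ssl_checks": False},
    "cspm": {"aws_credentials": [{"role": "000d", "external_id": "000d"}]},
}
BAD_CONFIG = {
    "language": "FR", "strict": "yes", "checks": ["F011", "011"],
    "output": [{"file_path": "out.csv"}, {"format": "CSV"}],   # a list, not a mapping
    "sast": {"exclude": ["glob(**/test/)"]},                     # include is missing
    "dast": {"urls": []}, "cspm": {"gcp_credentials": [{"key": "000f"}]},
}

if __name__ == "__main__":
    for problem in validate(BAD_CONFIG):
        print(problem)
```

The checks deliberately stop at what the page specifies: the validator does not interpret glob() patterns or verify that paths exist, since the path format is defined in the Format section rather than here. Running it against BAD_CONFIG reports seven problems, one per broken rule, while GOOD_CONFIG passes cleanly.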