-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy pathstackhawk-auth-external-token.yml
37 lines (37 loc) · 2.2 KB
/
stackhawk-auth-external-token.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Externally authenticate to your application w/ token based authorization.
app:
applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
env: Development
host: ${APP_HOST:http://localhost:9000}
# How should the scanner authenticate to your application when performing a scan.
authentication:
loggedInIndicator: "\\QMy profile\\E"
loggedOutIndicator: "\\QUsername: \\E"
# External authentication allows you to perform authentication in any manner you choose.
# This may be required if your app as a non-standard or multi-step authentication process.
external:
# The authorization type expected from your auth process.
# TOKEN and COOKIE and are currently supported.
type: TOKEN
# The value of the token received from a successful authentication.
# Your authorization token should be passed in via a runtime environment variable
# As it will likely need to be performed at time of scan. eg: docker run -e AUTH_TOKEN=<mytoken>
value: ${AUTH_TOKEN}
# Token based authorization. If your app doesn't use cookies to maintain session/authorization state then
# you'll likely need to pass the token on every request to the authenticated routes of your application.
tokenAuthorization:
# The type described how to pass the authentication token on each request toa an authenticated
# route in your application. QUERY_PARAM and HEADER are currently supported.
# In this case QUERY_PARAM will be http://localhost:9000/profile?cnjrd=<AUTH_TOKEN>
type: QUERY_PARAM
# The name of parameter that your application expects the authorization token to be pass as.
value: cnjrd
# The testPath configuration is used to confirm scanning as an authenticated user is configured successfully.
testPath:
# The type is either HEADER or BODY and informs the success or fail regex of what part of the response to match against.
type: HEADER
# A path to validate that authentication was successful. This path should be only accessible to authenticated users.
path: /profile
# Success criteria regex pattern.
# A successful match indicates that the response from the path specified was successful
success: ".*200.*"