activescan
Description
This job runs the active scanner. The active scanner sends attack payloads to the target, so it must only be run against applications that you have explicit permission to test.
By default the job actively scans the first context defined in the environment, so none of the parameters is mandatory. Parameters that bound the scan (maxScanDurationInMins, maxRuleDurationInMins, delayInMs, threadPerHost) are still worth setting explicitly so that a scan cannot run unbounded or overload the target.
Job Structure
- parameters: {}
  policyDefinition:
    rules: []
  name: "activeScan"
  type: "activeScan"
Possible parameters
The keys below are listed alphabetically within the block of the job structure they belong to. Keys placed in the wrong block (for example defaultStrength under parameters) are not applied.
Keys under parameters:
- addQueryParam: <bool> (Default - false)
If set, an extra query parameter is added to requests that do not have one, so that rules which inject into parameters can still test those requests.
- context: <string> (Default - first context)
Name of the context to attack. The context must be defined in the environment.
- defaultPolicy: <string> (Default - default policy)
The name of the default scan policy to use.
- delayInMs: <int> (Default - 0)
The delay in milliseconds between each request, used to reduce the load on the target.
- handleAntiCSRFTokens: <bool> (Default - false)
If set, anti-CSRF tokens are handled automatically: the current token is obtained and sent with attack requests, so forms protected by such tokens can still be tested.
- injectPluginIdInHeader: <bool> (Default - false)
If set, the id of the rule that sent each request is injected into the X-ZAP-Scan-ID header of that request, which lets the target's logs attribute each request to a rule.
- maxRuleDurationInMins: <int> (Default - 0, unlimited)
The maximum time in minutes any individual rule is allowed to run for.
- maxScanDurationInMins: <int> (Default - 0, unlimited)
The maximum time in minutes the active scanner as a whole is allowed to run for.
- policy: <string> (Default - default policy)
Name of the scan policy to be used. If this is set, policyDefinition is ignored.
- scanHeadersAllRequests: <bool> (Default - false)
If set, the headers of requests that do not include any parameters are also scanned.
- threadPerHost: <int> (Default - 2)
The maximum number of concurrent threads per host.
- user: <string>
An optional user to use for authentication. The user must be defined in the environment.
Keys under policyDefinition (only used if policy is not set):
- defaultStrength: <string> (Default - Medium)
The default Attack Strength for all rules: Low, Medium, High or Insane (not recommended).
- defaultThreshold: <string> (Default - Medium)
The default Alert Threshold for all rules: Off, Low, Medium or High.
- rules:
A list of one or more active scan rules and associated settings which override the defaults above.
Keys under each rules entry:
- id: <int>
The rule id as per https://www.zaproxy.org/docs/alerts/.
- name: <string>
The name of the rule, for documentation purposes only; it is not required and not used.
- strength: <string> (Default - Medium)
The Attack Strength for this rule: Low, Medium, High or Insane.
- threshold: <string> (Default - Medium)
The Alert Threshold for this rule: Off, Low, Medium or High. Off disables the rule.
| Name | Description | Type / Default |
|---|---|---|
| parameters.context | Name of the context to attack | String, default: first context |
| parameters.user | An optional user to use for authentication; must be defined in the environment | String |
| parameters.policy | Name of the scan policy to be used; when set, policyDefinition is ignored | String, default: Default Policy |
| parameters.maxRuleDurationInMins | The maximum time in minutes any individual rule is allowed to run for | Int, default: 0 (unlimited) |
| parameters.maxScanDurationInMins | The maximum time in minutes the active scanner is allowed to run for | Int, default: 0 (unlimited) |
| parameters.addQueryParam | If set, an extra query parameter is added to requests that do not have one | Bool, default: false |
| parameters.defaultPolicy | The name of the default scan policy to use | String, default: Default Policy |
| parameters.delayInMs | The delay in milliseconds between each request, used to reduce the load on the target | Int, default: 0 |
| parameters.handleAntiCSRFTokens | If set, anti-CSRF tokens are handled automatically | Bool, default: false |
| parameters.injectPluginIdInHeader | If set, the relevant rule id is injected into the X-ZAP-Scan-ID header of each request | Bool, default: false |
| parameters.scanHeadersAllRequests | If set, the headers of requests that do not include any parameters are also scanned | Bool, default: false |
| parameters.threadPerHost | The maximum number of concurrent threads per host | Int, default: 2 |
| policyDefinition | The policy definition; only used if policy is not set | Mapping |
| policyDefinition.defaultStrength | The default Attack Strength for all rules: Low, Medium, High or Insane (not recommended) | String, default: Medium |
| policyDefinition.defaultThreshold | The default Alert Threshold for all rules: Off, Low, Medium or High | String, default: Medium |
| policyDefinition.rules | A list of one or more active scan rules and associated settings which override the defaults | List |
| policyDefinition.rules[].id | The rule id as per https://www.zaproxy.org/docs/alerts/ | Int |
| policyDefinition.rules[].name | The name of the rule, for documentation purposes only; not required and not used | String |
| policyDefinition.rules[].strength | The Attack Strength for this rule: Low, Medium, High or Insane | String, default: Medium |
| policyDefinition.rules[].threshold | The Alert Threshold for this rule: Off, Low, Medium or High; Off disables the rule | String, default: Medium |
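The following is an added example, not a fragment from the Checkmarx documentation, showing a fully populated activeScan job that uses every block described above. It is written as one entry of the configuration file's job list. The context name "Default Context" and the user name "scan-user" are assumptions and must exist in the environment section of the same file; the rule ids 40018 (SQL Injection), 40012 (Cross Site Scripting (Reflected)) and 10104 (User Agent Fuzzer) are taken from the ZAP alerts page linked above and should be checked against it before use. Because policy is not set, the inline policyDefinition is what the scanner applies.

```yaml
# Added example of an activeScan job (not from the Checkmarx page).
# Assumed: context "Default Context" and user "scan-user" are defined in env.
- name: "activeScan"
  type: "activeScan"
  parameters:
    context: "Default Context"        # assumed context name from env
    user: "scan-user"                 # assumed user from env; omit for an unauthenticated scan
    maxScanDurationInMins: 120        # hard upper bound for the whole active scan
    maxRuleDurationInMins: 15         # no single rule may consume the whole budget
    delayInMs: 50                     # pause between requests to limit load on the target
    threadPerHost: 2                  # the default; raise only if the target can absorb it
    handleAntiCSRFTokens: true        # keep token-protected forms testable
    injectPluginIdInHeader: true      # X-ZAP-Scan-ID lets target logs attribute requests to rules
    scanHeadersAllRequests: false     # the default; true also fuzzes headers of parameterless requests
    addQueryParam: false              # the default
    # 'policy' is deliberately not set, so policyDefinition below is used
  policyDefinition:
    defaultStrength: "Low"            # baseline: few payloads per rule, fast and quiet
    defaultThreshold: "Medium"        # baseline: moderate confidence required before alerting
    rules:
      - id: 40018                     # SQL Injection: worth the extra requests
        name: "SQL Injection"
        strength: "High"
        threshold: "Low"              # report even low-confidence findings for triage
      - id: 40012                     # Cross Site Scripting (Reflected)
        name: "Cross Site Scripting (Reflected)"
        strength: "High"
        threshold: "Low"
      - id: 10104                     # User Agent Fuzzer: noisy for this target
        name: "User Agent Fuzzer"
        threshold: "Off"              # Off disables the rule entirely
```

The pattern to copy is the split between a conservative baseline (defaultStrength Low, defaultThreshold Medium) and per-rule overrides that spend the request budget on the high-impact rules; the two duration limits and delayInMs together cap how long and how hard the scanner hits the target, which is the first thing to verify before pointing the job at an environment shared with other users.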