Scan an application with a configuration file

2022/9/29

While Lucent Sky AVM offers a wide variety of scan options, setting up a scan with these advanced options can be laborious. With configuration as code, scan settings can be stored in a configuration file along with the code base. When a scan starts, settings in the configuration file will be used to configure the scan.

This article describes how to use configuration as code to scan an application with advanced options.

In this article, you will learn how to:

  • Create a YAML configuration file
  • Scan an application using settings in the configuration file

At the end, you will be able to create a YAML configuration file and scan an application with settings in the configuration file.

Create a YAML configuration file

The configuration file supports the following scan settings: AnalysisTarget, Arguments, WeaknessPolicies, and Vectors.

Each scan setting is represented as a string tag. If a tag does not exist in the configuration file or has null as its value, the existing setting will be used. To explicitly set an empty string as the value of a setting, use a pair of single quotes.

The valid values for each of the scan settings are identical to those accepted by the CLI. To learn more about scan settings, view the following article in the Lucent Sky Knowledge Base:
Lucent Sky AVM CLI Reference

  1. Create an empty text file in the root of the application with the name lucent-sky-avm-config.yaml.
  2. Insert the following content into the file:

     AnalysisTarget: 'ContosoWeb\ContosoWeb.csproj'
     Arguments: ''
     WeaknessPolicies: 'CWE330,0'

    The above example sets the analysis target to ContosoWeb\ContosoWeb.csproj, clears existing scan arguments, sets the weakness policies to CWE330,0, and uses the existing setting for vectors.

  3. Create a .zip file containing the application, with the configuration file in the root of the archive file.

Scan an application using settings in the configuration file

  1. Use the Web UI to create a new scan.
  2. In the scan settings, make sure Analysis Target and Weakness Policies are empty, enter MsBuild,12 in Scan Arguments, and uncheck Client in Vectors.
  3. Upload the source code archive with the configuration file to start the scan.
  4. Once the scan is completed, go to the scan details page and confirm the following:

    • Analysis Target shows ContosoWeb\ContosoWeb.csproj as set in the configuration file
    • Scan Arguments shows Default as set in the configuration file
    • Weakness Policies shows CWE330,0 as set in the configuration file
    • Vectors does not include Client, because the configuration file did not set Vectors and the settings chosen when creating the scan were used

To prevent a scan from using settings in the configuration file, set the IgnoreConfigFile scan argument to True.
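
The following pre-upload check is an added example, not part of Lucent Sky AVM or its documentation. It confirms that the configuration file sits in the archive root and computes which settings the scan should end up with under the override rules described above. The function names, the simplified tag reader, the handling of unsupported tags, and the Vectors placeholder value are assumptions made for illustration.

```python
import io
import zipfile

CONFIG_NAME = "lucent-sky-avm-config.yaml"
SETTINGS = ("AnalysisTarget", "Arguments", "WeaknessPolicies", "Vectors")

def parse_flat_tags(text):
    # Simplified reader for top-level 'Tag: value' lines, not a full YAML parser.
    tags = {}
    for line in text.splitlines():
        key, sep, raw = line.strip().partition(":")
        if not sep or key.startswith("#"):
            continue
        raw = raw.strip()
        if raw in ("", "null", "~"):
            tags[key.strip()] = None  # null: the existing setting is kept
        elif len(raw) >= 2 and raw[0] == raw[-1] == "'":
            tags[key.strip()] = raw[1:-1].replace("''", "'")  # bare '' yields ""
        else:
            tags[key.strip()] = raw
    return tags

def read_root_config(archive_bytes):
    # Only a file in the archive root counts; 'app/<name>' does not match.
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        if CONFIG_NAME not in zf.namelist():
            return None
        return zf.read(CONFIG_NAME).decode("utf-8")

def effective_settings(existing, archive_bytes, ignore_config_file=False):
    # ignore_config_file models the IgnoreConfigFile scan argument set to True.
    result = dict(existing)
    text = None if ignore_config_file else read_root_config(archive_bytes)
    for key, value in parse_flat_tags(text or "").items():
        if key in SETTINGS and value is not None:  # assumption: other tags are skipped
            result[key] = value
    return result

def build_sample_archive(config_path=CONFIG_NAME):
    # Constructed archive holding the article's example configuration.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(config_path, "AnalysisTarget: 'ContosoWeb\\ContosoWeb.csproj'\n"
                                 "Arguments: ''\nWeaknessPolicies: 'CWE330,0'\n")
    return buf.getvalue()

# Settings entered in the Web UI in the walkthrough; the Vectors value is a placeholder.
UI = {"AnalysisTarget": "", "Arguments": "MsBuild,12",
      "WeaknessPolicies": "", "Vectors": "<vectors without Client>"}
print(effective_settings(UI, build_sample_archive()))
```

An empty Arguments value in the result corresponds to the Default shown on the scan details page. If the archive was created from a parent folder, the configuration file ends up nested one level down and the settings entered when creating the scan remain in effect.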