Running a Scan

This command enables you to start a new scan.

Discovery options

-a, --archive

A collection of your app's HTTP/WebSocket logs in a HAR file. Usually you can produce it with browser dev tools or our browser web extension.

--archive=fileId, -a=fileId

The archive ID, which can be received via the archive:upload command.

--crawler=url, -c=url

Specifies a list of specific URLs that should be included during crawler discovery.

Additional options


--host-filter=hostOrIp, -F=hostOrIp

The list of specific hosts to be included in the scan.

--header=headerName:headerValue, -H=headerName:headerValue

Extra headers to be passed with the archive file. It can also be used to remove a header by providing a name without content. For example, -H "Host:".

Warning: Headers set with this option override the archive headers and are set in all the requests.

--test=testName

Specifies a list of relevant tests to execute during a scan.
For the list of available tests, see the Vulnerabilities Index.

Example: bright-cli scan:run --test default_login_location xss.
Note: The usage of --bucket and --test arguments together is not allowed.

--bucket

Specifies a list of test buckets to use for the scan.
For the list of available tests, see the Vulnerabilities Index.

Example: bright-cli scan:run --bucket api client_side
Note: The usage of --bucket and --test arguments together is not allowed.

--smart

Enables you to use automatic smart decisions, such as parameter skipping, detection phases, and so on to minimize scan time. When set to false (turned off), all tests are run on all parameters, which increases the coverage at the expense of scan time.

Default: --smart true

--name=scanName, -n=scanName

The name of the scan.
Required option.

--project, -p

Allows specifying the Bright project for a scan using the project ID. You can find the project ID in the Projects section in the Bright app.

--param=path/query/fragment/header/body/artificial-fragment/artificial-query

Note: This argument can be passed multiple times in the same command.
Default: --parameter body query fragment.

--auth=authObjectID, -o=authObjectID

Specifies the ID of the authentication object to be connected to the scan. To learn more about authentication objects, see Authentication.

--template=templateId,-tp=templateId

Template ID. Allows importing scan settings from a template. If any scan settings are specified explicitly, they override the template settings.

Examples:

  • scan:run -t apiKey -n scanName -p projectId -tp templateId – starts a scan with all settings imported from the template.
  • scan:run -t apiKey -n scanName -p projectId -tp templateId --test testName – starts a scan with all settings except the tests imported from the template.

--exclude

Enables you to manage exclusions from a scan.

If you want to ignore some of the parameter names during the tests, use --exclude-param. For example, --exclude-param ID$.

--exclude-entry-point

A list of JSON strings that contain patterns for entry points you would like to ignore during the tests.

Important:

  • To remove default exclusions, pass an empty string.
  • To apply patterns for all HTTP methods, you can set an empty array to "methods". For example {"methods": [], "patterns": "users\\/?$"}.

--entrypoint, -e

  1. Specify Entrypoint IDs:
    Users can pass a list of entrypoint IDs to run the scan on specific entrypoints. Example: bright-cli scan:run --entrypoint <entrypoint_id1> <entrypoint_id2> <entrypoint_id3>

  2. Scan Project-Level Entrypoints:
    If a project is specified and the --entrypoint flag is added without specifying entrypoint IDs, the scan will run on the first 2000 project-level Entrypoints. Example: bright-cli scan:run --project <PROJECT_ID> --entrypoint

--concurrency

Maximum number of concurrent requests that may be sent to the target. The value ranges from 1 to 50 (default: 10).
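The option rules above (--name is required, --bucket and --test cannot be combined, --concurrency must stay between 1 and 50, an empty "methods" array applies an entry-point exclusion to all HTTP methods, and -H "Name:" with no value removes a header) are easy to get wrong when a scan is launched from a CI script. The following helper, an added example that is not part of bright-cli or its documentation, assembles a scan:run argument vector and rejects invalid combinations before anything is executed. It assumes the page's argument shapes (repeated values passed space-separated after one flag, as in --test default_login_location xss) and uses the option names exactly as listed; the function and parameter names are hypothetical.

```python
import json
import shlex

# Bounds for --concurrency as stated on the page
CONCURRENCY_MIN, CONCURRENCY_MAX = 1, 50


def entry_point_exclusion(pattern, methods=()):
    """Build one value for --exclude-entry-point.

    An empty methods list serialises to "methods": [], which the page
    documents as applying the pattern to all HTTP methods.
    """
    return {"methods": list(methods), "patterns": pattern}


def build_scan_run_command(name, project=None, tests=(), buckets=(),
                           concurrency=10, headers=None, exclude_entry_points=(),
                           smart=True, archive_id=None, template_id=None):
    """Return argv for `bright-cli scan:run`, enforcing the documented rules.

    Raises ValueError instead of producing an invocation the CLI would reject
    (or, worse, one that silently scans with the wrong settings).
    """
    if not name:
        raise ValueError("--name is required")
    if tests and buckets:
        raise ValueError("--bucket and --test may not be used together")
    if not CONCURRENCY_MIN <= int(concurrency) <= CONCURRENCY_MAX:
        raise ValueError(
            f"--concurrency must be between {CONCURRENCY_MIN} and {CONCURRENCY_MAX}")

    argv = ["bright-cli", "scan:run", "--name", name]
    if project:
        argv += ["--project", project]
    if archive_id:
        argv += ["--archive", archive_id]
    if template_id:
        argv += ["--template", template_id]
    if tests:
        argv += ["--test", *tests]
    if buckets:
        argv += ["--bucket", *buckets]
    if not smart:
        argv += ["--smart", "false"]
    for header_name, header_value in (headers or {}).items():
        # An empty value yields "Name:", which removes that header from
        # every request (the page's -H "Host:" example).
        argv += ["--header", f"{header_name}:{header_value}"]
    for exclusion in exclude_entry_points:
        argv += ["--exclude-entry-point", json.dumps(exclusion)]
    argv += ["--concurrency", str(concurrency)]
    return argv


def is_valid_combination(**kwargs):
    """True if build_scan_run_command accepts these options, False otherwise."""
    try:
        build_scan_run_command(**kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a named scan on one project, one test, the Host
    # header stripped, and one entry-point pattern excluded for all methods.
    cmd = build_scan_run_command(
        "nightly-api-scan",
        project="PROJECT_ID_PLACEHOLDER",
        tests=["xss"],
        headers={"Host": ""},
        exclude_entry_points=[entry_point_exclusion("users/?$")],
    )
    print(shlex.join(cmd))
```

The helper only builds the argument list; pass it to subprocess.run as a list rather than joining it into a string, so header values and JSON patterns are never re-parsed by a shell.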