Skip to content

Configuration Schema

This page documents the fields of Shannon’s YAML configuration file. For a guided walkthrough, see the Configuration guide.

FieldTypeDescription
descriptionstringFree-text description of the target environment.
vuln_classeslistLimit which vulnerability classes run end-to-end: injection, xss, auth, authz, ssrf.
exploitstringSet to "false" to skip the exploitation phase.
rules_of_engagementstringFree-form rules of engagement, one per line.
authenticationobjectLogin configuration for authenticated testing.
rulesobjectavoid and focus scope rules.
reportobjectFilters applied by the report agent.
pipelineobjectRetry and concurrency tuning.
FieldDescription
login_typeLogin mechanism: form, sso, api, or basic.
login_urlURL of the login page.
credentialsUsername, password, TOTP secret, and optional email login.
login_flowOrdered list of steps describing how to log in.
success_conditionHow Shannon confirms a successful login.
FieldDescription
usernameTest account username.
passwordTest account password.
totp_secretTOTP secret used to generate $totp codes.
email_login.addressMailbox address for magic-link / email-OTP flows.
email_login.passwordMailbox password.
email_login.totp_secretMailbox TOTP secret for $email_totp.

$username, $password, $totp, $email_address, $email_password, $email_totp. See Authenticated Testing.

type is one of url_contains, element_present, url_equals_exactly, or text_contains. value is the string to match against.

success_condition:
type: url_contains
value: "/dashboard"

Contains avoid and focus lists. Each entry has a description, a type, and a value.

Supported rule types: url_path, subdomain, domain, method, header, parameter, and code_path. code_path values are repo-relative file paths or globs.

rules:
avoid:
- description: "AI should avoid testing logout functionality"
type: url_path
value: "/logout"
focus:
- description: "AI should emphasize testing API endpoints"
type: url_path
value: "/api"
FieldDescription
min_severityMinimum severity to include: low, medium, high, or critical.
min_confidenceMinimum confidence to include: low, medium, or high.
guidanceFree-text guidance describing findings to drop.
FieldDescription
retry_presetRetry strategy preset: default, or subscription to extend timeouts for Anthropic subscription rate-limit windows.
max_concurrent_pipelinesHow many vulnerability pipelines run simultaneously. Values 1 to 5, default 5.
pipeline:
retry_preset: subscription
max_concurrent_pipelines: 2
description: "Next.js e-commerce app on PostgreSQL. Local dev environment; .env files contain local-only credentials."
# vuln_classes: [injection, xss, auth, authz, ssrf]
# exploit: "false"
authentication:
login_type: form
login_url: "https://your-app.com/login"
credentials:
username: "test@example.com"
password: "yourpassword"
totp_secret: "LB2E2RX7XFHSTGCK"
login_flow:
- "Type $username into the email field"
- "Type $password into the password field"
- "Click the 'Sign In' button"
success_condition:
type: url_contains
value: "/dashboard"
rules:
avoid:
- description: "AI should avoid testing logout functionality"
type: url_path
value: "/logout"
focus:
- description: "AI should emphasize testing API endpoints"
type: url_path
value: "/api"