Configuration Schema
This page documents the fields of Shannon’s YAML configuration file. For a guided walkthrough, see the Configuration guide.
Top-level fields
Section titled “Top-level fields”| Field | Type | Description |
|---|---|---|
description | string | Free-text description of the target environment. |
vuln_classes | list | Limit which vulnerability classes run end-to-end: injection, xss, auth, authz, ssrf. |
exploit | string | Set to "false" to skip the exploitation phase. |
rules_of_engagement | string | Free-form rules of engagement, one per line. |
authentication | object | Login configuration for authenticated testing. |
rules | object | avoid and focus scope rules. |
report | object | Filters applied by the report agent. |
pipeline | object | Retry and concurrency tuning. |
authentication
Section titled “authentication”| Field | Description |
|---|---|
login_type | Login mechanism: form, sso, api, or basic. |
login_url | URL of the login page. |
credentials | Username, password, TOTP secret, and optional email login. |
login_flow | Ordered list of steps describing how to log in. |
success_condition | How Shannon confirms a successful login. |
credentials
Section titled “credentials”| Field | Description |
|---|---|
username | Test account username. |
password | Test account password. |
totp_secret | TOTP secret used to generate $totp codes. |
email_login.address | Mailbox address for magic-link / email-OTP flows. |
email_login.password | Mailbox password. |
email_login.totp_secret | Mailbox TOTP secret for $email_totp. |
Login flow placeholders
Section titled “Login flow placeholders”$username, $password, $totp, $email_address, $email_password, $email_totp. See Authenticated Testing.
success_condition
Section titled “success_condition”type is one of url_contains, element_present, url_equals_exactly, or text_contains. value is the string to match against.
success_condition: type: url_contains value: "/dashboard"Contains avoid and focus lists. Each entry has a description, a type, and a value.
Supported rule types: url_path, subdomain, domain, method, header, parameter, and code_path. code_path values are repo-relative file paths or globs.
rules: avoid: - description: "AI should avoid testing logout functionality" type: url_path value: "/logout" focus: - description: "AI should emphasize testing API endpoints" type: url_path value: "/api"report
Section titled “report”| Field | Description |
|---|---|
min_severity | Minimum severity to include: low, medium, high, or critical. |
min_confidence | Minimum confidence to include: low, medium, or high. |
guidance | Free-text guidance describing findings to drop. |
pipeline
Section titled “pipeline”| Field | Description |
|---|---|
retry_preset | Retry strategy preset: default, or subscription to extend timeouts for Anthropic subscription rate-limit windows. |
max_concurrent_pipelines | How many vulnerability pipelines run simultaneously. Values 1 to 5, default 5. |
pipeline: retry_preset: subscription max_concurrent_pipelines: 2Full example
Section titled “Full example”description: "Next.js e-commerce app on PostgreSQL. Local dev environment; .env files contain local-only credentials."
# vuln_classes: [injection, xss, auth, authz, ssrf]# exploit: "false"
authentication: login_type: form login_url: "https://your-app.com/login" credentials: username: "test@example.com" password: "yourpassword" totp_secret: "LB2E2RX7XFHSTGCK" login_flow: - "Type $username into the email field" - "Type $password into the password field" - "Click the 'Sign In' button" success_condition: type: url_contains value: "/dashboard"
rules: avoid: - description: "AI should avoid testing logout functionality" type: url_path value: "/logout" focus: - description: "AI should emphasize testing API endpoints" type: url_path value: "/api"