# SecuScan Environment Configuration
# Copy this file to `.env` and adjust values for your local setup.
# Lines that start with `#` are disabled; uncomment a key to override its built-in default.
# The resulting `.env` will hold secrets (vault key, admin API key) — keep it out of version control.

# Backend Settings
# Development default; review before enabling outside a local setup.
SECUSCAN_DEBUG=true
SECUSCAN_LOG_LEVEL=INFO
# 127.0.0.1 accepts connections from this host only; 0.0.0.0 would expose the API on every interface.
SECUSCAN_BIND_ADDRESS=127.0.0.1
SECUSCAN_BIND_PORT=8000

# Storage and Cache
# SECUSCAN_DATABASE_PATH=backend/data/secuscan.db
# SECUSCAN_REDIS_URL=redis://127.0.0.1:6379/0
# SECUSCAN_CACHE_TTL_SECONDS=30

# Docker Support
SECUSCAN_DOCKER_ENABLED=false
# Docker sandbox network (auto-created if absent; ICC disabled for isolation)
SECUSCAN_DOCKER_NETWORK=restricted

# Security Defaults
SECUSCAN_SAFE_MODE_DEFAULT=true
SECUSCAN_REQUIRE_CONSENT=true
# NOTE(review): the default denylist under "Network Policy" below also covers 127.0.0.0/8;
# which of the two settings wins for loopback targets is not visible here — confirm in
# docs/SECURE_DEPLOYMENT.md before relying on either.
SECUSCAN_ALLOW_LOOPBACK_SCANS=true
# NOTE(review): this example uses wildcard notation while SECUSCAN_NETWORK_DENYLIST uses CIDR;
# confirm which form this key accepts. Also `172.16.*.*` matches only 172.16.0.0/16, not the
# full RFC1918 range 172.16.0.0/12 (172.16.0.0–172.31.255.255).
# SECUSCAN_ALLOWED_NETWORKS=127.0.0.1,192.168.*.*,10.*.*.*,172.16.*.*
# Browser origins allowed to call the API; list exact scheme+host+port values, never a bare `*`.
# SECUSCAN_CORS_ALLOWED_ORIGINS=http://127.0.0.1:5173,http://localhost:5173

# Network Policy & Admin Authentication
# See docs/SECURE_DEPLOYMENT.md → "Environment Variable Matrix" for defaults and impact.
# Empty value: no explicit allowlist (presumably only the denylist applies — verify against the matrix).
# SECUSCAN_NETWORK_ALLOWLIST=
# Default denylist (blocks cloud-metadata, RFC1918, CGNAT, and IPv6 ULA/link-local/loopback):
# SECUSCAN_NETWORK_DENYLIST=169.254.169.254/32,169.254.0.0/16,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10,fc00::/7,fe80::/10,::1/128
# SECUSCAN_ENFORCE_NETWORK_POLICY=true
# `block` presumably fails closed when a target cannot be evaluated against the policy;
# the other accepted values are not listed here — see the matrix.
# SECUSCAN_NETWORK_POLICY_FAILURE_MODE=block
# Secret: generate a random token (same method as the vault key below); never reuse the placeholder.
# SECUSCAN_ADMIN_API_KEY=replace-with-a-secure-admin-token

# Credential Vault — REQUIRED before first run
# Generate with: python -c "import secrets; print(secrets.token_hex(32))"
# The server refuses to start the vault if this is unset.
# NOTE(review): the placeholder below is an *active* value, so an unedited copy of this file
# will not trip the "unset" check above — replace it with real token_hex output before first run.
SECUSCAN_VAULT_KEY=replace-with-output-of-secrets.token_hex-32

# Plugin Security
# SECUSCAN_PLUGIN_SIGNATURE_KEY=replace-with-your-signing-key
# With enforcement off, unsigned plugins are presumably accepted; set to true once a signing key is configured.
# SECUSCAN_ENFORCE_PLUGIN_SIGNATURES=false

# Plugin Capability Policy
# Comma-separated list of capabilities to deny across all plugins.
# Plugins that require any denied capability will fail before execution.
# Supported values: network, filesystem, docker, credentials, intrusive, exploit
# Example: deny all exploitation and credential-accessing plugins:
# SECUSCAN_DENIED_CAPABILITIES=exploit,credentials

# Parser Sandbox Limits
# Plugin parser.py files run in isolated subprocesses. Adjust these if you have
# plugins that produce very large output or need more time to parse.
# Raising these loosens the sandbox's resource bounds; use the smallest values your plugins need.
# SECUSCAN_PARSER_SANDBOX_TIMEOUT_SECONDS=30
# 8388608 bytes = 8 MiB
# SECUSCAN_PARSER_SANDBOX_MAX_OUTPUT_BYTES=8388608

# Frontend Overrides
# Leave these unset for the default local dev flow.
# VITE_API_PROXY_TARGET=http://127.0.0.1:8000
# VITE_API_BASE=http://127.0.0.1:8000/api/v1