Skip to main content

How to customize a scan profile

Learn how to create custom scan profiles to adjust and fine-tune scans for your targets.

Ana Pascoal avatar
Written by Ana Pascoal
Updated over 2 weeks ago

Snyk API & Web provides a variety of built-in scan profiles to choose from and define how your targets are scanned. Each of these built-in scan profiles is, in fact, a group of scanning conditions that are pre-configured by Snyk API & Web to provide certain pre-defined scanning behaviors.

Snyk API & Web also allows the customization of scan profiles if you need to adjust and fine-tune the scans for your targets.

Watch this video for an overall view of Custom Scan Profiles.

Customize a Scan Profile

In the Snyk API & Web app, customize a scan profile as follows:

  1. Open the Settings dropdown menu on the bottom-left corner of the navigation bar and click on Scan Profiles.

  2. On the Scan Profiles screen, you have three options to customize a scan profile:

    1. Add - Click on the ADD CUSTOM PROFILE button to create a new custom scan profile starting from a blank configuration.

    2. Clone - Click on the Clone button of a scan profile in the list to create a new custom scan profile based on an existing configuration and adjust it to your needs.

    3. Edit - Click on the Edit button of a scan profile in the list to adjust its configuration. This option is unavailable for built-in scan profiles, which can only be cloned.

  3. In the form that follows, configure the custom scan profile:

    1. Type the name.

    2. Type a description (optional).

    3. Customize the scanning behavior, divided into three sections:

      1. GLOBAL

        1. Target type - Choose the type of target for which this scan profile is available: Web applications or standalone APIs.

        2. HTTP methods - Choose the type of HTTP methods to be used in scanning requests. It will allow the choice of an ideal set of methods for targets with websites or applications that are in production.

        3. Scan Speed - Choose the throughput of scanning requests regarding the target’s response time to avoid overloading the target with too many requests and optimizing the resources consumed by a scan.
          Regardless of the scan speed, if Snyk API & Web detects that the target is not able to handle the requests throughput during a scan, the scanner will automatically throttle down to attain the optimal performance.

        4. Request Delay - Set the time delay (in milliseconds) between requests for each scanning thread. It is an approximate value and is more accurate for slower Scan speed settings.

          The maximum delay allowed is 5000ms. If not defined, there is no delay between requests.

        5. Limit scan duration - Set the maximum time the scan is allowed to run. If not set, there is no limit. The usage of this setting might cause the scan to miss vulnerabilities.

      2. CRAWLER

        1. Crawler deduplication - Snyk API & Web uses a Simhash algorithm to detect similar pages and scan only a few of them. A page is considered similar if it shares the same HTML element structure.

          This feature is enabled by default. Unticking the checkbox turns it off and can increase the scan duration significantly.

        2. URL pattern detection - Snyk API & Web detects patterns in URLs identifying similar pages and scans only a few of them. For instance, pages like /2023-10-08-probely-scanner-finds-another and /2022-03-18-cibersecurity-is-important share the pattern /YYYY-MM-DD- followed by several words separated by a hyphen. This feature is enabled by default. Unticking the checkbox turns it off and can increase the scan duration significantly.

        3. Maximum URLs crawled - Set the maximum number of URLs the crawler visits.

          The maximum value available is 50.000. The default is 5.000, a good compromise between coverage and scan time.

      3. SCANNER

        1. Scanner Payloads - Choose the diversity of payloads and headers used for testing vulnerabilities to fine-tune the number of scanning requests made to each URL of the target.
          Regardless of the scanner payloads, the vulnerabilities considered for testing are the same.

        2. Vulnerabilities - Choose the vulnerabilities to be verified by the scanner: all or a specific subset.

  4. Click on SAVE to finish the customization of the scan profile.

Once created, custom scan profiles are available in the list of profiles in the target settings. You only have to switch the scan profile of the target to the desired custom scan profile.

Finally, you can delete a custom scan profile by clicking the Delete button on the list of scan profiles, and Snyk API & Web will prompt you to confirm your action. If one or more targets still use the profile to be deleted, Snyk API & Web also indicates which will be the replacement scan profile to set in those targets.

Did this answer your question?