Scan Configuration

Use spectral.yaml to set the configuration for a specific asset if this is a file-based asset.

Code Security enables you to set the configuration on all assets of the same type.

To set the configuration for your account:

  1. Navigate to Code Security > Settings > Scan configuration. Select the type of asset to which you apply the configuration.

  2. Set the configuration in the input as YAML (in the same format and structure as in spectral.yaml).

Note - You can disable this configuration for an asset by adding the --ignore-remote-config flag while executing your scan. For example, spectral scan --ignore-remote-config.

Fallback

In the Fallback section, set the behavior of the scanner if misconfiguration or hardening settings affect the validity of the scan. Select one of these settings:

Strict

  Behavior: If the scan detects any misconfiguration, the scan stops and shows an error code. This is the default setting.

  Use case: This mode is ideal for users who need a high level of confidence that their configurations are correct before proceeding with the scan.

Warn and proceed

  Behavior: The scan finishes and shows the fallback actions it took. If the scanner detects a misconfiguration, the scanner reverts the configuration to the default value and continues the scan. Examples of misconfigurations:

    • Invalid spectral.yaml configuration file

    • Invalid custom rules

    • Invalid tags

  Use case: This mode is beneficial for users who wish to continue scanning despite minor configuration issues and are comfortable with default values being applied for any misconfigured flags.

Hardening

For each configuration and its source, select whether Spectral is allowed or restricted from applying it in your organization's assets:

  Configuration          Source
  OK                     CLI, Local Configuration File
  Exclude Tags           CLI, Local Configuration File
  Exclude                CLI, Local Configuration File
  Include                CLI, Local Configuration File
  Ignores                Local Configuration File
  Ignores Options        Local Configuration File, Inline Ignores
  Fail on Error          CLI
  Fail on Critical       CLI
  Ignore Remote Config   CLI
  Since                  CLI
  Max Size               CLI
  Show Match             CLI
  Send Local Ignores     Local Configuration File, Inline Ignores

Combining Configurations

  • match_ignores - If a spectral.yaml file exists locally, its match_ignores section is merged with the match_ignores section of the asset type. The resulting list of ignores therefore contains both the ignores configured locally in spectral.yaml and the ignores defined per asset type.

  • projects - If a spectral.yaml file exists locally, the projects configuration of the asset type is not applied. Only the local projects configuration is applied, if spectral.yaml contains one.

Asset Type Configuration Usage Indication

To know if an asset scan used asset type configuration, check if the scan banner named remote_cfg shows the value Yes.
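The merge rules for match_ignores and projects described under Combining Configurations, together with the remote_cfg indication above, as an added Python illustration (not Spectral's own code). It assumes the local spectral.yaml and the asset-type configuration are already parsed into dicts, that match_ignores is a list of entries and projects a mapping, and that --ignore-remote-config skips the asset-type configuration entirely; the sample inputs are constructed.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample inputs, standing in for yaml.safe_load() output.
REMOTE_CFG: dict[str, Any] = {  # asset-type configuration set in Code Security
    "match_ignores": [{"match": "**/testdata/**"}, {"match": "docs/**"}],
    "projects": {"billing": {"path": "services/billing"}},
}
LOCAL_CFG: dict[str, Any] = {  # contents of a local spectral.yaml (assumed schema)
    "match_ignores": [{"match": "docs/**"}, {"match": "fixtures/*.pem"}],
    "projects": {"web": {"path": "apps/web"}},
}


def combine(local: dict | None, remote: dict | None,
            ignore_remote: bool = False) -> tuple[dict[str, Any], bool]:
    """Return (effective_config, remote_cfg_used).

    local is None when no spectral.yaml exists; remote is the asset-type
    configuration; ignore_remote models the --ignore-remote-config flag.
    """
    if ignore_remote or remote is None:
        # Asset-type configuration is skipped: the banner's remote_cfg shows No.
        return dict(local or {}), False
    if local is None:
        # No local spectral.yaml: the asset-type configuration applies as-is.
        return dict(remote), True

    merged: dict[str, Any] = {}
    # match_ignores: union of local and asset-type ignores. Local entries
    # come first; duplicates are dropped by comparing their JSON form.
    seen: set[str] = set()
    ignores: list[Any] = []
    for entry in local.get("match_ignores", []) + remote.get("match_ignores", []):
        key = json.dumps(entry, sort_keys=True)
        if key not in seen:
            seen.add(key)
            ignores.append(entry)
    if ignores:
        merged["match_ignores"] = ignores
    # projects: a local spectral.yaml exists, so the asset-type projects are
    # not applied at all; only the local section (if present) is used.
    if "projects" in local:
        merged["projects"] = local["projects"]
    return merged, True


if __name__ == "__main__":
    cfg, used = combine(LOCAL_CFG, REMOTE_CFG)
    print(json.dumps(cfg, indent=2), "\nremote_cfg:", "Yes" if used else "No")
```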

Secrets Scanning

Use Secrets Scanning to avoid hardcoding and sharing secrets in your assets. Secrets Scanning uses more than 2,500 built-in rules to scan for certificates, PEM files, API keys, passwords, and other sensitive information.

To do a Secrets Scan, run:

spectral scan

To see more results, run:

spectral scan --include-tags base,audit,audit3

Key Validation

When Spectral finds a token (for example: a valid GitHub token), it can test if the token is valid. Valid tokens in assets are a more serious security risk than invalid tokens.

Use the --validate flag to test the validity of tokens that Spectral finds in a scan. Run:

spectral scan --validate

Infrastructure as Code

Spectral Infrastructure as Code (IaC) scans your IaC files and notifies you about misconfigurations. IaC supports AWS, Google, Azure, Kubernetes and other platforms. Scan results show the misconfigured resource and give remediation suggestions.

Use the --engines iac flag to run the IaC engine and scan your IaC files for misconfigurations. Run:

spectral scan --engines iac