Skip to content

Configuring Scanner Behavior#

You can specify the scanner's behavior in the configuration file (config.toml).

Configuration on Linux#

In FutureVuls, the following settings can be configured during the scanner installation.

Setting Variable Name Description
Scan Mode VULS_SCAN_MODE Controls whether the scan requires root privileges
Offline Scan VULS_SCAN_OFFLINE Whether an internet connection is required during the scan
Automatic Scanner Update AUTO_REFRESH_BINARY Whether to update the scanner during each scan
Proxy Settings VULS_PROXY Proxy server settings for environments behind a proxy

Scan Mode#

Select whether root privileges are required to run the scan. We recommend scanning with fast-root, which can acquire information useful for triage, such as the status of running processes.

Scan Mode Description
Fast-Root Scan (Default) A mode that requires root privileges to run the scanner program
Fast Scan A mode with limitations on the information that can be acquired, but does not require root privileges to run the scanner program

When Fast mode is selected, the following information cannot be acquired:

  • The running status of processes related to packages and the status of listening ports: "Software tab" > "Running Processes" column
  • The latest version of packages: "Task Details" tab > "Related Software" > "Update" column
    • However, on some OSes (such as AlmaLinux and Rocky Linux), this can still be acquired when scanning in fast mode.
  • Whether a process restart is required: "Software tab" > "Process Restart Required" column

The scan mode can be configured via scanMode in config.toml.

#For Fast-Root scan
scanMode = ["fast-root"]

#For Fast scan
scanMode = ["fast"]

If you use Fast scan mode, the configuration for /etc/sudoers.d/vuls-saas is not necessary and should be deleted.

Offline Scan#

By specifying offline, you can scan even in environments where the target server cannot connect to the internet. This is supported on some OSes. For details on supported systems, please refer to the "OSS Documentation".

The offline scan setting can be configured via scanMode in config.toml.

# To use offline scan mode, add it as follows (the same applies to Fast scan mode)
scanMode = ["fast-root", "offline"]

Note that in offline mode, some information cannot be acquired. Typical examples of information that cannot be acquired are as follows:

  • The latest version of packages: "Task Details" tab > "Related Software" > "Update" column
  • Whether a process restart is required: "Software tab" > "Process Restart Required"
    • However, if the OS is Debian, this can be acquired as an exception even when scanning in offline mode.

Scan Modules#

You can customize the scanner's behavior to suit your environment and purpose. For example:

  • Detect WordPress vulnerabilities without scanning OS packages.
  • Only detect vulnerabilities in libraries deployed on the server.
  • Skip the port connection check.

The following values can be specified for scanModules:

scanModules = ["ospkg", "wordpress", "lockfile", "port"]
Name Description
ospkg Collects the list of OS packages
lockfile Collects lockfiles for programming language libraries. Details
wordpress Collects the list of WordPress Core, Plugins, and Themes. Details
port Checks the connection from the Scanner to the ports the server is listening on

By default, scanModules is omitted, and in this case, all four modules (ospkg, wordpress, lockfile, and port) are enabled. However, scans for wordpress and lockfile are only performed if the corresponding settings (e.g., WordPress configuration path, Lockfile path) are specified in config.toml.

If the settings do not exist, the corresponding scan will not actually run even if the module is enabled.

For information on how to configure the respective paths, please refer to the following:

Configuration with Trivy#

For the standard Trivy scan, options can be specified in the /opt/vuls-trivy-saas/config.toml file.

For Container Images#

Item Description Required
Inside [] images.<name> (the value of <name> does not need to match <imageName>:<tag>)
imageName The name of the container image to be scanned
tag The tag of the container image to be scanned
uuid A UUID generated by uuidgen or similar tools

For Libraries#

Item Description Required
Inside [] libraries.<name> (the value of <name> does not need to match targetPath)
targetPath The path to the target directory or lockfile
uuid A UUID generated by uuidgen or similar tools

Example of config.toml#

[saas]
  GroupID = XXX
  Token = "xxxxxxxx"
  Proxy = 'http://name:pass@proxy:port'

[scanner]
  refreshScanner = true

  [images.myApp:latest]
    imageName = "myApp"
    tag = "latest"
    uuid = "xxxxxxxx"

  [libraries./xxx/xxx]
    targetPath = "/xxx/xxx"
    uuid = "xxxxxxxx"

Notes on Library Scanning#

Behavior when multiple lockfiles exist under a directory#

If multiple lockfiles exist under the directory specified by targetPath, those lockfiles will be registered together as a single server.

If you want to manage each lockfile individually, please specify the path for each lockfile separately in targetPath as shown below. Also, specify a different uuid for each lockfile.

[libraries.single_react_lib]
    targetPath = "/path/to/package-lock.json"
    uuid = "xxx"
[libraries.single_rails_lib]
    targetPath = "/path/to/Gemfile.lock"
    uuid = "yyy"