Configuration
Configure DAST Scanner using environment variables and command-line options.
Levo Platform Configuration
Authenticate with environment variables
The simplest way to scan and report findings is to pass credentials directly as environment variables on each run — no persistent state, no login step:
export LEVOAI_AUTH_KEY=<your-auth-key>
export LEVOAI_ORG_ID=<your-org-id>
export LEVOAI_ENV_ID=<your-env-id>
docker run --rm -it --shm-size=1g \
-e LEVOAI_AUTH_KEY -e LEVOAI_ORG_ID -e LEVOAI_ENV_ID \
-e LEVOAI_BASE_URL=https://api.levo.ai \
levoai/levoai-shadownet:stable \
scan https://example.com --send-issues
The bare -e VAR form forwards the value from your shell, so secrets stay out of the command line.
Persistent login (optional)
For repeated runs you can authenticate once and persist the session under /home/levo/.config/configstore:
docker run --rm -it \
-v $HOME/.config/configstore:/home/levo/.config/configstore:rw \
-e LEVOAI_BASE_URL=https://api.levo.ai \
levoai/levoai-shadownet:stable \
login -k <your-auth-key> -o <your-org-id>
Subsequent scan calls only need the same -v $HOME/.config/configstore:/home/levo/.config/configstore:rw mount — no -e LEVOAI_AUTH_KEY.
Get Your Credentials
- Log in to Levo
- Go to Settings → API Keys
- Copy your Auth Key (refresh token)
- Copy your Organization ID
- Go to Environments and get your Environment ID
Environment Variables
Set these when running Docker to configure DAST Scanner:
Levo Platform
| Variable | Required | Example | Description |
|---|---|---|---|
| LEVOAI_AUTH_KEY | No | Your refresh token | Authentication key for Levo |
| LEVOAI_ORG_ID | No | Your organization ID | Organization identifier |
| LEVOAI_BASE_URL | No | https://api.levo.ai | Levo API endpoint (default) |
LLM Integration (AI Crawling)
| Variable | Provider | Example | Description |
|---|---|---|---|
| OPENAI_API_KEY | OpenAI | sk-... | API key for GPT models |
| ANTHROPIC_API_KEY | Anthropic | sk-ant-... | API key for Claude models |
Use one of these for AI-guided crawling:
docker run --rm -it --shm-size=1g \
-e OPENAI_API_KEY=sk-... \
levoai/levoai-shadownet:stable \
scan https://example.com --crawl-mode ai
Network & Proxy
| Variable | Purpose | Example |
|---|---|---|
| HTTP_PROXY | HTTP proxy | http://proxy.example.com:8080 |
| HTTPS_PROXY | HTTPS proxy | https://proxy.example.com:8443 |
| NO_PROXY | Proxy bypass list | localhost,127.0.0.1 |
export HTTPS_PROXY=http://proxy.example.com:8080
docker run --rm -it --shm-size=1g \
-e HTTPS_PROXY \
levoai/levoai-shadownet:stable \
scan https://example.com
Docker Configuration
Required Flags
Always use these when running DAST Scanner:
docker run --rm -it --shm-size=1g \
levoai/levoai-shadownet:stable \
scan <target>
| Flag | Purpose |
|---|---|
| --rm | Remove container after execution |
| -it | Interactive terminal (shows output) |
| --shm-size=1g | Required - Allocate 1GB shared memory for Chromium |
Volume Mounting
Mount directories to save results locally:
docker run --rm -it --shm-size=1g \
-v $(pwd)/results:/app/reports \
levoai/levoai-shadownet:stable \
scan https://example.com \
--output json \
--output-file /app/reports/scan-results.json
Results save to ./results/scan-results.json on your host.
Credentials Persistence
After running login (see Persistent login above), mount the same configstore directory on subsequent scans so the saved session is reused:
docker run --rm -it --shm-size=1g \
-v $HOME/.config/configstore:/home/levo/.config/configstore:rw \
levoai/levoai-shadownet:stable \
scan https://example.com --send-issues --env-id <env-id>
On rootless Podman, change the trailing :rw to :U (or :U,Z on SELinux hosts).
Common Configuration Scenarios
Scan with Form Authentication
docker run --rm -it --shm-size=1g \
levoai/levoai-shadownet:stable \
scan https://example.com \
--auth form \
--username "$USERNAME" \
--password "$PASSWORD" \
--login-url https://example.com/login
Scan with Bearer Token
docker run --rm -it --shm-size=1g \
levoai/levoai-shadownet:stable \
scan https://api.example.com \
--auth token \
--token "Bearer $(cat token.txt)"
Disable Specific Vulnerability Categories
Skip certain tests:
docker run --rm -it --shm-size=1g \
levoai/levoai-shadownet:stable \
scan https://example.com \
--disable-categories "XSS,CORS,CSRF"
Custom Injection Locations
Test only specific parameter types:
docker run --rm -it --shm-size=1g \
levoai/levoai-shadownet:stable \
scan https://example.com \
--inject-locations "query,body,header"
Domain Filtering
Limit crawling to specific domains:
docker run --rm -it --shm-size=1g \
levoai/levoai-shadownet:stable \
scan https://example.com \
--capture-domains "example.com,api.example.com" \
--exclude-domains "cdn.example.com,analytics.example.com"
Best Practices
- Never hardcode credentials - Use environment variables
- Use --shm-size=1g - Required for Chromium to work properly
- Mount volumes for results - Save outputs outside the container
- Set appropriate timeouts - Adjust --timeout for large apps (and the granular --crawl-timeout / --test-timeout / --probe-timeout flags if you need phase-level limits)
- Test locally first - Run a quick scan before scheduling production scans
Troubleshooting
"Chromium not found" or "Shared memory error"
Add --shm-size=1g flag:
docker run --rm -it --shm-size=1g ...
"Authorization failed"
Verify credentials:
echo $LEVOAI_AUTH_KEY
echo $LEVOAI_ORG_ID
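A preflight for the two credential paths described on this page (environment variables forwarded with the bare -e VAR form, and the saved session under configstore), added here as an example and not part of Levo's documentation or tooling. It confirms credentials are present without writing their values to the terminal; the function names are hypothetical, and treating group/other permission bits on the configstore directory as a finding is this example's assumption.

```shell
#!/bin/sh
# Added example: preflight checks for the credentials used on this page.
# No function here writes a secret value to the terminal.

# Print the name of each listed variable that is unset, empty, or not exported.
# printenv only sees exported variables, which is also all that the bare
# `-e VAR` form of docker run can forward. Returns 1 if any are missing.
missing_vars() {
  rc=0
  for name in "$@"; do
    if [ -z "$(printenv "$name")" ]; then
      echo "$name"
      rc=1
    fi
  done
  return "$rc"
}

# List paths under DIR that grant any permission bit to group or other.
# Uses only POSIX find predicates (-perm -mode means "all these bits set").
# Symlinks are skipped because their own mode bits are not meaningful.
loose_paths() {
  find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
                      -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# 0: DIR and everything in it is owner-only
# 1: something under DIR is accessible to group or other
# 2: DIR does not exist (no saved session on this host yet)
configstore_private() {
  [ -d "$1" ] || return 2
  [ -z "$(loose_paths "$1")" ]
}

# Environment-variable mode:
#   missing_vars LEVOAI_AUTH_KEY LEVOAI_ORG_ID LEVOAI_ENV_ID
# Persistent-login mode (host side of the -v mount):
#   configstore_private "$HOME/.config/configstore" || loose_paths "$HOME/.config/configstore"
```

A variable that is set in the shell but not exported is reported as missing, which matches what the container would see.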
"Connection refused"
Check:
- Target URL is reachable from your network
- No firewall blocking the connection
- Credentials are valid (for authenticated scans)
Results not saving to volume
Verify mount path:
docker run --rm -it --shm-size=1g \
-v $(pwd)/results:/app/reports \
levoai/levoai-shadownet:stable \
scan https://example.com \
--output json \
--output-file /app/reports/results.json
Check that /app/reports is writable in the container.
Next Steps
- Docker Quickstart - Complete Docker setup guide
- CLI Reference - Full command documentation
- levo-dast.yml - Commit scan config to version control
- CI/CD Integration - Automate in your pipeline
- Levo Dashboard - Report findings to dashboard