Configuration

Configure DAST Scanner using environment variables and command-line options.

Levo Platform Configuration

Before running scans that report to Levo, set your credentials:

docker run --rm -it \
  -e LEVOAI_BASE_URL=https://api.levo.ai \
  ghcr.io/levoai/levoai-shadownet:latest \
  login -k <your-auth-key> -o <your-org-id>

Or set credentials via environment variables for scripting:

export LEVOAI_AUTH_KEY=<your-auth-key>
export LEVOAI_ORG_ID=<your-org-id>

Get Your Credentials

Log in to Levo
Go to Settings → API Keys
Copy your Auth Key (refresh token)
Copy your Organization ID
Go to Environments and get your Environment ID

Environment Variables

Set these when running Docker to configure DAST Scanner:

Levo Platform

Variable	Required	Example	Description
`LEVOAI_AUTH_KEY`	No	Your refresh token	Authentication key for Levo
`LEVOAI_ORG_ID`	No	Your organization ID	Organization identifier
`LEVOAI_BASE_URL`	No	`https://api.levo.ai`	Levo API endpoint (default)

LLM Integration (AI Crawling)

Variable	Provider	Example	Description
`OPENAI_API_KEY`	OpenAI	`sk-...`	API key for GPT models
`ANTHROPIC_API_KEY`	Anthropic	`sk-ant-...`	API key for Claude models

Use one of these for AI-guided crawling:

docker run --rm -it --shm-size=1g \
  -e OPENAI_API_KEY=sk-... \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://example.com --crawl-mode ai

Network & Proxy

Variable	Purpose	Example
`HTTP_PROXY`	HTTP proxy	`http://proxy.example.com:8080`
`HTTPS_PROXY`	HTTPS proxy	`https://proxy.example.com:8443`
`NO_PROXY`	Proxy bypass list	`localhost,127.0.0.1`

export HTTPS_PROXY=http://proxy.example.com:8080
docker run --rm -it --shm-size=1g \
  -e HTTPS_PROXY \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://example.com

Docker Configuration

Required Flags

Always use these when running DAST Scanner:

docker run --rm -it --shm-size=1g \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan <target>

Flag	Purpose
`--rm`	Remove container after execution
`-it`	Interactive terminal (shows output)
`--shm-size=1g`	Required - Allocate 1GB shared memory for Chromium

Volume Mounting

Mount directories to save results locally:

docker run --rm -it --shm-size=1g \
  -v $(pwd)/results:/app/reports \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://example.com \
    --output json \
    --output-file /app/reports/scan-results.json

Results save to ./results/scan-results.json on your host.

Credentials Persistence

Mount a volume to persist Levo credentials:

mkdir -p ~/.levo

docker run --rm -it --shm-size=1g \
  -e LEVOAI_BASE_URL=https://api.levo.ai \
  -v ~/.levo:/home/dast/.config/configstore:rw \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://example.com --send-issues --env-id <env-id>

Common Configuration Scenarios

Scan with Form Authentication

docker run --rm -it --shm-size=1g \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://example.com \
    --auth form \
    --username $USERNAME \
    --password $PASSWORD \
    --login-url https://example.com/login

Scan with Bearer Token

docker run --rm -it --shm-size=1g \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://api.example.com \
    --auth token \
    --token "Bearer $(cat token.txt)"

Disable Specific Vulnerability Categories

Skip certain tests:

docker run --rm -it --shm-size=1g \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://example.com \
    --disable-categories "XSS,CORS,CSRF"

Custom Injection Locations

Test only specific parameter types:

docker run --rm -it --shm-size=1g \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://example.com \
    --inject-locations "query,body,header"

Domain Filtering

Limit crawling to specific domains:

docker run --rm -it --shm-size=1g \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://example.com \
    --capture-domains "example.com,api.example.com" \
    --exclude-domains "cdn.example.com,analytics.example.com"

Best Practices

Never hardcode credentials - Use environment variables
Use --shm-size=1g - Required for Chromium to work properly
Mount volumes for results - Save outputs outside the container
Set appropriate timeouts - Adjust --timeout-seconds for large apps
Test locally first - Run a quick scan before scheduling production scans

Troubleshooting

"Chromium not found" or "Shared memory error"

Add --shm-size=1g flag:

docker run --rm -it --shm-size=1g ...

"Authorization failed"

Verify credentials:

echo $LEVOAI_AUTH_KEY
echo $LEVOAI_ORG_ID

"Connection refused"

Check:

Target URL is reachable from your network
No firewall blocking the connection
Credentials are valid (for authenticated scans)

Results not saving to volume

Verify mount path:

docker run --rm -it --shm-size=1g \
  -v $(pwd)/results:/app/reports \
  ghcr.io/levoai/levoai-shadownet:latest \
  scan https://example.com \
    --output json \
    --output-file /app/reports/results.json

Check that /app/reports is writable in the container.

Next Steps

Docker Quickstart - Complete Docker setup guide
CLI Reference - Full command documentation
levo-dast.yml - Commit scan config to version control
CI/CD Integration - Automate in your pipeline
Levo Dashboard - Report findings to dashboard

Was this page helpful?

Levo Platform Configuration​

Login with Docker​

Get Your Credentials​

Environment Variables​

Levo Platform​

LLM Integration (AI Crawling)​

Network & Proxy​

Docker Configuration​

Required Flags​

Volume Mounting​

Credentials Persistence​

Common Configuration Scenarios​

Scan with Form Authentication​

Scan with Bearer Token​

Disable Specific Vulnerability Categories​

Custom Injection Locations​

Domain Filtering​

Best Practices​

Troubleshooting​

"Chromium not found" or "Shared memory error"​

"Authorization failed"​

"Connection refused"​

Results not saving to volume​

Next Steps​