Troubleshooting

Runtime issues when running DAST from the CLI, Docker, Kubernetes, or levo-dast.yml.

For dashboard-UI-specific problems (scan stuck on the list page, Logs tab empty, findings not appearing), see Dashboard troubleshooting.

Scan won't start

CLI: `shadownet scan` exits immediately

Error: LEVOAI_AUTH_KEY not set

Run shadownet login -k $AUTH_KEY -o $ORG_ID, or export LEVOAI_AUTH_KEY and LEVOAI_ORG_ID before running.
See Configuration → Levo Platform Configuration.

Authentication failures

Wrong Login URL — point at the page that hosts the form, not the form action.
App requires a CSRF token you haven't passed — add it as a Pre-Auth Cookie / Pre-Auth Header.
MFA or CAPTCHA is enforced — switch to AI-driven auth or disable MFA for the scan account.
Scan account is locked after repeated attempts — rotate the password.

401 on every request (token auth)

Token is expired or malformed.
Your API expects a prefix other than Bearer — include it in the token value (e.g., Token abc123).

403 on most requests

Token is valid but the scan account lacks permissions. Grant the account the same role as a normal user.

Docker

`permission denied` writing reports

Docker writes as UID 0 inside the container. Mount a world-writable output dir, or pass --user $(id -u):$(id -g):

docker run --rm --user $(id -u):$(id -g) \
  -v "$PWD:/work" -w /work \
  ghcr.io/levoai/levoai-shadownet:latest scan ...

`Could not resolve host`

DNS inside the container can't see your target. If the target is on a VPN or private network, run the Kubernetes worker on the same network.

YAML config errors

`unknown field 'scann' at top level`

Typo — the loader uses extra = "forbid". Fix the key (scan: in this case).

`value 'insane' is not a valid enum`

A field like scan.attack_strength accepts only its enum values (low, medium, high). See the schema reference.

`field 'password' is not allowed — use --password or SCAN_PASSWORD`

Secrets never live in levo-dast.yml. Move the value to a CLI flag or environment variable. Full list: secrets policy.

Network & proxy

Behind a corporate proxy, set HTTPS_PROXY / HTTP_PROXY in the environment (or the env: block of your Docker / Kubernetes runner).
To scan a target behind your firewall, use the Levo Satellite or the Kubernetes worker.

Performance

Scan runs for hours

Lower crawl.max_pages and crawl.max_depth.
Switch scan.depth from thorough to smart.
Disable cve.js / cve.dom unless you specifically need them.

Too many findings

Raise reporting.severity to medium or high.
Disable noisy categories under scan.active_testing_categories that don't apply to your stack.
Enable scan.tech_aware: true so tests for technologies you don't use are skipped.

Getting help

Include the scan ID (dashboard URL) or the run ID from the CLI log.
Attach the SARIF / JSON report if you have one.
Email support@levo.ai or open a chat from the dashboard.

Was this page helpful?

Scan won't start​

CLI: shadownet scan exits immediately​

Authentication failures​

Login fails (form auth)​

401 on every request (token auth)​

403 on most requests​

Docker​

permission denied writing reports​

Could not resolve host​

YAML config errors​

unknown field 'scann' at top level​

value 'insane' is not a valid enum​

field 'password' is not allowed — use --password or SCAN_PASSWORD​

Network & proxy​

Performance​

Scan runs for hours​

Too many findings​

Getting help​