Providing Authentication for Tests
Most API endpoints require some form of user/client authentication. Effective security testing requires providing valid authentication credentials to Levo's autogenerated Test Plans.
This information can be provided in a secure and structured manner via an environment.yml file.
How do I use the environment.yml file?
The environment.yml file is autogenerated per Test Plan, and needs to be completed with the appropriate authentication information prior to executing the Test Plan.
The completed file is provided as an argument to the CLI. The CLI uses the credentials to access the target APIs and evaluate their security posture.
Are my secrets sent to Levo SaaS?
The environment.yml file contains secrets and is never sent to, or stored in, Levo SaaS. This file is solely consumed by the CLI, and Levo SaaS does not have access to your secrets.
Please treat this file securely, and take all precautions necessary for handling secrets.
What is the structure of this autogenerated file?
This section covers authentication for standard security tests. For test plans that include Horizontal Authorization Abuse and Vertical Authorization Abuse test cases, please refer to the Providing Authorization Info section.
If the API endpoints you are testing have no role/scope information (used for granular authorization), and/or are not susceptible to Horizontal Authorization Abuse, then the autogenerated file will have the structure below.
# Environment file that contains users, roles and their Authentication
# mechanisms that will be used by the API endpoints.
iam:
  users:
    - name: user_1
      default: true # This user's credentials will be used to access all API endpoints requiring AuthN
      bearer_tokens:
        - name: bearerAuth
          value: <Enter the bearer token>
The default authentication mechanism used by Levo is Bearer Authentication. You are required to provide valid bearer tokens for the user above (user_1).
The default: true setting for user_1 specifies that this user's credentials will be used to access all API endpoints that require authentication.
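Because the file holds live credentials and the CLI simply uses whatever is in it, it is worth checking the completed file before each run: that the placeholder has actually been replaced, that exactly one user is marked default, and that the file is not readable by other accounts on the host. The script below is an added example written for this page, not Levo's own code; it assumes only the structure shown above (iam.users[].default and bearer_tokens[].value) and treats any value still beginning with "<Enter" as the unfilled autogenerated placeholder. PyYAML is imported only inside load_env(), so the checks themselves run on an already-parsed dict without it.

```python
"""Pre-flight checks for a Levo-style environment.yml (added example, not Levo code).

Assumes the structure shown on the page: iam.users[] with a boolean
`default` and a bearer_tokens[] list of {name, value}. The string
"<Enter" is assumed to mark an untouched autogenerated placeholder.
"""
import os
import stat

PLACEHOLDER_PREFIX = "<Enter"


def load_env(path):
    """Parse environment.yml from disk (requires PyYAML; deferred import)."""
    import yaml  # only needed when reading a real file
    with open(path, "r", encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def file_permission_problems(path):
    """Flag a secrets file that group or other users can read or write."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        return ["%s is readable/writable by group or others" % path]
    return []


def validate_env(env):
    """Return a list of human-readable problems; an empty list means the file is usable."""
    problems = []
    users = ((env or {}).get("iam") or {}).get("users") or []
    if not users:
        return ["no users defined under iam.users"]

    defaults = [u for u in users if u.get("default") is True]
    if len(defaults) != 1:
        problems.append("expected exactly one default user, found %d" % len(defaults))

    for user in users:
        name = user.get("name", "<unnamed>")
        tokens = user.get("bearer_tokens") or []
        if not tokens:
            problems.append("user %s has no bearer_tokens" % name)
        for tok in tokens:
            value = tok.get("value")
            if not isinstance(value, str) or not value.strip():
                problems.append("user %s: token %s is empty" % (name, tok.get("name")))
            elif value.lstrip().startswith(PLACEHOLDER_PREFIX):
                problems.append("user %s: token %s still holds the placeholder" % (name, tok.get("name")))
    return problems


def default_auth_header(env):
    """Build the Authorization header the default user's first bearer token produces."""
    users = env["iam"]["users"]
    user = next(u for u in users if u.get("default") is True)
    token = user["bearer_tokens"][0]["value"]
    return {"Authorization": "Bearer " + token}


def redact(token):
    """Keep only a short suffix so a token can appear in logs without leaking it."""
    return "***" + token[-4:] if len(token) > 4 else "***"


# Constructed samples: one filled in with a fake token, one left as autogenerated.
SAMPLE_ENV = {
    "iam": {"users": [{"name": "user_1", "default": True,
                       "bearer_tokens": [{"name": "bearerAuth", "value": "eyJhbGciOi.example.token"}]}]}
}
UNFILLED_ENV = {
    "iam": {"users": [{"name": "user_1", "default": True,
                       "bearer_tokens": [{"name": "bearerAuth", "value": "<Enter the bearer token>"}]}]}
}

if __name__ == "__main__":
    print("filled  :", validate_env(SAMPLE_ENV), redact(default_auth_header(SAMPLE_ENV)["Authorization"]))
    print("unfilled:", validate_env(UNFILLED_ENV))
```

In practice you would call load_env("environment.yml") and run both validate_env and file_permission_problems on the result before invoking the CLI, and use redact() rather than the raw token anywhere the check writes output.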
Does Levo support other authentication methods?
The next section describes support for various standard and custom authentication methods.