Options File#
The options.yaml file defines your scan modules, targets, and operational parameters.
Structure#
global_variables:
target: 'https://example.com'
domain: 'example.com'
configuration:
online: enabled
network: public
scan_group: my-scan-group
team: users
engagements:
- My Engagement
modules:
nmap-scan:
module: nmap
target: '##TARGET##'
args:
- '-sV'
- '-T4'
timeout: 600
Global Variables#
Define variables once, reference them anywhere with ##VARNAME##:
Reference in modules (always UPPERCASE):
modules:
nmap-scan:
module: nmap
target: '##TARGET##' # Resolves to https://www.example.com
amass-enum:
module: amass
tld: '##DOMAIN##' # Resolves to example.com
Note
Variables are defined in lowercase but referenced in UPPERCASE.
Configuration Section#
configuration:
online: enabled # REQUIRED: enabled | disabled
network: public # REQUIRED: public | private-network-name
scan_group: my-group # OPTIONAL: Group scans for tracking
team: users # OPTIONAL: Team on multiuser license
engagements: # OPTIONAL: Link scans to engagements
- My Engagement Name
| Field | Required | Values | Description |
|---|---|---|---|
online |
Yes | enabled / disabled |
Online sends results to Hive; offline writes locally |
network |
Yes | public / name |
Name private networks to prevent IP collision |
scan_group |
No | string | Group scan modules together in Hive |
team |
No | string | Team identifier for multiuser licenses |
engagements |
No | list | Engagement names to link scans to |
Modules Section#
Each module defines a tool to run, its target, and arguments:
modules:
module-name: # Arbitrary name (your choice)
module: tool_name # REQUIRED: Must match a supported tool
target: 'value' # REQUIRED: Target specification (varies by tool)
args: # OPTIONAL: Tool-specific arguments
- '-flag'
- 'value'
timeout: 1800 # OPTIONAL: Timeout in seconds (default: 30 min)
parse_only: false # OPTIONAL: Parse existing output instead of scanning
filename: output.json # OPTIONAL: File to parse (with parse_only)
Target Types#
Different tools use different target parameter names:
| Parameter | Tools | Example |
|---|---|---|
target |
nmap, nikto, wapiti, gobuster, whatweb | https://example.com or 10.0.0.1 |
target_url |
nuclei, zap2 | https://example.com |
tld |
amass | example.com |
domain |
subfinder, dnsx, sublist3r | example.com |
Timeouts#
Configure per-tool timeouts (in seconds):
modules:
long-nmap-scan:
module: nmap
target: '10.0.0.0/16'
args: ['-sV', '-sC', '-A']
timeout: 7200 # 2 hours for large network scans
Default timeout is 1800 seconds (30 minutes). Maximum is 7200 seconds (2 hours).
Complete Example#
global_variables:
target: 'https://www.example.com'
domain: 'example.com'
ip: '203.0.113.50'
configuration:
online: enabled
network: public
scan_group: full-assessment
engagements:
- Q1 External Pentest
modules:
# Port scanning
nmap-service-enum:
module: nmap
target: '##IP##'
args: ['-sV', '-sC', '-T4', '-p-']
timeout: 3600
# Web fingerprinting
whatweb-fingerprint:
module: whatweb
target: '##TARGET##'
args: ['-a', '3']
# Vulnerability scanning
nuclei-full:
module: nuclei
target_url: '##TARGET##'
args: []
# Web application testing
zap-quickscan:
module: zap2
target_url: '##TARGET##'
quickscan: 'true'
# Subdomain enumeration
amass-passive:
module: amass
tld: '##DOMAIN##'
args: ['-passive']
subfinder-enum:
module: subfinder
domain: '##DOMAIN##'
# Directory brute-force
gobuster-dirs:
module: gobuster
target: '##TARGET##'
type: dir
args: ['-k']
# WAF detection
wafw00f-detect:
module: wafw00f
target: '##TARGET##'
# Secret scanning (static analysis)
gitleaks-scan:
module: gitleaks
target_dir: '/workspace'
args: ['--no-git']
# SAST
semgrep-scan:
module: semgrep
target_dir: '/workspace'
args: ['--config', 'auto']
Parse-Only Mode#
Run offline first, upload results later:
Step 1: Run offline
Step 2: Re-run in parse mode
configuration:
online: enabled
modules:
nmap-results:
module: nmap
target: www.example.com # Still required
parse_only: true
filename: aphids-nmap-output-0000000000.xml
This is useful for air-gapped environments or when you need to scan first and upload later.