Targeting

APHIDS supports multiple target specification methods depending on the scan type.


CLI Target Flags

When using runbooks, attack trees, or scan executions, specify targets via CLI flags:

# Full URL (web scanning)
aphids-cli -r RUNBOOK_ID --target-url https://example.com

# Host/IP/CIDR (network scanning)
aphids-cli -r RUNBOOK_ID --target-host 10.0.0.0/24

# Domain (subdomain enumeration)
aphids-cli -r RUNBOOK_ID --target-domain example.com

# Local directory (SAST, secret scanning)
aphids-cli -o options.yaml --target-dir ./my-project

Options File Targets

In options.yaml, targets are set per-module:

global_variables:
  target: 'https://example.com'
  domain: 'example.com'
  ip: '10.0.0.1'

modules:
  nmap-scan:
    module: nmap
    target: '##IP##'

  nuclei-scan:
    module: nuclei
    target_url: '##TARGET##'

  amass-enum:
    module: amass
    tld: '##DOMAIN##'

Target Parameters by Tool

| Parameter | Used By | Expects |
|---|---|---|
| target | nmap, masscan, nikto, wapiti, whatweb, gobuster, ffuf, feroxbuster, wafw00f, dalfox, commix, testssl, hydra, corscanner, checksec, binwalk | URL, IP, hostname |
| target_url | nuclei, zap2, katana, wfuzz, smuggler, paramspider | Full URL with protocol |
| tld | amass | Top-level domain |
| domain | subfinder, dnsx, sublist3r, getallurls | Domain name |
| target_dir | semgrep, bandit, gitleaks, trufflehog, safety, trivy, grype, dependency_check | Directory path |

Attack Tree Scope

When using attack trees, restrict scope with --attack-tree-scope:

aphids-cli -at TREE_ID \
  --target-domain example.com \
  --attack-tree-scope "example.com,*.example.com,10.0.0.0/24"

Supported scope formats:

  • IP address: 10.0.0.1
  • CIDR range: 10.0.0.0/24
  • Domain: example.com
  • Wildcard domain: *.example.com
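
A pre-flight scope check for a target list, covering the four formats above. This is an added example, not APHIDS's own matching code. The function names are hypothetical, and it assumes that `*.example.com` does not cover the apex `example.com`, which is why the command above lists both.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_scope(scope):
    """Split a comma-separated scope string into (networks, domains, wildcard suffixes)."""
    nets, domains, suffixes = [], set(), []
    for entry in (e.strip().lower() for e in scope.split(",")):
        if not entry:
            continue
        try:
            # A single IP becomes a /32 (or /128) network; CIDR is taken as given.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            if entry.startswith("*."):
                suffixes.append(entry[1:])        # "*.example.com" -> ".example.com"
            else:
                domains.add(entry.rstrip("."))
    return nets, domains, suffixes

def in_scope(target, scope):
    """Return True if a URL, hostname, IP or CIDR target lies entirely inside the scope."""
    nets, domains, suffixes = parse_scope(scope)
    target = target.strip()
    # For URLs, only the host part is compared against the scope.
    host = urlsplit(target).hostname if "://" in target else target
    host = (host or "").lower().rstrip(".")
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        # Hostname: exact match, or wildcard match on a label boundary.
        # Assumption: "*.example.com" does not cover the apex "example.com".
        return host in domains or any(
            host.endswith(s) and len(host) > len(s) for s in suffixes)
    # IP or CIDR target: the whole range must sit inside one scope network.
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

# Constructed sample data; the scope string is the one from the command above.
SCOPE = "example.com,*.example.com,10.0.0.0/24"
CANDIDATES = ["https://example.com", "https://shop.example.com:8443/login",
              "api.example.com", "notexample.com", "example.com.other.test",
              "10.0.0.57", "10.0.1.5", "10.0.0.0/25", "10.0.0.0/16"]

def out_of_scope(candidates, scope):
    """List the candidates that the scope string does not cover."""
    return [c for c in candidates if not in_scope(c, scope)]

if __name__ == "__main__":
    print("out of scope:", out_of_scope(CANDIDATES, SCOPE))
```

Running a check like this over a target list before launching a scan catches look-alike hostnames and ranges wider than the authorized scope.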

Static Analysis Targets

For SAST and secret scanning tools, mount a local directory:

# Via CLI flag
aphids-cli -o options.yaml --static-path /path/to/code

# In options.yaml
modules:
  semgrep-scan:
    module: semgrep
    target_dir: '/workspace'
    args: ['--config', 'auto']

The --static-path flag mounts the directory read-only at /workspace inside the container. Tools like Semgrep, Gitleaks, and TruffleHog operate on this mounted path.