Configuration options

Artemis can be configured by setting the following variables in the .env file (in the form of VARIABLE_NAME=VARIABLE_VALUE directives, e.g. SCANNING_PACKETS_PER_SECOND=5):

Data

Autoarchiver

AUTOARCHIVER_INTERVAL_SECONDS

Default: 3600

How frequently the archive process is triggered (in seconds)

AUTOARCHIVER_MIN_AGE_SECONDS_INTERESTING

Default: 15552000

How old the task results need to be to be archived (in seconds) for tasks that have status=INTERESTING

AUTOARCHIVER_MIN_AGE_SECONDS_NOT_INTERESTING

Default: 2592000

How old the task results need to be to be archived (in seconds) for tasks that don’t have status=INTERESTING

AUTOARCHIVER_OUTPUT_PATH

Default: /opt/archived-task-results/

Where the archived task results will be saved (remember that this is a path inside the container).

AUTOARCHIVER_PACK_SIZE

Default: 2000

How many task results will go into a single .json.gz archive. If there are not that many old task results, archiving will not be performed.

AUTOARCHIVER_TAG_ARCHIVE_MIN_AGE_SECONDS

Default: 0

The minimum age (in seconds) of a tag archive request for it to be handled.

LEGACY_MONGODB_CONN_STR

Connection string to the MongoDB database. MongoDB is not used anymore - it is present here to seamlessly migrate data from older Artemis versions to PostgreSQL.

POSTGRES_CONN_STR

Connection string to the PostgreSQL database.

REDIS_CONN_STR

Connection string to Redis.

SAVE_LOGS_IN_DATABASE

Default: True

Whether Artemis should save task logs in the database to be viewed in the UI. Turn it off to save space in the database.

Limits

REQUESTS_PER_SECOND

Default: 0

E.g. when set to 2, Artemis will make sure no more than 2 HTTP/MySQL connect/… requests take place per second, sleeping if needed.

REQUEST_TIMEOUT_SECONDS

Default: 5

Default request timeout (for all protocols).

SCAN_SPEED_OVERRIDES_FILE

Default:

A JSON file with a dictionary mapping from IP to scan speed - use if you want to slow down scanning of particular hosts.

TASK_TIMEOUT_SECONDS

Default: 86400

What is the maximum task run time (after which it will get killed).

Locking

LOCK_SCANNED_TARGETS

Default: False

Whether Artemis should strive to make at most one module scan a target at a given time. Therefore, when locking is enabled, setting e.g. REQUESTS_PER_SECOND to 2 will ensure that no IP receives more than 2 port scanning packets/HTTP requests/MySQL connections/… per second. Due to the way this behavior is implemented, we cannot guarantee that a host will never be scanned by more than one module.

LOCK_SLEEP_MAX_SECONDS

Default: 0.5

See LOCK_SLEEP_MIN_SECONDS.

LOCK_SLEEP_MIN_SECONDS

Default: 0.1

Requires LOCK_SCANNED_TARGETS to be enabled. When a resource is locked using artemis.resource_lock.ResourceLock, a retry will be performed in the next LOCK_SLEEP_MIN_SECONDS..LOCK_SLEEP_MAX_SECONDS seconds.

QUEUE_LOCATION_MAX_AGE_SECONDS

Default: 900

Requires LOCK_SCANNED_TARGETS to be enabled. Sometimes the task queue is very long and e.g. the first N tasks can’t be taken because they concern IPs that are already scanned. To make scanning faster, Artemis remembers the position in the task queue for the next QUEUE_LOCATION_MAX_AGE_SECONDS in order not to repeat trying to lock the first tasks in the queue.

SCAN_DESTINATION_LOCK_MAX_TRIES

Default: 2

Requires LOCK_SCANNED_TARGETS to be enabled. Number of times a module will try to get a lock on the scanned destination (with sleeps in between) before rescheduling the task for later.
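
The dependencies between the Limits and Locking options above can be checked before a deployment. The following Python code is an added example, not Artemis code: it parses a .env file and reports locking options set while LOCK_SCANNED_TARGETS is off, an inverted retry window, and a REQUESTS_PER_SECOND value set without locking. The function names, the handling of `#` comment lines and the True/False spelling of booleans are assumptions; the sample file is constructed.

```python
# Added example, not Artemis code: consistency check for the Limits and
# Locking options of an Artemis .env file.

# Defaults as documented on this page.
DEFAULTS = {
    "REQUESTS_PER_SECOND": "0",
    "LOCK_SCANNED_TARGETS": "False",
    "LOCK_SLEEP_MIN_SECONDS": "0.1",
    "LOCK_SLEEP_MAX_SECONDS": "0.5",
}

# Options documented as requiring LOCK_SCANNED_TARGETS
# (LOCK_SLEEP_MAX_SECONDS refers to LOCK_SLEEP_MIN_SECONDS).
LOCK_DEPENDENT = (
    "LOCK_SLEEP_MIN_SECONDS",
    "LOCK_SLEEP_MAX_SECONDS",
    "QUEUE_LOCATION_MAX_AGE_SECONDS",
    "SCAN_DESTINATION_LOCK_MAX_TRIES",
)

# Constructed sample input, not a recommended configuration.
SAMPLE_ENV = """\
# constructed sample
REQUESTS_PER_SECOND=2
LOCK_SCANNED_TARGETS=False
LOCK_SLEEP_MIN_SECONDS=1
LOCK_SLEEP_MAX_SECONDS=0.5
SCAN_DESTINATION_LOCK_MAX_TRIES=3
"""


def parse_env(text):
    """Parse VARIABLE_NAME=VARIABLE_VALUE directives into a dict.

    Assumption: blank lines and lines starting with '#' are ignored.
    """
    values = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"line {lineno}: expected VARIABLE_NAME=VARIABLE_VALUE")
        values[name] = value.strip()
    return values


def as_bool(name, value):
    """Assumption: booleans are spelled like the documented defaults."""
    lowered = value.lower()
    if lowered in ("true", "false"):
        return lowered == "true"
    raise ValueError(f"{name}: expected True or False, got {value!r}")


def check_limits_and_locking(env):
    """Return (option, message) findings for a parsed .env dict."""
    cfg = {**DEFAULTS, **env}
    locking = as_bool("LOCK_SCANNED_TARGETS", cfg["LOCK_SCANNED_TARGETS"])
    rps = float(cfg["REQUESTS_PER_SECOND"])
    sleep_min = float(cfg["LOCK_SLEEP_MIN_SECONDS"])
    sleep_max = float(cfg["LOCK_SLEEP_MAX_SECONDS"])
    findings = []

    if rps < 0:
        findings.append(("REQUESTS_PER_SECOND", "must not be negative"))
    # A retry happens in the next MIN..MAX seconds, so MIN must not exceed MAX.
    if sleep_min < 0 or sleep_min > sleep_max:
        findings.append(("LOCK_SLEEP_MIN_SECONDS",
                         f"retry window {sleep_min}..{sleep_max} s is not a valid range"))
    if not locking:
        if rps > 0:
            findings.append(("REQUESTS_PER_SECOND",
                             "the per-IP limit is documented only with "
                             "LOCK_SCANNED_TARGETS enabled"))
        for name in LOCK_DEPENDENT:
            if name in env:
                findings.append((name, "requires LOCK_SCANNED_TARGETS to be enabled"))
    return findings


if __name__ == "__main__":
    for option, message in check_limits_and_locking(parse_env(SAMPLE_ENV)):
        print(f"{option}: {message}")
```
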

Miscellaneous

ADDITIONAL_HOSTS_FILE_PATH

Default:

File that will be appended to /etc/hosts

API_TOKEN

Default: None

The token to authenticate to the API. Provide one to use the API.

BLOCKLIST_FILE

Default: None

A file that determines what should not be scanned or reported

CLEANUP_RAISE_ERROR_ON_NON_UNFINISHED_ANALYSES

Default: False

Raise an error if the cleanup task did not find unfinished analyses.

CONTENT_PREFIX_SIZE

Default: 102400

In order not to overload the DB and bandwidth, this determines the maximum length of the downloaded content (in bytes).

CUSTOM_USER_AGENT

Default:

Custom User-Agent string used by Artemis (if not set, the library defaults will be used, different for requests, Nuclei etc.)

DEFAULT_MODULE_NUM_RETRIES

Default: 1

The number of times a module will be executed in an attempt to obtain a non-error status.

FRONTEND_PASSWORD

Default:

Password used to log in to the Artemis web interface.

FRONTEND_USERNAME

Default:

Username used to log in to the Artemis web interface.

LOGGING_FORMAT_STRING

Default: %(processName)s | [%(levelname)s] - [%(asctime)s] %(filename)s - in %(funcName)s() (line %(lineno)d): %(message)s

Logging format string (according to the syntax in https://docs.python.org/3/library/logging.html#logrecord-attributes)

LOG_LEVEL

Default: INFO

Log level (e.g. INFO or DEBUG) - for available levels browse to https://docs.python.org/3/library/logging.html#logging-levels

MAX_MODULE_TASK_PROCESSING_TIME__SECONDS

Default: 933120000

After this much running time (in seconds), each scanning module will be restarted. This is to prevent situations such as slow memory leaks.

MAX_URLS_TO_SCAN

Default: 25

Maximum number of URLs to scan per target for modules that crawl, such as lfi_detector, Nuclei, sql_injection_detector, etc.

MODULES_DISABLED_BY_DEFAULT

Default: admin_panel_login_bruter,api_scanner,dangling_dns_detector,example,humble,leak_scanner,ssh_bruter,xss_scanner

Artemis modules that are disabled by default (but may easily be enabled in the UI)

NUM_DNS_RESOLVER_RETRIES

Default: 3

Number of times a DNS query will be retried if it fails. This helps reduce the number of e.g. mail-related false positives, where a failed DNS query may result in a “no DMARC” message.

PASSWORD_BRUTER_ADDITIONAL_PASSWORDS

Default:

Additional passwords (besides the top10 ones) to be used in brute forcing.

REMOVE_LOGS_AFTER_DAYS

Default: 30

Number of days after which the logs in karton-logs are removed.

SLOW_MODULE_NUM_RETRIES

Default: 1

The number of times a module will be executed in an attempt to obtain a non-error status for a module that tends to run for a long time.

STOP_SCANNING_MODULES_IF_FREE_DISK_SPACE_LOWER_THAN_MB

Default: 1000

If free disk space on / becomes lower than this value, scanning will stop so that we don’t end up being unable to save the results.

STRIPPED_PREFIXES

Default: www

Some password bruters extract the site name to brute-force passwords. For example, if a bruter observes projectname.example.com, it will brute-force projectname123, projectname2023, … This list describes what domain prefixes to strip (e.g. www) so that we brute-force projectname123, not www123, when testing www.projectname.example.com.

SUBDOMAIN_ENUMERATION_TTL_DAYS

Default: 10

If we request a domain for subdomain enumeration, we will save that it has already been enumerated, so that e.g. if we requested crtsh enumeration on example.com and received www.example.com, crtsh enumeration on www.example.com won’t happen in SUBDOMAIN_ENUMERATION_TTL_DAYS days. This is the TTL of such markers.

VERIFY_REVDNS_IN_SCOPE

Default: True

By default, Artemis will check whether the reverse DNS lookup for an IP matches the original domain. For example, if we encounter the IP 1.1.1.1, which resolves to new.example.com, Artemis will check whether it is a subdomain of the original task domain. This is to prevent Artemis from randomly walking through the internet after encountering a misconfigured reverse DNS record (e.g. pointing to a completely different domain). The downside is that when you don’t provide an original domain (e.g. you provide an IP to be scanned), the domain from the reverse DNS lookup won’t be scanned. Therefore this behavior is configurable and may be turned off.
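
The scope decision described for VERIFY_REVDNS_IN_SCOPE, as an added Python example (not Artemis's own code). It compares whole DNS labels so that a look-alike suffix such as notexample.com is not accepted for example.com. The function names are hypothetical, treating the task domain itself as in scope is an assumption, and the PTR names are constructed.

```python
# Added example, not Artemis code: decide whether a name returned by a
# reverse DNS lookup belongs to the original task domain.

# Constructed PTR lookup results for one scan.
SAMPLE_PTR_NAMES = [
    "new.example.com",
    "MAIL.Example.COM.",        # case and trailing root dot must not matter
    "host.notexample.com",      # shares a string suffix, but not a DNS label
    "example.com.cdn.test",     # task domain appears on the left only
]


def _labels(name):
    """Lower-cased DNS labels of a hostname, ignoring a trailing root dot."""
    return name.strip().lower().rstrip(".").split(".")


def revdns_in_scope(revdns_name, original_domain, verify=True):
    """Return True if the reverse DNS name should be scanned.

    original_domain is None when the task was started from a bare IP.
    verify mirrors VERIFY_REVDNS_IN_SCOPE.
    """
    if not verify:
        return True      # check turned off: every reverse DNS name is accepted
    if not original_domain:
        return False     # IP-only task: there is no domain to compare against
    found = _labels(revdns_name)
    scope = _labels(original_domain)
    if "" in found or "" in scope:
        return False     # malformed name with an empty label
    # Compare whole labels from the right. A plain string suffix test would
    # wrongly accept "host.notexample.com" for "example.com".
    # Assumption: the task domain itself counts as in scope.
    return len(found) >= len(scope) and found[-len(scope):] == scope


def names_to_scan(ptr_names, original_domain, verify=True):
    """Filter reverse DNS results down to the names that stay in scope."""
    return [n for n in ptr_names if revdns_in_scope(n, original_domain, verify)]


if __name__ == "__main__":
    print(names_to_scan(SAMPLE_PTR_NAMES, "example.com"))
    print(names_to_scan(SAMPLE_PTR_NAMES, None))
    print(names_to_scan(SAMPLE_PTR_NAMES, None, verify=False))
```
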

Modules

APIScanner

API_SPEC_MAX_SIZE

Default: 5242880

Maximum size in bytes for downloading OpenAPI/Swagger specification files. The default CONTENT_PREFIX_SIZE (100KB) is too small for most real-world API specs.

ONLY_GET_REQUESTS

Default: True

If set to True, the API scanner will only use GET requests to scan. If set to False, a more intrusive scan can be carried out (using other HTTP methods like POST).

AdminPanelLoginBruter

ADMIN_PANEL_LOGIN_BRUTER_MAX_RECHECKS_PER_PATH

Default: 10

Maximum number of maybe-working credential pairs that we will recheck per path. This is to prevent too much time spent on rechecking in case of a large number of false positives.

ADMIN_PANEL_LOGIN_BRUTER_NUM_RECHECKS

Default: 10

How many times to recheck whether the good password works, and the bad doesn’t

Bruter

BRUTER_FALSE_POSITIVE_THRESHOLD

Default: 0.1

A threshold in case bruter finds too many files on a server and we want to skip this as a false positive. 0.1 means 10%.

BRUTER_FILE_LIST

Default: short

Possible values: ‘full’ or ‘short’. Whether a short or full file list will be used to brute-force paths.

BRUTER_FOLLOW_REDIRECTS

Default: True

If set to True, bruter will follow redirects. If set to False, a redirect will be interpreted as meaning that the URL doesn’t exist, thus decreasing the number of false positives at the cost of losing some true positives.

Crawling

CRAWL_CACHE_TTL_SECONDS

Default: 86400

Redis TTL for a successful crawl result.

KATANA_CONCURRENCY

Default: 10

Katana internal concurrency (-c).

KATANA_DEPTH

Default: 2

Crawl depth passed to Katana (-d).

KATANA_MAX_URLS

Default: 50

Hard cap on URLs collected by Katana per target (passed as -mdp).

KATANA_TIMEOUT_CACHE_TTL_SECONDS

Default: 3600

Redis TTL when a crawl timed out and we are caching partial output. Shorter than full TTL so we retry sooner.

KATANA_TIMEOUT_SECONDS

Default: 180

Subprocess-level timeout for the Katana run, separate from TASK_TIMEOUT_SECONDS. On timeout, partial output is parsed and cached with KATANA_TIMEOUT_CACHE_TTL_SECONDS.

DNSScanner

ZONE_TRANSFER_SIZE_REPORTING_THRESHOLD

Default: 2

The number of domains below which zone transfer won’t be reported.

DanglingDnsDetector

DANGLING_DNS_DELAY_STEP

Default: 600

Incremental step for retries, in seconds.

DANGLING_DNS_KNOWN_DNS_ZONE_RECORDS_TO_SKIP

Default: lync.com,microsoft.com,google.com

The list of known DNS zone records to skip. In case of those zone names we are sure that they are not claimable.

DANGLING_DNS_MAX_DELAY_RETRY

Default: 3600

Maximum delay (in seconds) between retries.

DANGLING_DNS_NUMBER_OF_RETRIES_FOR_IP

Default: 20

Number of retries for dangling IP records.

DANGLING_DNS_SKIP_ROOT_DOMAIN

Default: False

If set to True, detector will not perform checks against the root domain.

DomainExpirationScanner

DOMAIN_EXPIRATION_TIMEFRAME_DAYS

Default: 30

The scanner warns if the domain’s expiration date falls within this time frame from now.

FTPBruter

FTP_BRUTER_TEST_FILE_NAME_PREFIX

Default: test-

The prefix that will be added to the name of the file the module will attempt to create (to check whether writing is possible).

Humble

HUMBLE_HEADERS_TO_REPORT

Default: Content-Security-Policy,Strict-Transport-Security,X-Content-Type-Options

The list of headers that are considered more important and will be mentioned in the generated text reports (all of the missing headers will be visible in the UI).

LFIDetector

LFI_MINIMAL_PARAMS_MAX_LEN

Default: 5

Maximum number of parameters kept after LFI parameter minimization.

LFI_STOP_ON_FIRST_MATCH

Default: True

Whether to display only the first LFI and stop scanning.

Nuclei

NUCLEI_ADDITIONAL_TEMPLATES

Default: http/exposures/configs/phpinfo-files.yaml,http/exposures/configs/dompdf-config.yaml,http/exposures/configs/ftp-credentials-exposure.yaml,http/exposures/configs/prometheus-metrics.yaml,http/exposures/files/core-dump.yaml,http/exposures/files/ds-store-file.yaml,http/exposures/logs/roundcube-log-disclosure.yaml,network/detection/rtsp-detect.yaml,http/miscellaneous/defaced-website-detect.yaml,http/misconfiguration/directory-listing-no-host-header.yaml,http/misconfiguration/django-debug-detect.yaml,http/misconfiguration/mixed-active-content.yaml,http/misconfiguration/mysql-history.yaml,http/misconfiguration/elasticsearch.yaml,http/misconfiguration/proxy/open-proxy-external.yaml,http/misconfiguration/server-status-localhost.yaml,http/misconfiguration/server-status.yaml,http/misconfiguration/shell-history.yaml,http/misconfiguration/springboot/springboot-auditevents.yaml,http/misconfiguration/springboot/springboot-dump.yaml,http/misconfiguration/springboot/springboot-env.yaml,http/misconfiguration/springboot/springboot-httptrace.yaml,http/misconfiguration/springboot/springboot-logfile.yaml,http/misconfiguration/springboot/springboot-threaddump.yaml,http/misconfiguration/springboot/springboot-trace.yaml,http/vulnerabilities/generic/basic-xss-prober.yaml,http/vulnerabilities/generic/xss-fuzz.yaml

A comma-separated list of Nuclei templates to be used besides the standard list. vulnerabilities/generic/crlf-injection.yaml was present here but is not anymore due to a significant number of false positives.

NUCLEI_CHECK_TEMPLATE_LIST

Default: True

Whether to check that the downloaded Nuclei template list is not empty (may fail e.g. on Github CI when the Github API rate limits are spent).

NUCLEI_CHUNK_SIZE

Default: 200

Size of the chunks the template/workflow list is split into. E.g. if the template list contains 600 templates and NUCLEI_CHUNK_SIZE is 200, three calls will be made with 200 templates each.

NUCLEI_INTERACTSH_SERVER

Default: None

Which interactsh server to use. If None, the default is used.

NUCLEI_MAX_BATCH_SIZE

Default: 10

How many sites to scan at once. This is the maximum batch size - we will try to obtain NUCLEI_MAX_BATCH_SIZE sites to scan from the queue, but if per-IP locking is enabled, then we will filter ones that are already scanned by other modules.

NUCLEI_MAX_NUM_LINKS_TO_PROCESS

Default: 20

Maximum number of links to be checked with the templates provided in NUCLEI_TEMPLATES_TO_RUN_ON_HOMEPAGE_LINKS (if more are seen, random NUCLEI_MAX_NUM_LINKS_TO_PROCESS are chosen).

NUCLEI_MAX_SECONDS_PER_REQUEST_ON_RETRY

Default: 2.0

Set to a positive value to enable. When retrying due to ‘context deadline exceeded’, each request will take min(max(2 * SECONDS_PER_REQUEST, NUCLEI_SECONDS_PER_REQUEST_ON_RETRY), NUCLEI_MAX_SECONDS_PER_REQUEST_ON_RETRY) if enabled.

NUCLEI_SECONDS_PER_REQUEST_ON_RETRY

Default: 0.1

When retrying due to ‘context deadline exceeded’, each request will take at least max(2 * SECONDS_PER_REQUEST, NUCLEI_SECONDS_PER_REQUEST_ON_RETRY). See the NUCLEI_MAX_SECONDS_PER_REQUEST_ON_RETRY option to set a limit.

NUCLEI_SEVERITY_THRESHOLD

Default: high_and_above

The minimum severity level to include when scanning. Options: CRITICAL_ONLY (only critical findings), HIGH_AND_ABOVE (critical and high), MEDIUM_AND_ABOVE (critical, high, and medium), LOW_AND_ABOVE (critical, high, medium, and low), ALL (all severity levels including info and unknown).

NUCLEI_SUSPICIOUS_TEMPLATES

Default: custom:xss-inside-tag-top-params,custom:error-based-sql-injection,http/miscellaneous/defaced-website-detect.yaml,http/misconfiguration/google/insecure-firebase-database.yaml,custom:CVE-2024-4836,custom:CVE-2024-35286,http/cnvd/2020/CNVD-2020-23735.yaml,http/vulnerabilities/other/ecshop-sqli.yaml,group:sql-injection,custom:CVE-2019-18935,http/cves/2005/CVE-2005-4385.yaml,http/cves/2007/CVE-2007-0885.yaml,http/cves/2008/CVE-2008-2398.yaml,http/cves/2009/CVE-2009-1872.yaml,http/cves/2010/CVE-2010-2307.yaml,http/cves/2010/CVE-2010-4231.yaml,http/cves/2011/CVE-2011-5106.yaml,http/cves/2012/CVE-2012-4547.yaml,http/cves/2012/CVE-2012-4889.yaml,http/cves/2014/CVE-2014-2908.yaml,http/cves/2014/CVE-2014-9444.yaml,http/cves/2015/CVE-2015-3035.yaml,http/cves/2015/CVE-2015-5354.yaml,http/cves/2018/CVE-2018-6184.yaml,http/cves/2015/CVE-2015-8349.yaml,http/cves/2016/CVE-2016-7981.yaml,http/cves/2016/CVE-2016-8527.yaml,http/cves/2017/CVE-2017-12794.yaml,http/cves/2018/CVE-2018-8006.yaml,http/cves/2018/CVE-2018-10956.yaml,http/cves/2018/CVE-2018-11709.yaml,http/cves/2018/CVE-2018-12095.yaml,http/cves/2018/CVE-2018-12998.yaml,http/cves/2018/CVE-2018-13380.yaml,http/cves/2018/CVE-2018-14013.yaml,http/cves/2018/CVE-2018-16836.yaml,http/cves/2018/CVE-2018-18570.yaml,http/cves/2019/CVE-2019-10098.yaml,http/cves/2019/CVE-2019-18922.yaml,http/cves/2019/CVE-2019-3911.yaml,http/cves/2019/CVE-2019-7219.yaml,http/cves/2019/CVE-2019-7315.yaml,http/cves/2019/CVE-2019-7543.yaml,http/cves/2019/CVE-2019-10475.yaml,http/cves/2019/CVE-2019-11510.yaml,http/cves/2019/CVE-2019-12461.yaml,http/cves/2019/CVE-2019-13392.yaml,http/cves/2020/CVE-2020-1943.yaml,http/cves/2020/CVE-2020-2140.yaml,http/cves/2020/CVE-2020-6171.yaml,http/cves/2020/CVE-2020-15500.yaml,http/cves/2020/CVE-2020-19282.yaml,http/cves/2020/CVE-2020-19283.yaml,http/cves/2020/CVE-2020-27982.yaml,http/cves/2020/CVE-2020-35774.yaml,http/cves/2020/CVE-2020-35848.yaml,http/cves/2021/CVE-2021-3654.yaml,http/cves/2021/CVE-2021-24288.yaml,http/cves/2021/CVE-2021-24389.yaml,http/cves/2021/CVE-2021-24838.yaml,http/cves/2021/CVE-2021-26702.yaml,http/cves/2021/CVE-2021-26710.yaml,http/cves/2021/CVE-2021-26723.yaml,http/cves/2021/CVE-2021-29625.yaml,http/cves/2021/CVE-2021-30049.yaml,http/cves/2021/CVE-2021-30213.yaml,http/cves/2021/CVE-2021-31250.yaml,http/cves/2021/CVE-2021-38702.yaml,http/cves/2021/CVE-2021-40868.yaml,http/cves/2021/CVE-2021-40960.yaml,http/cves/2021/CVE-2021-40978.yaml,http/cves/2021/CVE-2021-41467.yaml,http/cves/2021/CVE-2021-41773.yaml,http/cves/2021/CVE-2021-42565.yaml,http/cves/2021/CVE-2021-42566.yaml,http/cves/2021/CVE-2021-43831.yaml,http/cves/2021/CVE-2021-45380.yaml,http/cves/2023/CVE-2023-35161.yaml,http/cves/2023/CVE-2023-39650.yaml,http/cves/2023/CVE-2023-43373.yaml,http/cves/2023/CVE-2023-43374.yaml,http/cves/2023/CVE-2023-47684.yaml,http/cves/2015/CVE-2015-4074.yaml,http/iot/targa-camera-lfi.yaml,http/vulnerabilities/ibm/eclipse-help-system-xss.yaml,http/vulnerabilities/ibm/ibm-infoprint-lfi.yaml,http/vulnerabilities/other/bullwark-momentum-lfi.yaml,http/vulnerabilities/other/discourse-xss.yaml,http/vulnerabilities/ibm/eclipse-help-system-xss.yaml,http/vulnerabilities/other/global-domains-xss.yaml,http/vulnerabilities/other/homeautomation-v3-openredirect.yaml,http/vulnerabilities/other/magicflow-lfi.yaml,http/vulnerabilities/other/java-melody-xss.yaml,http/vulnerabilities/moodle/moodle-filter-jmol-xss.yaml,http/vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml,http/vulnerabilities/other/parentlink-xss.yaml,http/vulnerabilities/other/processmaker-lfi.yaml,http/vulnerabilities/other/sick-beard-xss.yaml,http/vulnerabilities/squirrelmail/squirrelmail-add-xss.yaml,http/vulnerabilities/other/gsoap-lfi.yaml,http/vulnerabilities/other/turbocrm-xss.yaml,http/vulnerabilities/other/wems-manager-xss.yaml,http/vulnerabilities/wordpress/wp-touch-redirect.yaml,http/fuzzing/iis-shortname.yaml

A comma-separated list of Nuclei templates to be reviewed manually if found as they are known to return false positives.

NUCLEI_TEMPLATES_TO_RUN_ON_HOMEPAGE_LINKS

Default: http/fuzzing/linux-lfi-fuzzing.yaml,http/vulnerabilities/generic/top-xss-params.yaml,http/vulnerabilities/generic/xss-fuzz.yaml,http/vulnerabilities/generic/basic-xss-prober.yaml,http/vulnerabilities/generic/error-based-sql-injection.yaml,/opt/artemis/modules/data/nuclei_templates_custom/error-based-sql-injection.yaml,dast/vulnerabilities/sqli/sqli-error-based.yaml,dast/vulnerabilities/redirect/open-redirect-bypass.yaml,dast/vulnerabilities/cmdi/blind-oast-polyglots.yaml,dast/vulnerabilities/cmdi/ruby-open-rce.yaml,dast/vulnerabilities/lfi/lfi-keyed.yaml,dast/vulnerabilities/redirect/open-redirect.yaml,dast/vulnerabilities/ssrf/response-ssrf.yaml,dast/vulnerabilities/ssti/reflection-ssti.yaml,dast/vulnerabilities/lfi/linux-lfi-fuzz.yaml,dast/vulnerabilities/crlf/crlf-injection.yaml,dast/vulnerabilities/cmdi/python-code-injection.yaml,dast/vulnerabilities/xss/reflected-xss.yaml,dast/vulnerabilities/redirect/open-redirect-bypass.yaml,dast/vulnerabilities/redirect/open-redirect.yaml

Normally, Nuclei templates are run only on the root URL. These templates will also run on all URLs linked from the root URL to detect vulnerabilities on non-root pages.

NUCLEI_TEMPLATES_TO_SKIP

Default: http/exposures/configs/exposed-svn.yaml,http/exposures/configs/git-config.yaml,http/exposures/files/svn-wc-db.yaml,http/exposures/configs/configuration-listing.yaml,http/misconfiguration/sound4-directory-listing.yaml,dns/azure-takeover-detection.yaml,dns/elasticbeantalk-takeover.yaml,http/cves/2021/CVE-2021-43798.yaml,http/exposed-panels/pagespeed-global-admin.yaml,http/cves/2021/CVE-2021-24917.yaml,http/exposures/files/travis-ci-disclosure.yaml,http/vulnerabilities/other/rockmongo-xss.yaml,http/exposed-panels/tomcat/tomcat-exposed-docs.yaml,http/exposed-panels/arcgis/arcgis-rest-api.yaml,custom:CVE-2019-1579,custom:CVE-2025-68461,custom:CVE-2024-35286,custom:CVE-2025-24016,custom:xss-inside-tag-top-params.yaml,http/exposures/apis/drupal-jsonapi-user-listing.yaml,http/miscellaneous/joomla-manifest-file.yaml,http/exposures/configs/karma-config-js.yaml,http/cves/2000/CVE-2000-0114.yaml,http/cves/2021/CVE-2021-20323.yaml,http/cves/2023/CVE-2023-24044.yaml,http/vulnerabilities/wordpress/music-store-open-redirect.yaml,http/cves/2020/CVE-2020-15129.yaml,http/cves/2021/CVE-2021-44528.yaml,http/cves/2017/CVE-2017-5487.yaml,http/cves/2019/CVE-2019-8449.yaml,http/cves/2020/CVE-2020-14179.yaml,http/cves/2020/CVE-2020-14181.yaml,http/cves/2021/CVE-2021-3293.yaml,http/cves/2021/CVE-2021-25118.yaml,http/cves/2021/CVE-2021-44848.yaml,http/cves/2023/CVE-2023-4568.yaml,http/cves/2024/CVE-2024-1208.yaml,http/cves/2024/CVE-2024-1210.yaml,http/cves/2024/CVE-2024-3097.yaml,http/cves/2017/CVE-2017-17562.yaml,http/cves/2019/CVE-2019-17382.yaml,http/cves/2022/CVE-2022-2034.yaml,http/cves/2023/CVE-2023-24489.yaml,http/default-logins/apache/tomcat-default-login.yaml,http/default-logins/oracle/peoplesoft-default-login.yaml,http/exposed-panels/adminer-panel-detect.yaml,http/exposures/apis/swagger-api.yaml,http/exposures/backups/php-backup-files.yaml,http/exposures/backups/zip-backup-files.yaml,http/exposures/files/generic-db.yaml,http/fuzzing/cache-poisoning-fuzz.yaml,http/fuzzing/header-command-injection.yaml,http/fuzzing/mdb-database-file.yaml,http/fuzzing/prestashop-module-fuzz.yaml,http/fuzzing/waf-fuzz.yaml,http/fuzzing/wordpress-plugins-detect.yaml,http/fuzzing/wordpress-themes-detect.yaml,http/fuzzing/wordpress-weak-credentials.yaml,http/miscellaneous/defacement-detect.yaml,http/misconfiguration/aem/aem-default-get-servlet.yaml,http/misconfiguration/akamai/akamai-s3-cache-poisoning.yaml,http/misconfiguration/gitlab/gitlab-api-user-enum.yaml,http/misconfiguration/gitlab/gitlab-user-enum.yaml,http/misconfiguration/servicenow-widget-misconfig.yaml,http/technologies/graphql-detect.yaml,http/technologies/graylog/graylog-api-exposure.yaml,http/vulnerabilities/apache/shiro/shiro-deserialization-detection.yaml,http/vulnerabilities/generic/open-redirect-generic.yaml,http/vulnerabilities/grafana/grafana-file-read.yaml,http/vulnerabilities/tongda/tongda-auth-bypass.yaml,http/vulnerabilities/wordpress/wp-xmlrpc-brute-force.yaml,javascript/default-logins/ssh-default-logins.yaml,http/exposures/configs/behat-config.yaml,http/cves/2018/CVE-2018-11784.yaml,http/cves/2019/CVE-2019-10098.yaml,http/cves/2022/CVE-2022-28923.yaml,http/cves/2020/CVE-2020-2096.yaml,http/cves/2023/CVE-2023-35160.yaml,http/cves/2023/CVE-2023-35161.yaml,http/cves/2023/CVE-2023-35162.yaml,http/exposed-panels/fireware-xtm-user-authentication.yaml,network/default-login/ftp-anonymous-login.yaml,http/fuzzing/xff-403-bypass.yaml,javascript/cves/2023/CVE-2023-48795.yaml,http/cves/2024/CVE-2024-43919.yaml,network/default-login/ftp-weak-credentials.yaml,http/exposed-panels/ghe-encrypt-saml.yaml,dast/vulnerabilities/crlf/cookie-injection.yaml,http/cves/2025/CVE-2025-49113.yaml,http/cves/2024/CVE-2024-42009.yaml,http/exposed-panels/aveva-intouch-access-anywhere-panel.yaml,http/exposed-panels/janitza-umg-panel.yaml,http/exposures/logs/trace-axd-expose.yaml

Comma-separated list of Nuclei templates not to be executed. See artemis/config.py for the rationale behind skipping particular templates.

NUCLEI_TEMPLATES_TO_SKIP_PROBABILISTICALLY_FILE

Default:

File with a list of Nuclei templates (one per line) to be skipped with NUCLEI_TEMPLATES_TO_SKIP_PROBABILISTICALLY_PROBABILITY probability. Use this if you have some templates that never yield results - you don’t want to skip them altogether (because they may start giving results) but maybe don’t run them on all hosts.

NUCLEI_TEMPLATES_TO_SKIP_PROBABILISTICALLY_PROBABILITY

Default: 0

Probability (0…100) with which each template from NUCLEI_TEMPLATES_TO_SKIP_PROBABILISTICALLY_FILE will be skipped. Use this if you have some templates that never yield results - you don’t want to skip them altogether (because they may start giving results) but maybe don’t run them on all hosts.

NUCLEI_TEMPLATES_TO_SKIP_WHEN_REPORTING

Default: http/exposed-panels/adobe/aem-sling-login.yaml,http/exposed-panels/alfresco-detect.yaml,http/exposed-panels/backpack/backpack-admin-panel.yaml,http/exposed-panels/bolt-cms-panel.yaml,http/exposed-panels/concrete5/concrete5-panel.yaml,http/exposed-panels/contao-login-panel.yaml,http/exposed-panels/craftcms-admin-panel.yaml,http/exposed-panels/django-admin-panel.yaml,http/exposed-panels/dokuwiki-panel.yaml,http/exposed-panels/drupal-login.yaml,http/exposed-panels/ez-publish-panel.yaml,http/exposed-panels/joomla-panel.yaml,http/exposed-panels/kentico-login.yaml,http/exposed-panels/liferay-portal.yaml,http/exposed-panels/magnolia-panel.yaml,http/exposed-panels/neos-panel.yaml,http/exposed-panels/netlify-cms.yaml,http/exposed-panels/strapi-panel.yaml,http/exposed-panels/tikiwiki-cms.yaml,http/exposed-panels/typo3-login.yaml,http/exposed-panels/umbraco-login.yaml,http/exposed-panels/wordpress-login.yaml,http/exposed-panels/axigen-webmail.yaml,http/exposed-panels/squirrelmail-login.yaml,http/exposed-panels/horde-webmail-login.yaml,http/exposed-panels/horde-login-panel.yaml,http/exposed-panels/zimbra-web-login.yaml,http/exposed-panels/zimbra-web-client.yaml,http/exposed-panels/icewarp-panel-detect.yaml,http/exposed-panels/fortinet/fortiweb-panel.yaml,http/exposed-panels/fortinet/fortios-panel.yaml,http/exposed-panels/fortinet/fortinet-fortigate-panel.yaml,http/exposed-panels/checkpoint/ssl-network-extender.yaml,http/exposed-panels/pulse-secure-panel.yaml,http/exposed-panels/pulse-secure-version.yaml,http/exposed-panels/cisco/cisco-asa-panel.yaml,http/exposed-panels/cisco/cisco-anyconnect-vpn.yaml,http/exposed-panels/cyberoam-ssl-vpn-panel.yaml,http/exposed-panels/openvpn-connect.yaml,http/exposed-panels/ivanti-csa-panel.yaml,http/exposed-panels/ivanti-connect-secure-panel.yaml,http/exposed-panels/softether-vpn-panel.yaml,http/exposed-panels/cas-login.yaml,http/exposed-panels/casdoor-login.yaml,http/exposed-panels/openam-panel.yaml,http/exposed-panels/sonicwall-sslvpn-panel.yaml,http/exposed-panels/netscaler-aaa-login.yaml,http/exposed-panels/citrix-adc-gateway-panel.yaml,http/exposed-panels/globalprotect-panel.yaml,http/exposed-panels/bitrix-panel.yaml,http/exposed-panels/dynamicweb-panel.yaml,http/exposed-panels/jira-detect.yaml,http/exposed-panels/kanboard-login.yaml,http/exposed-panels/linshare-panel.yaml,http/exposed-panels/magento-admin-panel.yaml,http/exposed-panels/mantisbt-panel.yaml,http/exposed-panels/mautic-crm-panel.yaml,http/exposed-panels/opencart-panel.yaml,http/exposed-panels/osticket-panel.yaml,http/exposed-panels/redmine-panel.yaml,http/exposed-panels/mattermost-panel.yaml,http/exposed-panels/bigbluebutton-login.yaml,http/exposed-panels/ilias-panel.yaml,http/exposed-panels/librespeed-panel.yaml,http/exposed-panels/office-webapps-panel.yaml,http/exposed-panels/onlyoffice-login-panel.yaml,http/exposed-panels/opensis-panel.yaml,http/exposed-panels/projectsend-login.yaml,http/exposed-panels/rocketchat-panel.yaml,http/exposed-panels/webeditors-check-detect.yaml

Comma-separated list of Nuclei templates to be executed but not to be reported (they will be used for asset discovery only). See artemis/config.py for the rationale behind skipping particular templates.

NUCLEI_TEMPLATE_GROUPS_FILE

Default: /opt/artemis/modules/data/nuclei_template_groups.json

A path (inside the Docker container) of a file with a JSON dictionary of template group assignments: {"template1": "group1", "template2": "group2", …}. If a template is assigned to a group, instead of the template, the whole group will be reported as the detected template name. Therefore, due to findings deduplication, only one instance of such vulnerability will be reported. This is useful to detect situations when multiple .env detectors detect a single file or multiple XSS templates are triggered on a single page.
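
How a group file collapses several template hits into one reported finding, as an added Python example (not Artemis code). The function names, the group name `group:xss`, the sample findings and the choice of (target, reported name) as the deduplication key are assumptions made for illustration; the template paths are taken from the defaults listed on this page.

```python
# Added example, not Artemis code: effect of a template groups file on
# the list of reported findings.
import json

# Constructed group file in the documented {"template": "group"} shape.
SAMPLE_GROUPS_JSON = """
{
  "http/vulnerabilities/generic/xss-fuzz.yaml": "group:xss",
  "http/vulnerabilities/generic/basic-xss-prober.yaml": "group:xss",
  "http/vulnerabilities/generic/top-xss-params.yaml": "group:xss"
}
"""

# Constructed raw findings as (target URL, matched template) pairs.
SAMPLE_FINDINGS = [
    ("https://example.com/search", "http/vulnerabilities/generic/xss-fuzz.yaml"),
    ("https://example.com/search", "http/vulnerabilities/generic/basic-xss-prober.yaml"),
    ("https://example.com/search", "http/misconfiguration/django-debug-detect.yaml"),
    ("https://other.example.com/", "http/vulnerabilities/generic/xss-fuzz.yaml"),
]


def load_template_groups(text):
    """Parse and validate the JSON dictionary of template -> group."""
    groups = json.loads(text)
    if not isinstance(groups, dict):
        raise ValueError("template groups file must contain a JSON dictionary")
    for template, group in groups.items():
        if not isinstance(group, str) or not group:
            raise ValueError(f"group for {template!r} must be a non-empty string")
    return groups


def deduplicate(findings, groups):
    """Collapse findings that share a target and a reported name.

    A grouped template is reported under its group name, an ungrouped one
    under its own name. Returns {(target, reported_name): [templates]},
    in first-seen order.
    Assumption: the deduplication key is (target, reported name).
    """
    merged = {}
    for target, template in findings:
        reported = groups.get(template, template)
        matched = merged.setdefault((target, reported), [])
        if template not in matched:
            matched.append(template)
    return merged


if __name__ == "__main__":
    groups = load_template_groups(SAMPLE_GROUPS_JSON)
    for (target, name), templates in deduplicate(SAMPLE_FINDINGS, groups).items():
        print(f"{target}: {name} (from {len(templates)} template(s))")
```
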

NUCLEI_TEMPLATE_LISTS

Default: known_exploited_vulnerabilities,log_exposures,exposed_panels

Which template lists to use besides the ones defined by NUCLEI_SEVERITY_THRESHOLD. Available: known_exploited_vulnerabilities (from https://github.com/Ostorlab/KEV/), log_exposures (http/exposures/logs folder in https://github.com/projectdiscovery/nuclei-templates/), exposed_panels (http/exposed-panels/ folder).

OVERRIDE_STANDARD_NUCLEI_TEMPLATES_TO_RUN

Default:

Comma-separated list of Nuclei templates to be executed. If provided, it will override the standard list of templates to be executed. It is intended mainly for testing/debugging purposes. Templates defined in NUCLEI_ADDITIONAL_TEMPLATES will be executed alongside.

PlaceholderPageContent

ENABLE_PLACEHOLDER_PAGE_DETECTOR

Default: False

Enable or disable placeholder pages detector. Using this feature you may skip vulnerability scanning for websites that aren’t built yet, but e.g. contain a hosting provider placeholder page. If the page exists and the specified string is found within it, the page will not be scanned for vulnerabilities. If the page is not marked as a placeholder, a full scan will be performed.

PLACEHOLDER_PAGE_CONTENT_FILENAME

Default: /home/docs/checkouts/readthedocs.org/user_builds/artemis-scanner/checkouts/latest/artemis/modules/data/placeholder_page_content.txt

Path to placeholder page content file. The file is divided into lines – each line is a string containing a different HTML code element to check.

PortScanner

ADD_PORTS_FROM_SHODAN_INTERNETDB

Default: False

Besides the scanned ports (configured by PORT_SCANNER_PORT_LIST and CUSTOM_PORT_SCANNER_PORTS), add ports from internetdb.shodan.io. By using this source you confirm that you have read carefully the terms and conditions on https://internetdb.shodan.io/ and agree to respect them, in particular in ensuring no conflict with the commercialization clause. For the avoidance of doubt, in any case, you remain solely liable for how you use this source and your compliance with the terms, and NASK is relieved of such liability to the fullest extent possible.

CUSTOM_PORT_SCANNER_PORTS

Default:

Custom port list to scan in CSV form (replaces default list).

PORT_SCANNER_MAX_BATCH_SIZE

Default: 10

Port scanner: number of hosts scanned by one port_scanner instance

PORT_SCANNER_MAX_NUM_PORTS

Default: 100

The number of open ports we consider to be too many and a false positive - if we observe more open ports, we trim by performing an intersection of the result with the list of 100 most popular ones.

PORT_SCANNER_PORT_LIST

Default: short

Chosen list of ports to scan (can be ‘short’ or ‘long’)

PORT_SCANNER_TIMEOUT_MILLISECONDS

Default: 5000

Port scanner: milliseconds to wait before timing out

Postman

POSTMAN_MAIL_FROM

Default: from@example.com

Sender e-mail address that will be used to test whether a server is an open relay or allows sending e-mails to any address.

POSTMAN_MAIL_TO

Default: to@example.com

Recipient e-mail address, e.g. for open relay testing.

RemovedDomainExistingVhost

REMOVED_DOMAIN_EXISTING_VHOST_PASSIVEDNS_SLEEP_BETWEEN_REQUESTS_SECONDS

Default: 10

How long to sleep between passivedns requests in order not to overload the provider.

REMOVED_DOMAIN_EXISTING_VHOST_PASSIVEDNS_URLS

Default: None

Comma-separated list of URLs (optionally with username:password) to download old domain IPs from. So far, the system has been tested with circl.lu passive DNS. The URL should end with /pdns/query/.

REMOVED_DOMAIN_EXISTING_VHOST_REPORT_ONLY_SUBDOMAINS

Default: False

If set to True, ‘removed domain but existing vhost’ situations will be reported only for subdomains.

REMOVED_DOMAIN_EXISTING_VHOST_SIMILARITY_THRESHOLD

Default: 0.5

How similar the results for correct and different domain should be to consider that the server doesn’t host the given domain.

ReverseDNSLookup

REVERSE_DNS_APIS

Default:

List of URLs (such as e.g. https://internetdb.shodan.io/) that provide a JSON dictionary with ‘hostnames’ field for an IP. By using this source you confirm that you have read carefully the terms and conditions on https://internetdb.shodan.io/ and agree to respect them, in particular in ensuring no conflict with the commercialization clause. For the avoidance of doubt, in any case, you remain solely liable for how you use this source and your compliance with the terms, and NASK is relieved of such liability to the fullest extent possible.

SSHBruter

ADDITIONAL_BRUTE_FORCE_SLEEP_SECONDS

Default: 20

Some SSH servers drop connections after a large number of tries in a short time period. This additional sleep (in seconds) is meant to work around this behavior.

Shodan

SHODAN_API_KEY

Default:

Shodan API key so that Shodan vulnerabilities will be displayed in Artemis.

SqlInjectionDetector

SQL_INJECTION_MINIMAL_HEADERS_MAX_LEN

Default: 5

Maximum number of headers kept after SQLi header minimization.

SQL_INJECTION_MINIMAL_PARAMS_MAX_LEN

Default: 5

Maximum number of parameters kept after SQLi parameter minimization.

SQL_INJECTION_NUM_RETRIES_TIME_BASED

Default: 10

How many times to re-check whether a long request duration with the injection (and a short one without it) is indeed a vulnerability or a random fluctuation.

SQL_INJECTION_STOP_ON_FIRST_MATCH

Default: True

Whether to display only the first SQL injection and stop scanning.

SQL_INJECTION_TIME_THRESHOLD

Default: 5

Seconds to sleep using the sleep() or pg_sleep() methods

SubdomainEnumeration

DNS_BRUTE_FORCE_TIME_LIMIT_SECONDS

Default: 2400

Time limit for DNS brute force in seconds - some of the servers are very slow, so we don’t want to wait too long.

DNS_QUERIES_PER_SECOND

Default: 20

Number of DNS queries per second (as they are easier to handle than e.g. HTTP queries, let’s have a separate limit)

GAU_ADDITIONAL_OPTIONS

Additional command-line options that will be passed to gau (https://github.com/lc/gau).

RETRIES

Number of retries for subdomain enumeration.

SLEEP_TIME_SECONDS

Time to sleep between retries for subdomain enumeration in seconds.

SUBFINDER_PROVIDER_CONFIG

Subfinder provider configuration in JSON format. Used to generate provider-config.yaml dynamically. Example: '{"github": ["key1", "key2"], "virustotal": ["key"]}'

VCS

VCS_MAX_DB_SIZE_BYTES

Default: 5242880

Maximum size of the VCS (e.g. SVN) db file.

WordPressPlugins

WORDFENCE_API_KEY

Default: None

If set, Artemis will fetch WordFence vulnerability data and enrich wordpress_plugins reports with CVE information.

WORDPRESS_SKIP_VERSION_CHECK_ON_LESS_POPULAR_PLUGINS

Default: False

Some plugins have wrong versions in the README. For the most popular 1500 plugins, the Artemis team monitors such cases and excludes the plugins that have wrong versions in the README from scanning. For the less popular plugins (e.g. if one can be identified by the /wp-content/plugins/xyz/ URL in the website source), such cases can be a source of false positives. If this option is set to True, the version check for such plugins will not be performed.

WordPressScanner

WORDPRESS_VERSION_AGE_DAYS

Default: 90

After what number of days we consider the WordPress version to be obsolete. This is a long threshold because WordPress maintains a separate list of insecure versions, so “old” doesn’t mean “insecure” here.

PublicSuffixes

ADDITIONAL_PUBLIC_SUFFIXES

Default:

Additional domains that will be treated as public suffixes (even though they’re not on the default Public Suffix List).

ALLOW_SUBDOMAIN_ENUMERATION_IN_PUBLIC_SUFFIXES

Default: False

Whether we will enumerate subdomains for a public suffix (e.g. .pl) if it appears on the target list. This may cause a very large number of domains to be scanned.

Reporting

ADDITIONAL_SEVERITY_FILE

Default: None

A path (inside the Docker container) to a file with a JSON dictionary containing severities of additional report types: '{"report_type1": "high", "report_type2": "medium", …}'.

MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_HIGH

Default: 60

If a high-severity report has already been seen earlier - how much time needs to pass for a second report to be generated.

MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_LOW

Default: 540

If a low-severity report has already been seen earlier - how much time needs to pass for a second report to be generated.

MIN_DAYS_BETWEEN_REMINDERS__SEVERITY_MEDIUM

Default: 120

If a medium-severity report has already been seen earlier - how much time needs to pass for a second report to be generated.

REPORTING_DEDUPLICATION_COMMON_HTTP_PORTS

Default: 80,443

Ports that we will treat as “standard http/https ports” when deduplicating vulnerabilities - that is, if we observe an identical vulnerability on two standard ports (e.g. on 80 and on 443), we will treat such a case as the same vulnerability. This is configurable because e.g. we observed some hosting providers serving mirrors of content from port 80 on ports 81-84.
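The effect of this port list on what counts as a duplicate, shown as an added example that is not Artemis's own deduplication code. It assumes a report is identified by its URL and report type; the function names, the sample URLs and the "report_type1" label are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_port_list(setting):
    """Parse a comma-separated value such as '80,443' into a set of ints."""
    return {int(p) for p in setting.split(",") if p.strip()}


def dedup_key(url, report_type, common_ports):
    """Build the key under which two reports count as the same finding."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if port in common_ports:
        # Standard HTTP(S) port: scheme and port do not distinguish the finding.
        return (parts.hostname, "common", parts.path or "/", report_type)
    return (parts.hostname, port, parts.path or "/", report_type)


def deduplicate(reports, setting):
    """Keep the first report for every deduplication key."""
    common_ports, seen, kept = parse_port_list(setting), set(), []
    for url, report_type in reports:
        key = dedup_key(url, report_type, common_ports)
        if key not in seen:
            seen.add(key)
            kept.append((url, report_type))
    return kept


# Constructed sample: the same finding observed on four ports of one host.
REPORTS = [
    ("http://example.com/", "report_type1"),
    ("https://example.com/", "report_type1"),
    ("http://example.com:81/", "report_type1"),
    ("http://example.com:8080/", "report_type1"),
]

if __name__ == "__main__":
    for setting in ("80,443", "80,443,81,82,83,84"):
        print(setting, "->", [url for url, _ in deduplicate(REPORTS, setting)])
```

With the default value the mirror on port 81 is reported separately; adding 81-84 to the list folds it into the port 80 finding, while port 8080 stays a separate report in both cases.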

REPORTING_MAX_VULN_AGE_DAYS

Default: 180

When creating e-mail reports, what is the vulnerability maximum age (in days) for it to be reported.

REPORTING_SEPARATE_INSTITUTIONS

Default:

Sometimes even if we scan example.com, we want to report subdomain.example.com to a separate contact, because it is a separate institution. This variable should contain a comma-separated list of such subdomains.

Extra modules

Additionally, you can configure modules from the Artemis-modules-extra repository (https://github.com/CERT-Polska/Artemis-modules-extra) using the configuration variables from https://github.com/CERT-Polska/Artemis-modules-extra/blob/main/extra_modules_config.py. The file to put them in (.env) and the syntax (VARIABLE_NAME=VARIABLE_VALUE) are the same as for the core Artemis configuration.

Blocklist

You may exclude some systems from being scanned or included in the reports. To do that, set the BLOCKLIST_FILE environment variable to a path to a blocklist file (it needs to be placed in the ./shared directory which is mounted to all scanning containers as /shared).

The blocklist file is a YAML file with the following syntax:

- mode: 'block_scanning_and_reporting' (to block both scanning and reporting) or
    'block_reporting_only' (if you want the scanning to be performed but want the
    issues to be skipped from automatic e-mail reports)
  domain_and_subdomains: null or the domain to be filtered (this will also filter its
     subdomains)
  subdomains: null or a domain - this setting will filter out only subdomains of this domain,
     but not the domain itself
  ip_range: null or the ip range to be filtered (to filter a single ip address,
    use the xxx.xxx.xxx.xxx/32 syntax)
  until: null or a date (YYYY-MM-DD) until which the filter will be active
  karton_name: null or the name of a scanning module

  report_target_should_contain: null or the string that must occur in the target for
    the report to be blocklisted - this parameter can be used only when 'mode' is set
    to 'block_reporting_only'.
  report_type: null (which will block all reports) or a string containing
     the type of reports that will be blocked (e.g. "misconfigured_email") - this
     parameter can be used only when 'mode' is 'block_reporting_only'.

There may be multiple entries in a blocklist file, each with the syntax described above.
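A check for the entry rules listed above that can be run before a blocklist is deployed, as an added example that is not part of Artemis. The function name and sample entries are constructed here, and entries are given as the list of dictionaries a YAML loader would return for the file. Flagging expired entries and unknown keys is a choice made for this example: both mean an exclusion the operator expects is silently not applied.

```python
import ipaddress
from datetime import date, datetime

MODES = {"block_scanning_and_reporting", "block_reporting_only"}
REPORT_ONLY_KEYS = ("report_target_should_contain", "report_type")
KNOWN_KEYS = {"mode", "domain_and_subdomains", "subdomains", "ip_range",
              "until", "karton_name", *REPORT_ONLY_KEYS}


def lint_entry(entry, today):
    """Return the problems found in one blocklist entry (empty list = OK)."""
    problems = [f"unknown key: {k}" for k in sorted(set(entry) - KNOWN_KEYS)]
    mode = entry.get("mode")
    if mode not in MODES:
        problems.append(f"invalid mode: {mode!r}")
    # The report_* filters are only allowed together with block_reporting_only.
    for key in REPORT_ONLY_KEYS:
        if entry.get(key) is not None and mode != "block_reporting_only":
            problems.append(f"{key} requires mode block_reporting_only")
    if entry.get("ip_range") is not None:
        ip_range = str(entry["ip_range"])
        try:
            ipaddress.ip_network(ip_range, strict=False)
            if "/" not in ip_range:  # the syntax asks for /32 on single addresses
                problems.append("ip_range has no prefix length")
        except ValueError:
            problems.append(f"invalid ip_range: {ip_range!r}")
    until = entry.get("until")
    if until is not None:
        try:
            # str() also covers YAML loaders that already return a date object.
            if datetime.strptime(str(until), "%Y-%m-%d").date() < today:
                problems.append(f"expired on {until}")
        except ValueError:
            problems.append(f"until is not YYYY-MM-DD: {until!r}")
    return problems


# Constructed sample entries (documentation domain and IP range).
SAMPLE = [
    {"mode": "block_scanning_and_reporting", "domain_and_subdomains": "example.com",
     "until": "2030-12-31"},
    {"mode": "block_scanning_and_reporting", "ip_range": "192.0.2.10",
     "report_type": "misconfigured_email"},
    {"mode": "block_reporting_only", "subdomains": "example.com",
     "until": "2020-01-01", "report_type": "misconfigured_email"},
    {"mode": "block_reporting", "domain": "example.com"},
]

if __name__ == "__main__":
    for index, entry in enumerate(SAMPLE):
        print(index, lint_entry(entry, date(2025, 1, 1)) or "OK")
```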

Advanced: Karton configuration

Artemis is based on the Karton framework (https://github.com/CERT-Polska/karton). Please refer to the Karton documentation for more information.

Module Runtime Configuration

The ModuleRuntimeConfiguration class serves as the base for all module-specific runtime configurations (that can be changed on a per-task basis) in Artemis. It provides a standardized way to handle module configurations with serialization, deserialization, and validation capabilities.

Basic Usage

from artemis.modules.base.module_runtime_configuration import ModuleRuntimeConfiguration

# Create a configuration with default values
config = ModuleRuntimeConfiguration()

# Serialize to a dictionary
config_dict = config.serialize()
# Result: {}

# Deserialize from a dictionary
config = ModuleRuntimeConfiguration.deserialize({})

# Validate configuration
is_valid = config.validate()

Extending The Base Class

To create a module-specific configuration, extend the ModuleRuntimeConfiguration class:

from typing import Dict, Any
from artemis.modules.base.module_runtime_configuration import ModuleRuntimeConfiguration

class PortScannerConfiguration(ModuleRuntimeConfiguration):
    def __init__(
        self,
        timeout_ms: int = 5000,
        max_ports: int = 1000
    ) -> None:
        super().__init__()
        self.timeout_ms = timeout_ms
        self.max_ports = max_ports

    def serialize(self) -> Dict[str, Any]:
        result = super().serialize()
        result.update({
            "timeout_ms": self.timeout_ms,
            "max_ports": self.max_ports
        })
        return result

    @classmethod
    def deserialize(cls, config_dict: Dict[str, Any]) -> "PortScannerConfiguration":
        return cls(
            timeout_ms=config_dict.get("timeout_ms", 5000),
            max_ports=config_dict.get("max_ports", 1000)
        )

    def validate(self) -> bool:
        base_valid = super().validate()
        return (
            base_valid and
            isinstance(self.timeout_ms, int) and self.timeout_ms > 0 and
            isinstance(self.max_ports, int) and self.max_ports > 0
        )

API Reference

serialize() -> Dict[str, Any]

Serializes the configuration to a dictionary format suitable for storage or transmission.

deserialize(config_dict: Dict[str, Any]) -> ModuleConfiguration

Class method that creates a new configuration instance from a dictionary.

validate() -> bool

Validates that the configuration is valid. Returns True if valid, False otherwise.

Integration with Module System

When developing a new module for Artemis, you should:

  1. Create a custom configuration class extending ModuleRuntimeConfiguration

  2. Add module-specific configuration options

  3. Override the serialize(), deserialize(), and validate() methods

  4. Use the configuration in your module implementation

This approach ensures consistency in how module runtime configurations are handled throughout the system.

API validation

In order for the API to validate the runtime configuration, you need to add a record to the mapping in artemis/api.py:

RUNTIME_CONFIGURATION_CLASSES: Dict[str, Type[ModuleRuntimeConfiguration]] = {
    "mail_dns_scanner": MailDNSScannerConfiguration,
    "nuclei": NucleiConfiguration,
}