Skip to main content

Configuration

The Javelin RedTeam configuration system provides comprehensive control over scan parameters, target applications, vulnerability categories, and attack engines.

Configuration Structure

The main configuration consists of several key sections:

# Application under test
app_config:
name: "MyApplication"
description: "Application description for context"
endpoint: "https://api.example.com/chat"

# Scan parameters
scan_config:
parameters:
maxScenarios: 10
timeout: 5
concurrency: 2
reportFormat: "markdown"
categories: ["data_privacy", "security"]

# Framework-level settings (optional)
framework:
database_url: "postgresql://..."
redis_url: "redis://..."
max_concurrent_scans: 2

Application Configuration

Basic Application Settings

app_config:
name: "CustomerChatbot"
description: "A customer service chatbot that helps users with account inquiries, product information, and technical support."
endpoint: "https://api.example.com/chat"
method: "POST" # Default: POST
headers:
Content-Type: "application/json"
Authorization: "Bearer ${API_TOKEN}"
payload_template:
query: "{{query}}"
user_id: "test_user"
session_id: "redteam_session"
FieldTypeDescriptionDefault
namestringApplication name for reportingRequired
descriptionstringDetailed description of target app for context generationRequired
endpointstringTarget HTTP endpoint URLRequired
headersobjectHTTP headers to include
payload_templateobjectRequest payload template with {{query}} placeholderRequired

Scan Configuration

ParameterTypePermissible ValuesDescription
maxScenariosinteger1-1000Test cases generated per category
timeoutinteger1-300Maximum scan duration in minutes
concurrencyinteger1-10Parallel test execution count
reportFormatstringmarkdown, json, pdf, htmlOutput format
categorieslist15 vulnerability categoriesList of vulnerability categories to test (e.g., data_privacy, security, responsible_ai, prompt_injection)

Category Selection

scan_config:
parameters:
categories:
# Core vulnerability categories
- "data_privacy"
- "responsible_ai"
- "security"
- "brand_image"
- "illegal_risks"

# OWASP LLM Top 10 categories
- "prompt_injection"
- "sensitive_information_disclosure"
- "supply_chain"
- "data_and_model_poisoning"
- "improper_output_handling"
- "excessive_agency"
- "system_prompt_leakage"
- "vector_and_embedding_weaknesses"
- "misinformation"
- "unbounded_consumption"

Configuration Validation

Javelin RedTeam validates configuration before execution:

# Validate configuration
javelin-redteam validate --config conf/config.yaml

# Test connectivity
javelin-redteam test-connection --config conf/config.yaml

Best Practices

  1. Start Simple: Begin with basic categories and low test counts
  2. Environment Separation: Use different configs for dev/staging/prod
  3. Incremental Testing: Gradually increase scope and complexity
  4. Resource Management: Monitor concurrency and timeouts
  5. Documentation: Document custom configurations and rationale

Troubleshooting

Common configuration issues:

  • Invalid Categories: Ensure category names match supported options
  • Authentication Failures: Verify API keys and permissions
  • Timeout Issues: Adjust timeout and concurrency settings
  • Resource Limits: Check framework limits for your deployment
  • Model Availability: Ensure specified models are accessible