Java YAML configuration template
Use this template to configure the Java agent using a YAML configuration file. (Learn more about YAML configuration.)
Place your YAML file in the default location:
Unix:
/etc/contrast/java/contrast_security.yaml
Windows:
C:/ProgramData/contrast/java/contrast_security.yaml
# ==============================================================================
# Use the properties in this YAML file to configure a Contrast agent.
# Go to https://docs.contrastsecurity.com/en/order-of-precedence.html
# to determine the order of precedence for configuration values.
# ==============================================================================
# Use this setting if you want to temporarily disable a Contrast agent.
# Set to `true` to enable the agent; set to `false` to disable the agent.
# enable: true
# ==============================================================================
# api
# Use the properties in this section to connect the agent to the Contrast UI.
# ==============================================================================
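api:
  # ********************** REQUIRED **********************
  # Set the URL for the Contrast UI.
  url: https://app.contrastsecurity.com/Contrast
  # The `api_key` and `service_key` values (and the optional `token`
  # and proxy `pass` further down) are credentials. Restrict read
  # access on this file to the account that runs the agent and keep
  # it out of version control. Each key can also be supplied through
  # an environment variable named CONTRAST__API__API_KEY (the
  # CONTRAST__<SECTION>__<KEY> convention shown under
  # agent.diagnostics), so the file itself need not hold a real value.
  #
  # ********************** REQUIRED **********************
  # Set the API key needed to communicate with the Contrast UI.
  api_key: NEEDS_TO_BE_SET
  # ********************** REQUIRED **********************
  # Set the service key needed to communicate with the Contrast
  # UI. It is used to calculate the Authorization header.
  service_key: NEEDS_TO_BE_SET
  # ********************** REQUIRED **********************
  # Set the user name used to communicate with the Contrast
  # UI. It is used to calculate the Authorization header.
  user_name: NEEDS_TO_BE_SET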
# base64 encoded JSON object containing the `url`,
# `api_key`, `service_key`, and `user_name` config options,
# allowing them all to be set in a single variable.
# token: NEEDS_TO_BE_SET
# Set the timeout for communicating with TeamServer. This property will be
# respected over the deprecated legacy configuration *contrast.timeout*.
# timeout_ms: NEEDS_TO_BE_SET
# ============================================================================
# api.proxy
# Use the following properties for communication
# with the Contrast UI over a proxy.
# ============================================================================
# proxy:
# Set value to `true` for the agent to communicate with
# the Contrast web interface over a proxy. Set value to
# `false` if you don't want to use the proxy. If no value is
# indicated, the presence of a valid **contrast.proxy.host**
# and **contrast.proxy.port** will enable the proxy.
# enable: NEEDS_TO_BE_SET
# Set the proxy host. It must be set with port and scheme.
# host: localhost
# Set the proxy port. It must be set with host and scheme.
# port: 1234
# Set the proxy scheme (e.g., `http` or
# `https`). It must be set with host and port.
# scheme: http
# Set this property as an alternate for `scheme://host:port`. It takes
# precedence over the other settings, if specified; however, an error
# will be thrown if both the URL and individual properties are set.
# url: NEEDS_TO_BE_SET
# Set the proxy user.
# user: NEEDS_TO_BE_SET
# Set the proxy password.
# pass: NEEDS_TO_BE_SET
# Set the proxy authentication type. Value
# options are `NTLM`, `Digest`, and `Basic`.
# auth_type: NEEDS_TO_BE_SET
# ==============================================================================
# agent
# Use the properties in this section to control the way and frequency
# with which the agent communicates to logs and the Contrast UI.
# ==============================================================================
# agent:
# ============================================================================
# agent.diagnostics
# Use the properties in this section to specify the information the agent
# should collect and report in order to diagnose problems in the agent.
#
# ============================================================================
# diagnostics:
# Creates config and system info files
# at startup if true. True by default.
#
# The same thing can be achieved by setting the
# CONTRAST__AGENT__DIAGNOSTICS__ENABLE=[true/false] env variable.
#
# enable: true
# ============================================================================
# agent.route_coverage
# Use the following properties for the route-based coverage feature.
# ============================================================================
# route_coverage: {}
# ============================================================================
# agent.reporting
# Use the following settings to configure reporting to the Contrast UI.
# ============================================================================
# reporting:
# Set the grace period (in milliseconds) after
# agent shutdown to allow draining pending reports.
# shutdown_grace_period_ms: 120000
# ============================================================================
# agent.effective_config
# None
# ============================================================================
# effective_config:
# ==========================================================================
# agent.effective_config.reporting
# None
# ==========================================================================
# reporting:
# Defaults to `true`. Controls whether configuration
# setting reports are sent to the Contrast web interface.
# enable: true
# ============================================================================
# agent.logger
# Define the following properties to set logging values.
# If the following properties are not defined, the
# agent uses the logging values from the Contrast UI.
# ============================================================================
# logger:
# Enable diagnostic logging by setting a path to a log file.
# While diagnostic logging hurts performance, it generates
# useful information for debugging Contrast. The value set here
# is the location to which the agent saves log output. If no
# log file exists at this location, the agent creates a file.
#
# Example - `/opt/Contrast/contrast.log` creates a log in the
# `/opt/Contrast` directory, and rotates it automatically as needed.
#
# path: ./contrast_agent.log
# Set the log output level. Valid options are
# `ERROR`, `WARN`, `INFO`, `DEBUG`, and `TRACE`.
# level: INFO
# Set to `true` to redirect all logs to
# `stdout` instead of the file system.
# stdout: false
# Set to `true` to redirect all logs to `stderr` instead of
# the file system. May be combined with the corresponding
# `stdout` configuration to write to both streams.
# stderr: false
# Change the Contrast logger from a file-size-based rolling scheme
# to a date-based rolling scheme. At midnight server time, the
# previous day's log is renamed to *file_name.yyyy-MM-dd*. Note -
# this scheme does not have a size limit; manual log pruning is
# required. You must set this flag to use the backups and size flags.
# roll_daily: false
# Set the roll size for log files in megabytes. The agent will
# attempt to prevent the log file from being larger than this size.
# roll_size: 100
# Set the number of backup files to keep. Set to `0` to disable.
# backups: 10
# ============================================================================
# agent.security_logger
# Define the following properties to set security logging
# values associated with Protect. If not defined, the agent
# uses the security logging (CEF) values from the Contrast UI.
# ============================================================================
# security_logger:
# Set the file to which the agent logs security events.
# path: ./contrast/security.log
# Set the log level for security logging. Valid options
# are `ERROR`, `WARN`, `INFO`, `DEBUG`, and `TRACE`.
# level: ERROR
# Change the Contrast security logger from a file-size-based rolling
# scheme to a date-based rolling scheme. At midnight server time,
# the log from the previous day is renamed to *file_name.yyyy-MM-dd*.
# Note - this scheme does not have a size limit; manual log
# pruning will be required. This flag must be set to use the
# backups and size flags. Value options are `true` or `false`.
# roll_daily: NEEDS_TO_BE_SET
# Specify the file size cap (in MB) of each log file.
# roll_size: NEEDS_TO_BE_SET
# Specify the number of backup logs that the agent will create before
# Contrast cleans up the oldest file. A value of `0` means that no backups
# are created, and the log is truncated when it reaches its size cap.
#
# Note - this property must be used with
# `agent.security_logger.roll_daily=false`; otherwise,
# Contrast continues to log daily and disregard this limit.
#
# backups: NEEDS_TO_BE_SET
# ==========================================================================
# agent.security_logger.syslog
# Define the following properties to set Syslog values. If the properties
# are not defined, the agent uses the Syslog values from the Contrast UI.
# ==========================================================================
# syslog:
# Set to `true` to enable Syslog logging.
# enable: NEEDS_TO_BE_SET
# Set the IP address of the Syslog server
# to which the agent should send messages.
# ip: NEEDS_TO_BE_SET
# Set the port of the Syslog server to
# which the agent should send messages.
# port: NEEDS_TO_BE_SET
# Set the facility code of the messages the agent sends to Syslog.
# facility: 19
# Set the log level of Exploited attacks. Value options are `ALERT`,
# `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
# severity_exploited: ALERT
# Set the log level of Blocked attacks. Value options are `ALERT`,
# `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
# severity_blocked: NOTICE
# Set the log level of Blocked At Perimeter
# attacks. Value options are `ALERT`, `CRITICAL`,
# `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
# severity_blocked_perimeter: NOTICE
# Set the log level of Probed attacks. Value options are `ALERT`,
# `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
# severity_probed: WARNING
# Set the log level of Suspicious attacks. Value options are `ALERT`,
# `CRITICAL`, `ERROR`, `WARNING`, `NOTICE`, `INFO`, and `DEBUG`.
# severity_suspicious: WARNING
# ========================================================================
# agent.security_logger.syslog.heartbeat
# Define the following properties to
# set the Syslog heartbeat properties.
# ========================================================================
# heartbeat:
# Set to `true` to enable the Syslog heartbeat.
# The heartbeat will issue a Syslog message at
# the INFO level after every interval passes.
# enable: false
# Set the interval for sending heartbeat messages
# to the Syslog server (in milliseconds).
# interval_ms: 60000
# ============================================================================
# agent.java
# The following properties apply to any Java agent-wide configurations.
# ============================================================================
# java:
# Configure the Java agent to skip its application discovery
# algorithm, and instead associate all libraries, vulnerabilities,
# and web traffic to a single application with the name specified
# by this property. This configuration is preferred when deploying
# Java SE applications with embedded web servers (e.g., applications
# built with Spring Boot, Dropwizard, and embedded Jetty). When used
# with an application server, this configuration associates all
# web traffic with the single, standalone application, including
# web traffic handled by application server-hosted endpoints that
# would not be associated with a discovered application otherwise.
#
# Note - This setting takes precedence
# over the `application.name` setting.
#
# standalone_app_name: NEEDS_TO_BE_SET
# By default, the Java agent visits all classes at startup to look
# for vulnerabilities, which the agent may detect by scanning a
# class (e.g., hardcoded passwords). Set this property to `false`
# to disable the default behavior. If disabled, the agent will
# only visit classes which are likely to require sensors; this
# can improve application startup time, but may produce fewer
# findings (most likely findings that require static analysis).
#
# scan_all_classes: true
# By default, the Java agent deeply inspects all JAR and WAR files loaded
# by the JVM to build a comprehensive understanding of the type hierarchy.
# This understanding allows Contrast to instrument sensors into types
# that it might have overlooked. In most cases, this produces a slight
# increase in accuracy at the cost of increased application startup
# time. Set this property to `false` to disable this level of inspection.
#
# scan_all_code_sources: true
# ==============================================================================
# inventory
# Use the properties in this section to override the inventory features.
# ==============================================================================
# inventory:
# Set to `false` to disable inventory features in the agent.
# enable: true
# Define a list of directories where libraries are stored.
# Directories must be formatted as a semicolon-delimited
# list for Windows or a colon-delimited list for Linux.
#
# Example - `path1;path2;path3` (Windows) or `path1:path2:path3` (Linux)
#
# library_dirs: NEEDS_TO_BE_SET
# Set the maximum archive unpacking depth when analyzing libraries.
# library_depth: 10
# Set the boolean to more aggressively limit the
# manifest information reported for libraries. If true,
# the limit is 1,000 characters, otherwise it's 3,000.
# prune_package_details: true
# Apply a list of labels to libraries. Labels
# must be formatted as a comma-delimited list.
# Example - `label1, label2, label3`
#
# tags: NEEDS_TO_BE_SET
# ==============================================================================
# assess
# Use the properties in this section to control Assess.
# ==============================================================================
# assess:
# Include this property to determine if the Assess
# feature should be enabled. If this property is not
# present, the decision is delegated to the Contrast UI.
# enable: false
# Control the values captured by Assess vulnerability events. `Full`
# captures most values by calling ToString on objects, which can
# provide more info but causes increased memory usage. `Minimal`
# has better performance as it only captures String type objects
# as strings and uses type name for other object type values.
# event_detail: minimal
# Apply a list of labels to vulnerabilities and preflight
# messages. Labels must be formatted as a comma-delimited list.
# Example - `label1, label2, label3`
#
# tags: NEEDS_TO_BE_SET
# ============================================================================
# assess.sampling
# Use the following properties to control sampling in the agent.
# ============================================================================
# sampling:
# Set to `true` to enable sampling.
# enable: false
# This property indicates the number of requests
# to analyze in each window before sampling begins.
# baseline: 5
# This property indicates that every *nth*
# request after the baseline is analyzed.
# request_frequency: 10
# This property indicates the duration for which a sample set is valid.
# window_ms: 180_000
# ============================================================================
# assess.rules
# Use the following properties to control simple rule configurations.
# ============================================================================
# rules:
# Define a list of Assess rules to disable in the agent. To view a
# list of rule names, in Contrast go to user menu > Policy Management >
# Assess rules. The rules must be formatted as a comma-delimited list.
#
# Example - Set `reflected-xss,sql-injection` to disable
# the reflected-xss rule and the sql-injection rule.
#
# disabled_rules: NEEDS_TO_BE_SET
# ==============================================================================
# profile
# Set configuration values under a profile name to enable
# multi-tenant application configuration on web servers. See
# https://support.contrastsecurity.com/hc/en-us/articles/360052187171-Multi-Application-configuration-with-Contrast-Profiles
# for more details.
# ==============================================================================
# profile: {}
# ==============================================================================
# protect
# Use the properties in this section to override Protect features.
# ==============================================================================
# protect:
# Include this property to determine if the Protect
# feature should be enabled. If this property is not
# present, the decision is delegated to the Contrast UI.
# enable: false
# ============================================================================
# protect.rules
# Use the following properties to set simple rule configurations.
# ============================================================================
# rules:
# Define a list of Protect rules to disable in the agent. To view a
# list of rule names, in Contrast go to user menu > Policy Management >
# Protect rules. The rules must be formatted as a comma-delimited list.
# disabled_rules: NEEDS_TO_BE_SET
# ==========================================================================
# protect.rules.bot-blocker
# Use the following selection to configure if the
# agent blocks bots. Set to `true` to enable blocking.
# ==========================================================================
# bot-blocker:
# Set to `true` for the agent to block known bots.
# enable: false
# ==========================================================================
# protect.rules.sql-injection
# Use the following settings to configure the sql-injection rule.
# ==========================================================================
# sql-injection:
# Set the mode of the rule. Value options are
# `monitor`, `block`, `block_at_perimeter`, or `off`.
#
# Note - If a setting says, "if blocking is enabled",
# the setting can be `block` or `block_at_perimeter`.
#
# mode: off
# Tell the agent to detect when semantic analysis of the query
# reveals tautologies used in exfiltration attacks (e.g., "or
# 1=1" or "or 2<>3"). The agent blocks if blocking is enabled.
# detect_tautologies: false
# Tell the agent to detect when semantic analysis of the query
# reveals the invocation of dangerous functions typically used in
# weaponized exploits. The agent blocks if blocking is enabled.
# detect_dangerous_functions: false
# Tell the agent to detect when semantic analysis of the query
# reveals chained queries, which are uncommon in normal usage but
# common in exploits. The agent blocks if blocking is enabled.
# detect_chained_queries: false
# Tell the agent to detect when semantic analysis of the query
# reveals database queries are being made for system tables and
# sensitive information. The agent blocks if blocking is enabled.
# detect_suspicious_unions: false
# Tell the agent to be more aggressive in detecting user
# inputs as SQL comments. This enables the agent to better
# detect SQL Injection input vectors that use comments to
# terminate queries. The agent blocks if blocking is enabled.
# aggressive_comment: false
# ==========================================================================
# protect.rules.cmd-injection
# Use the following properties to configure
# how the command injection rule works.
# ==========================================================================
# cmd-injection:
# Set the mode of the rule. Value options are
# `monitor`, `block`, `block_at_perimeter`, or `off`.
#
# Note - If a setting says, "if blocking is enabled",
# the setting can be `block` or `block_at_perimeter`.
#
# mode: off
# Detect when the agent sees user parameters being executed as
# system commands. The agent blocks if blocking is enabled.
# detect_parameter_command_backdoors: true
# Detect when a system command is issued which contains
# chained commands. The agent blocks if blocking is enabled.
# detect_chained_commands: true
# Detect when a system command is issued with an argument matching a
# known dangerous file path. The agent blocks if blocking is enabled.
# detect_dangerous_path_args: true
# Tell the agent to detect when commands come directly
# from input. The agent blocks if blocking is enabled.
# detect_phased_commands: true
# ==========================================================================
# protect.rules.cmd-injection-process-hardening
# Use the following settings to configure whether
# the agent blocks all attempts to start an external
# process. To enable blocking, set to `true`.
# ==========================================================================
# cmd-injection-process-hardening:
# Set to `true` to enable the agent to block
# all attempts to start external processes.
# enable: false
# ==========================================================================
# protect.rules.path-traversal
# Use the following properties to configure
# how the path traversal rule works.
# ==========================================================================
# path-traversal:
# Set the mode of the rule. Value options are
# `monitor`, `block`, `block_at_perimeter`, or `off`.
#
# Note - If a setting says, "if blocking is enabled",
# the setting can be `block` or `block_at_perimeter`.
#
# mode: off
# Detect when custom code attempts to access sensitive
# system files. The agent blocks if blocking is enabled.
# detect_custom_code_accessing_system_files: true
# Detect when users attempt to bypass filters by
# using "::$DATA" channels or null bytes in file
# names. The agent blocks if blocking is enabled.
# detect_common_file_exploits: true
# ==========================================================================
# protect.rules.method-tampering
# Use the following properties to configure
# how the method tampering rule works.
# ==========================================================================
# method-tampering:
# Set the mode of the rule. Value options are
# `monitor`, `block`, `block_at_perimeter`, or `off`.
#
# Note - If a setting says, "if blocking is enabled",
# the setting can be `block` or `block_at_perimeter`.
#
# mode: off
# ==========================================================================
# protect.rules.reflected-xss
# Use the following properties to configure how
# the reflected cross-site scripting rule works.
# ==========================================================================
# reflected-xss:
# Set the mode of the rule. Value options are
# `monitor`, `block`, `block_at_perimeter`, or `off`.
#
# Note - If a setting says, "if blocking is enabled",
# the setting can be `block` or `block_at_perimeter`.
#
# mode: off
# ==========================================================================
# protect.rules.xxe
# Use the following properties to configure how
# the XML external entity (XXE) rule works.
# ==========================================================================
# xxe:
# Set the mode of the rule. Value options are
# `monitor`, `block`, `block_at_perimeter`, or `off`.
#
# Note - If a setting says, "if blocking is enabled",
# the setting can be `block` or `block_at_perimeter`.
#
# mode: off
# ==========================================================================
# protect.rules.padding-oracle
# Use the following properties to configure
# how the padding-oracle rule works.
# ==========================================================================
# padding-oracle: {}
# ==============================================================================
# application
# Use the properties in this section for
# the application(s) hosting this agent.
# ==============================================================================
# application:
# Override the reported application name.
#
# Note - On Java systems where multiple, distinct applications may be
# served by a single process, this configuration causes the agent to report
# all discovered applications as one application with the given name.
#
# name: NEEDS_TO_BE_SET
# Override the reported application path.
# path: NEEDS_TO_BE_SET
# Add the name of the application group with which this
# application should be associated in the Contrast UI.
# group: NEEDS_TO_BE_SET
# Add the application code this application should use in the Contrast UI.
# code: NEEDS_TO_BE_SET
# Override the reported application version.
# version: NEEDS_TO_BE_SET
# Apply labels to an application. Labels must
# be formatted as a comma-delimited list.
# Example - `label1,label2,label3`
#
# tags: NEEDS_TO_BE_SET
# Define a set of `key=value` pairs (which conforms to RFC 2253) for
# specifying user-defined metadata associated with the application. The
# set must be formatted as a comma-delimited list of `key=value` pairs.
# Example - `business-unit=accounting, office=Baltimore`
#
# metadata: NEEDS_TO_BE_SET
# Provide the ID of a session which already exists in the Contrast
# UI. Vulnerabilities discovered by the agent are associated with
# this session. If an invalid ID is supplied, the agent will be
# disabled. This option and `application.session_metadata` are
# mutually exclusive; if both are set, the agent will be disabled.
# session_id: NEEDS_TO_BE_SET
# Provide metadata which is used to create a new session ID in the
# Contrast UI. Vulnerabilities discovered by the agent are associated with
# this new session. This value should be formatted as `key=value` pairs
# (conforming to RFC 2253). Available key names for this configuration
# are branchName, buildNumber, commitHash, committer, gitTag, repository,
# testRun, and version. This option and `application.session_id` are
# mutually exclusive; if both are set the agent will be disabled.
# session_metadata: NEEDS_TO_BE_SET
# ==============================================================================
# server
# Use the settings in this section to set metadata for the server
# hosting this agent. Contrast recognizes common, supported server
# names, paths, types and environments. Doing this may require a new
# server or license, and it may affect functionality of some features.
# ==============================================================================
# server:
# Override the reported server name.
# name: localhost
# Override the reported server path.
# path: NEEDS_TO_BE_SET
# Override the reported server type.
# type: NEEDS_TO_BE_SET
# Set the environment directly to override the default set
# by the Contrast UI. This allows the user to configure the
# environment dynamically at startup rather than manually
# updating the Server in the Contrast UI themselves afterwards.
#
# Valid values include `QA`, `PRODUCTION` and `DEVELOPMENT`.
# For example, `PRODUCTION` registers this Server as
# running in a `PRODUCTION` environment, regardless of the
# organization's default environment in the Contrast UI.
#
# environment: NEEDS_TO_BE_SET
# Apply a list of labels to the server. Labels
# must be formatted as a comma-delimited list.
# Example - `label1,label2,label3`
#
# tags: NEEDS_TO_BE_SET
# Set to `false` to disable detection of cloud
# provider metadata such as resource identifiers.
# discover_cloud_resource: true