Scan profiles and templates
How WASViking selects which analyzers run, and how to lock a baseline your whole team uses.
A scan profile picks which analyzers run, which protocol coverage is on, which compliance catalog is primary, and which payload class settings apply. A scan template locks a profile plus its configuration so every team member runs the same baseline.
Built-in scan profiles
WASViking® ships six profiles. Pick the one that matches the
application, or pick full if you are not sure.
| Profile | Use case | Primary compliance catalog |
|---|---|---|
| full | Default. All analyzers enabled. | Driven by industry signal. |
| web_app | Classic web application. Skips API-specific analyzers. | OWASP Top 10 + ISO 27001. |
| api_jwt | REST API with JWT auth. JWT advanced analyzer active. | OWASP API Security + ISO 27001. |
| soap | SOAP / WSDL service. WSDL parser and SOAP-context analyzers active. | BACEN for BR financial; ISO 27001 otherwise. |
| network | Sensitive port and subdomain monitoring, SSL/TLS scan. | ISO 27001 + PCI infrastructure. |
| custom | Operator-defined via analyzer_toggles. | Operator-defined. |
The profile choice also drives:
- Compliance primary catalog. Renders first in the PDF and the portal Compliance tab.
- AI prompt context. The AI Recommendation favors the right framework vocabulary.
- analyzer_toggles gating. Disabled analyzers are skipped even if the catalog lists them.
Subdomain coverage
Subdomain coverage is independent of the scan profile. A target with
wildcard coverage expands to discovered subdomains; a single-host target
does not. Wildcard coverage runs through the Target Discovery Engine to
enumerate the surface.
Scan templates
A template is a saved profile plus configuration. Templates make scans reproducible across the team.
A template captures:
- Scan profile (full, web_app, etc.).
- Analyzer toggles (override the profile).
- Auth mode and stored credentials reference.
- Scope (subdomain coverage, allow-list, deny-list).
- Schedule (one-shot or recurring).
- SLA overrides per severity (if any).
Templates have:
- Versioning. Every edit creates a new version. The previous version stays referenceable in scan history.
- Lock. Locked templates cannot be edited until they are unlocked, which protects baselines.
- Bulk apply. Apply a template to a group of targets in one action.
- History and restore. Revert to a previous version.
- Export and import. Move a template between organizations. Secrets are stripped on export.
Built-in templates
WASViking seeds six system templates:
| Template | Profile | Notes |
|---|---|---|
| Quick web scan | web_app | Fast feedback for development. |
| Full external | full | Default for production-grade external scans. |
| REST API + JWT | api_jwt | OpenAPI ingest + JWT advanced. |
| SOAP / WSDL | soap | WSDL parser + SOAP-context analyzers. |
| Network surface | network | Sensitive ports + SSL/TLS. |
| Compliance pass | full | Compliance-first, longer evidence capture. |
You can clone any system template to start your own, or build one from scratch.
CI/CD usage
The Sentinel CI gate accepts an org-scoped template slug. The server resolves the template, so secrets never reach the runner. The exit code is 70 if the template is not found and 71 if it is forbidden.
See the Sentinel agent section for the full CI integration recipe.
