APK Scanner

Configuration

How to configure the APK Scanner using configuration files.

Overview

To specify the default behavior of the APK Scanner (optional) configuration files can be provided.

If there are matching config options and command line parameters, the command line parameters override the specified config options.

To view the current in use configuration, you can use the config show command or view the configuration files in the source code.

CLI (`apkscanner-cli.yaml`)

apkscanner-cli_sample.yaml

verbose: false
quiet: false

apkscanner_config_file_path: "apkscanner.yaml"

console_output:
  enable_rich_output: true

scan_apk:
  verbose_all: false
  verbose_generic: false
  verbose_apk_info: false
  verbose_detected_libraries: true
  verbose_permissions: true
  verbose_signature_apksig: false
  verbose_signature_certificate: false
  verbose_signing_block: false

  store_as_json: "no"
  json_exclude_defaults: false
  json_output_directory: ""
  json_output_subdirectory: false
  json_output_with_apk: false

View the recent sample configuration.

quiet

boolean

Default to false - Do not print any program output (where possible).

Defaults to false

verbose

boolean

Default to false - Print additional verbose output; ignored when quiet is enabled.

Defaults to false

apkscanner_config_file_path

string

Path (absolute/relative) to the apkscanner-cli.yaml, containing APK Scanner configuration.

Defaults to apkscanner.yaml

`console_output`

enable_rich_output

boolean

Whether output should be rich, e.g.: bold, with color, etc.

Defaults to true

`scan_apk`

verbose_all

boolean

Enable all verbose prints when true, otherwise respect the other scoped verbose_* options.

Defaults to false

verbose_generic

boolean

Print generic information, such as information about the scan itself, e.g.: scan date, time, etc.

Defaults to false

verbose_apk_info

boolean

Print additional apk information, such as file name, sha256sum of file, etc.

Defaults to false

verbose_detected_libraries

boolean

Print full information of detected libraries.

Defaults to true

verbose_permissions

boolean

Print full information about requested permissions.

Defaults to true

verbose_signature_apksig

boolean

Print full information about the apksig signature verification.

Defaults to false

verbose_signature_certificate

boolean

Print full information about the certificate during signature verification, e.g.: issuer and subject principals, public key hashes, etc.

Defaults to false

verbose_signing_block

boolean

Print full information about signing blocks, e.g.: all ok blocks, dangerous blocks which were checked but not found, etc.

Defaults to false

store_as_json

no|yes|pretty

Store output result as json file.

Defaults to no
Supported values:
- no
  - Do not store scan output as json file.
- Yes
  - Store scan output as minified json file.
- pretty
  - Store scan output as json file with human readable formatting.

json_exclude_defaults

boolean

Exclude default values when storing the scan result as json file.

While this may result in smaller json files, the resulting json files may be interpreted differently by consumers.

Defaults to false

json_output_directory

path

A directory where the scan output should be stored. The directory will be created, if it does not already exist.

Specifying an empty location will use the current working directory.

Defaults to ""

json_output_subdirectory

boolean

Store the scan output in a subdirectory within the output directory.

Defaults to false

json_output_with_apk

boolean

Store the scan output next to the APK file(s) (suffixed with '.json') instead of writing to a file within the specified output directory.

Defaults to false

APK Scanner (`apkscanner.yaml`)

apkscanner_sample.yaml

data:
  use_default_data: true
  certificate_denylist_path: ""
  certificate_denylist_export_path: "export/certificate_denylist.json"
  library_definition_path: ""
  library_definition_export_path: "export/libsmali.jsonl"
  library_information_path: ""
  library_information_export_path: "export/libinfo.jsonl"
  manifest_config_path: ""
  manifest_config_export_path: "export/manifest_config.json"
database:
  debug: false
  type: "none"
  mode: "default"
  path: "apkscanner"
scan:
  apk_reported_path_type: "default"

View the recent sample configuration.

`data`

use_default_data

boolean

Use bundled data for empty paths. This is useful, if you do not plan to use your own data and instead want to use what is coming with APK Scanner by default.

Defaults to true

certificate_denylist_path

path

Path to a JSON file, containing certificate definitions to be used for the deny list.

Defaults to ""
View sample file

certificate_denylist_export_path

path

Path to a file, where certificate export results should be exported to.

Defaults to "export/certificate_denylist.json"

library_definition_path

path

Path to a JSON Lines file, containing library definitions to be used by the library scanner.

Defaults to ""
View sample file

library_definition_export_path

path

Path to a file, where library definition export results should be exported to.

Defaults to "export/libsmali.jsonl"

library_information_path

path

Path to a JSON Lines file, containing library information to be used by the library scanner.

Defaults to ""
View sample file

library_information_export_path

path

Path to a file, where library information export results should be exported to.

Defaults to "export/libinfo.jsonl"

manifest_config_path

path

Path to a JSON file, containing manifest configurations to be used by the manifest scanner.

Default to ""
View sample file

manifest_config_export_path

path

Path to a file, where manifest export results should be exported to.

Defaults to "export/manifest_config.json"

`database`

debug

boolean

Print debug output for database transactions.

Defaults to false

type

string

The type of database to use.

Defaults to none
Supported values:
- none
  - This disables database usage.
- h2

mode

string

The mode to run the database in, if supported by the database type.

Defaults to default
Supported values (other than default):
- For h2
  - memory - Run the database in memory mode, destroying the database after the application exits.

path

Path to the database, if supported by the database type.

Default to apkscanner

`scan`

apk_reported_path_type

string

Print debug output for database transactions.

Defaults to default
Supported values:
- absolute: use absolute path of the file, e.g.: /opt/repo/file.apk.
- filename: use file name only, e.g.: file.apk.
- relative: use relative path from current working directory to the file, e.g.: repo/file.apk.
- default: use current default (filename).

Usage

How to use APK Scanner.

General

An overview of general options for every APK Scanner command.