Shielda User Manual — Advanced Mode
For: Security engineers, DevSecOps, and technical users
Goal: Deep configuration, API usage, custom checks, and CI/CD integration
Last Updated: 2026-04-03
---
Table of Contents
- Advanced Scan Configuration
- Custom Checks
- Attack Paths & Dynamic Verification
- IDOR Scanning
- Remediation Campaigns
- API Inventory
- AI Safety Monitoring
- External Report Import
- CI/CD Integration
- Custom Instructions
- Webhook Configuration
- API Reference
- Storage & Log Sources
- Environment Map
- Vault (Org Memory)
---
Advanced Scan Configuration
Tool Management
Go to Dashboard → Tools to manage individual scanners and bundles.
Activating/Deactivating Bundles
Each bundle groups related tools for a specific security concern:
| Bundle | Tools | Use Case |
|---|---|---|
| AppSec Starter | Semgrep, Trivy, GitLeaks, Checkov, Grype | Core application security |
| K8s Hardening | Kubescape, Kube-bench | Kubernetes security posture |
| Supply Chain | Syft, Grype | Dependency and SBOM analysis |
| Network/DAST | Nmap, ZAP, Nuclei | Network recon + dynamic testing |
| AI Red Team | Garak, Promptfoo, LLM Guard | LLM vulnerability testing |
| AI Robustness | Counterfit, ART, TextAttack | ML model robustness testing |
Toggle bundles via PATCH /api/tools:
Individual Tool Configuration
Each tool in a bundle can be configured independently:
- Enable/disable specific tools within a bundle
- Set custom arguments or configuration files
- Adjust timeout and resource limits
Scan Targeting
When triggering a scan, you can target:
---
Custom Checks
Plan required: Pro or Business
Go to Dashboard → Custom Checks to define organization-specific security rules.
Creating Custom Checks
Custom checks let you enforce internal security policies that standard scanners don't cover:
1. Click Create Custom Check
2. Define:
   - Name: Human-readable rule name
   - Pattern: Regex or Semgrep rule pattern
   - Severity: How severe violations should be scored
   - Category: Which scanner category this belongs to
   - Description: What this check looks for and why
Use Cases
- "All API endpoints must validate Content-Type header"
- "No hardcoded URLs to production databases"
- "All Docker images must use specific base images"
- "No console.log statements in production code"
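To make the Name / Pattern / Severity / Category / Description fields above and the use cases concrete, here is a small regex-based check runner. It is an added example, not Shielda's engine: the `Check` and `Finding` classes, the `file_glob` field, the registry name `registry.example.internal` and the sample files are all constructed for the demonstration. It applies three checks modelled on the listed use cases to an in-memory file set and returns findings ordered by severity.

```python
import fnmatch
import re
from dataclasses import dataclass

# Illustrative regex-based custom-check runner (added example, not Shielda's
# engine). Check fields mirror the form fields named in the manual; file_glob
# is an assumption added so a rule can be limited to certain file types.

@dataclass(frozen=True)
class Check:
    name: str
    pattern: str          # regex applied line by line
    severity: str         # "critical", "high", "medium" or "low"
    category: str         # scanner category the rule belongs to
    description: str
    file_glob: str = "*"  # basename glob; "*" means every file

@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    path: str
    line: int
    excerpt: str

# Constructed checks modelled on the manual's use cases.
CHECKS = [
    Check("no-console-log", r"\bconsole\.log\s*\(", "low", "code-quality",
          "No console.log statements in production code", file_glob="*.js"),
    Check("no-prod-db-url", r"postgres(ql)?://[^\s'\"]*prod[^\s'\"]*", "high",
          "secrets", "No hardcoded URLs to production databases"),
    # registry.example.internal is a placeholder for the approved base registry
    Check("dockerfile-approved-base", r"^FROM\s+(?!registry\.example\.internal/)",
          "medium", "container", "All Docker images must use the approved base registry",
          file_glob="Dockerfile"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def run_checks(files, checks=CHECKS):
    """Apply every check to every file; return findings sorted by severity, then location."""
    findings = []
    for path, text in files.items():
        basename = path.rsplit("/", 1)[-1]
        for chk in checks:
            if not fnmatch.fnmatch(basename, chk.file_glob):
                continue
            rx = re.compile(chk.pattern)
            for lineno, line in enumerate(text.splitlines(), start=1):
                if rx.search(line):
                    findings.append(Finding(chk.name, chk.severity, path, lineno, line.strip()))
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.path, f.line))
    return findings

# Constructed sample repository contents.
SAMPLE_FILES = {
    "src/app.js": "const x = 1;\nconsole.log('debug', x);\n",
    "config/settings.py": "DB = 'postgresql://svc:pw@db-prod.example.internal:5432/app'\n",
    "Dockerfile": "FROM python:3.12-slim\nRUN pip install .\n",
    "docs/readme.md": "console.log is fine to mention in docs\n",
}

if __name__ == "__main__":
    for f in run_checks(SAMPLE_FILES):
        print(f"[{f.severity}] {f.check} {f.path}:{f.line}: {f.excerpt}")
```

The `file_glob` restriction is what keeps the `console.log` rule from firing on documentation; a pattern alone (as in a pure regex check) has no notion of file type, so scoping a rule to the files it is meant for is the main lever against noisy custom checks.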
---
Attack Paths & Dynamic Verification
Plan required: Pro or Business
Attack Paths
Go to Dashboard → Attack Paths to see how vulnerabilities chain together.
The AI Scout analyzes findings and maps:
- Entry points → how an attacker gets in
- Lateral movement → how they move through your system
- Blast radius → what's impacted if exploitation succeeds
- Kill chain → the full attack sequence
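The four concepts above are graph operations over findings. The following added example (not the AI Scout's algorithm; the asset names, finding ids and severities are constructed) models each finding as an edge "controlling asset A lets you reach asset B", then computes the blast radius from the entry points, enumerates kill chains to the crown-jewel assets, and goes one step beyond the text by identifying the findings that lie on every chain, which is the usual way to turn an attack path into a remediation priority.

```python
from collections import deque

# Illustrative attack-path model (added example, not the AI Scout's algorithm).
# Constructed findings: id -> (source asset, target asset, severity). An edge
# means a finding on the source lets an attacker who controls it reach the target.
FINDINGS = {
    "F1": ("internet", "web-frontend", "high"),
    "F2": ("web-frontend", "internal-api", "medium"),
    "F3": ("internal-api", "customer-db", "critical"),
    "F4": ("ci-runner", "artifact-store", "medium"),
    "F5": ("internal-api", "secrets-manager", "high"),
    "F6": ("secrets-manager", "cloud-account", "critical"),
}
ENTRY_POINTS = {"internet"}              # where an attacker gets in
CROWN_JEWELS = {"customer-db", "cloud-account"}  # assets whose compromise matters most

def build_graph(findings):
    """Adjacency list: asset -> [(reachable asset, finding id)]."""
    graph = {}
    for fid, (src, dst, _sev) in findings.items():
        graph.setdefault(src, []).append((dst, fid))
        graph.setdefault(dst, [])
    return graph

def blast_radius(graph, entry_points):
    """Every asset reachable from the entry points (breadth-first search)."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for nxt, _fid in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - set(entry_points)

def kill_chains(graph, entry_points, targets, max_depth=6):
    """All simple paths, as lists of finding ids, from an entry point to a target."""
    chains = []

    def dfs(node, path_fids, visited):
        if node in targets and path_fids:
            chains.append(list(path_fids))   # lateral movement sequence ends at a target
            return
        if len(path_fids) >= max_depth:
            return
        for nxt, fid in graph.get(node, []):
            if nxt not in visited:
                dfs(nxt, path_fids + [fid], visited | {nxt})

    for ep in sorted(entry_points):
        dfs(ep, [], {ep})
    return chains

def choke_points(chains):
    """Findings present in every chain: fixing any one of them cuts all paths to the targets."""
    if not chains:
        return set()
    common = set(chains[0])
    for chain in chains[1:]:
        common &= set(chain)
    return common

if __name__ == "__main__":
    g = build_graph(FINDINGS)
    print("blast radius:", sorted(blast_radius(g, ENTRY_POINTS)))
    chains = kill_chains(g, ENTRY_POINTS, CROWN_JEWELS)
    for c in chains:
        print("kill chain:", " -> ".join(c))
    print("choke points:", sorted(choke_points(chains)))
```

Note what the graph says that a flat severity list does not: F4 is "medium" on a CI runner but sits on no path from an entry point, while F2, also "medium", is on every chain to both crown jewels. Attack-path analysis reorders the backlog by reachability and position in the chain, not by per-finding severity alone.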
Dynamic Verification
Go to Dashboard → Verification to validate whether findings are actually exploitable.
The Verification Engine:
- Takes a finding and its fix proposal
- Sets up a safe test environment
- Attempts to reproduce the vulnerability
- Reports: Exploitable, Not Exploitable, or Inconclusive
This eliminates false positives with proof.
---
IDOR Scanning
Plan required: Pro or Business
Go to Dashboard → IDOR (accessible via API Inventory).
IDOR (Insecure Direct Object Reference) scanning:
- Discovers API endpoints from your environment
- Generates test cases with different user contexts
- Attempts unauthorized access to resources belonging to other users
- Reports confirmed IDOR vulnerabilities
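The test-case generation and confirmation steps above, as an added example that is not Shielda's scanner. The "API" is an in-memory stand-in with constructed users and documents so it runs offline: one handler looks objects up by id alone (the IDOR pattern), the other enforces object-level authorization, and the harness replays every (user, document) pair against a handler, expecting 200 only for the owner and reporting each cross-user read it confirms.

```python
from dataclasses import dataclass

# Illustrative IDOR test harness (added example, not Shielda's scanner).
# Request, DOCUMENTS and both handlers are constructed stand-ins for an API.

@dataclass(frozen=True)
class Request:
    user_id: str   # authenticated caller, stand-in for a session or token
    doc_id: int    # object id taken from the URL

# Constructed data: each document belongs to exactly one user.
DOCUMENTS = {
    101: {"owner": "alice", "title": "alice-invoice"},
    102: {"owner": "bob", "title": "bob-invoice"},
    103: {"owner": "carol", "title": "carol-invoice"},
}

def get_document_vulnerable(req, documents=DOCUMENTS):
    """Looks up by id only: any authenticated user can read any document (IDOR)."""
    doc = documents.get(req.doc_id)
    return (200, doc) if doc else (404, None)

def get_document_fixed(req, documents=DOCUMENTS):
    """Object-level authorization: the caller must own the document."""
    doc = documents.get(req.doc_id)
    if doc is None or doc["owner"] != req.user_id:
        # Same response for missing and forbidden, so ids cannot be enumerated
        return (404, None)
    return (200, doc)

def idor_test_cases(documents, users):
    """One case per (user, document) pair; expected status is 200 only for the owner."""
    cases = []
    for doc_id, doc in sorted(documents.items()):
        for user in users:
            cases.append((user, doc_id, 200 if doc["owner"] == user else 404))
    return cases

def run_idor_check(handler, documents=DOCUMENTS):
    """Replay every case against the handler; return the confirmed cross-user reads."""
    users = sorted({d["owner"] for d in documents.values()})
    confirmed = []
    for user, doc_id, expected in idor_test_cases(documents, users):
        status, _body = handler(Request(user, doc_id), documents)
        if expected == 404 and status == 200:
            confirmed.append({"as_user": user, "doc_id": doc_id,
                              "owner": documents[doc_id]["owner"]})
    return confirmed

if __name__ == "__main__":
    for name, handler in [("vulnerable", get_document_vulnerable),
                          ("fixed", get_document_fixed)]:
        hits = run_idor_check(handler)
        print(f"{name}: {len(hits)} confirmed IDOR case(s)")
        for h in hits:
            print(f"  user {h['as_user']} read doc {h['doc_id']} owned by {h['owner']}")
```

A confirmed case is one where a non-owner context received the owner's response; that is the "confirmed IDOR" the scanner reports, as opposed to a finding inferred from the endpoint's shape alone. The fixed handler returns the same 404 for "missing" and "not yours", which is the usual choice so that the status code does not reveal which ids exist.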