
Configuration

app.env (located in deploy directory) controls the behaviour of your SysReptor installation.

After making changes, go to sysreptor/deploy and restart the containers:

docker compose up -d

Cloud: We take care of all configurations. If you want to change anything, please contact us.

Available Options

Self-Hosted

Django Secret Key

Django server secret key (see https://docs.djangoproject.com/en/4.1/ref/settings/#std-setting-SECRET_KEY). Make sure this key remains secret.

Generate random secret key:
printf "SECRET_KEY=$(openssl rand -base64 64 | tr -d '\n=')\n"
Example (regenerate this value!):
SECRET_KEY="TODO-change-me-Z6cuMithzO0fMn3ZqJ7nTg0YJznoHiJXoJCNngQM4Kqzzd3fiYKdVx9ZidvTzqsm"

Data Encryption at Rest

Encrypt data at rest by configuring an encryption key. This encrypts sensitive data in your database and all files uploaded to your notes (including images).

Database and file storage administrators cannot read encrypted data, because the key is held only by the web application (in app.env). Encryption at rest does not protect against an attacker who has access to the web server, since the key is available there.

Exactly one key, selected by DEFAULT_ENCRYPTION_KEY_ID, is used to encrypt new data. To rotate keys, keep the old key in ENCRYPTION_KEYS and add the new one, then point DEFAULT_ENCRYPTION_KEY_ID at the new key. All keys listed in ENCRYPTION_KEYS remain available for decrypting stored data, so do not remove a key while data encrypted under it still exists.

Note that the DEFAULT_ENCRYPTION_KEY_ID must be part of ENCRYPTION_KEYS.

Generate random encryption keys:
KEY_ID=$(uuidgen) && printf "ENCRYPTION_KEYS=[{\"id\": \"${KEY_ID}\", \"key\": \"$(openssl rand -base64 32)\", \"cipher\": \"AES-GCM\", \"revoked\": false}]\nDEFAULT_ENCRYPTION_KEY_ID=\"${KEY_ID}\"\n"
Example (regenerate these values!):
ENCRYPTION_KEYS='[{"id": "TODO-change-me-unique-key-id-5cdda4c0-a16c-4ae2-8a16-aa2ff258530d", "key": "256 bit (32 byte) base64 encoded AES key", "cipher": "AES-GCM", "revoked": false}]'
DEFAULT_ENCRYPTION_KEY_ID="TODO-change-me-unique-key-id-5cdda4c0-a16c-4ae2-8a16-aa2ff258530d"
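The rotation workflow described above (append a new key, keep the old one so stored data still decrypts, point DEFAULT_ENCRYPTION_KEY_ID at the new key) as an added Python example. This is not SysReptor's own code: it only produces the two app.env values and checks the invariants the page states (default ID present in the list, 256-bit base64 AES-GCM keys); it does not re-encrypt data already stored under the old key. The function and constant names are mine, and the starting key list is constructed for the demo.

```python
from __future__ import annotations

import base64
import binascii
import json
import secrets
import uuid

# Constructed starting point for the demo: one existing key with a fixed,
# obviously non-random value. Never use this in a real deployment.
EXAMPLE_KEYS_JSON = json.dumps([{
    "id": "example-old-key",
    "key": base64.b64encode(b"\x01" * 32).decode("ascii"),
    "cipher": "AES-GCM",
    "revoked": False,
}])


def encryption_key_problems(keys_json: str, default_id: str) -> list[str]:
    """Check the invariants from the configuration page: DEFAULT_ENCRYPTION_KEY_ID
    must name an entry of ENCRYPTION_KEYS, and every entry needs a 256-bit (32-byte)
    base64-encoded AES-GCM key. Returns a list of findings; empty means OK."""
    problems = []
    try:
        keys = json.loads(keys_json)
    except ValueError:
        return ["ENCRYPTION_KEYS is not valid JSON"]
    if not isinstance(keys, list) or not keys:
        return ["ENCRYPTION_KEYS must be a non-empty JSON list"]
    seen = set()
    for entry in keys:
        if not isinstance(entry, dict) or any(f not in entry for f in ("id", "key", "cipher", "revoked")):
            problems.append(f"entry {entry!r} lacks one of id/key/cipher/revoked")
            continue
        if entry["id"] in seen:
            problems.append(f"duplicate key id {entry['id']!r}")
        seen.add(entry["id"])
        if entry["cipher"] != "AES-GCM":
            problems.append(f"key {entry['id']!r}: unsupported cipher {entry['cipher']!r}")
        try:
            raw = base64.b64decode(entry["key"], validate=True)
        except binascii.Error:
            # Catches the page's placeholder text as well as hand-edited typos.
            problems.append(f"key {entry['id']!r}: key material is not valid base64")
            continue
        if len(raw) != 32:
            problems.append(f"key {entry['id']!r}: {len(raw) * 8}-bit key, expected 256")
    default = [k for k in keys if isinstance(k, dict) and k.get("id") == default_id]
    if not default:
        problems.append("DEFAULT_ENCRYPTION_KEY_ID is not part of ENCRYPTION_KEYS")
    elif default[0].get("revoked"):
        problems.append("DEFAULT_ENCRYPTION_KEY_ID names a revoked key; it cannot encrypt new data")
    return problems


def rotate_encryption_key(keys_json: str) -> tuple[str, str]:
    """Append a fresh random key and return (new ENCRYPTION_KEYS JSON, new default id).
    Existing keys stay in the list unrevoked so data encrypted under them still
    decrypts; nothing here re-encrypts old data."""
    keys = json.loads(keys_json) if keys_json.strip() else []
    new_id = str(uuid.uuid4())
    new_key = base64.b64encode(secrets.token_bytes(32)).decode("ascii")
    keys.append({"id": new_id, "key": new_key, "cipher": "AES-GCM", "revoked": False})
    new_json = json.dumps(keys)
    problems = encryption_key_problems(new_json, new_id)
    if problems:
        raise ValueError("; ".join(problems))
    return new_json, new_id


def render_env_lines(keys_json: str, default_id: str) -> str:
    """Format the two app.env lines. Single quotes around the JSON keep its
    double quotes intact, matching the page's own example."""
    return f"ENCRYPTION_KEYS='{keys_json}'\nDEFAULT_ENCRYPTION_KEY_ID=\"{default_id}\"\n"


if __name__ == "__main__":
    rotated_json, rotated_id = rotate_encryption_key(EXAMPLE_KEYS_JSON)
    print(render_env_lines(rotated_json, rotated_id))
```

Paste the printed lines over the existing ENCRYPTION_KEYS and DEFAULT_ENCRYPTION_KEY_ID entries in app.env and restart the containers. Only set "revoked": true on the old key once nothing encrypted under it remains; the check above refuses a revoked key as the default.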

Debug mode

Debug mode enables Django's debug toolbar and stack traces. Do not use debug mode in production environments.

Example:
DEBUG=off

Allowed Hosts

Comma-separated allowed hostnames/domain names for this installation.

Example:
ALLOWED_HOSTS="sysreptor.example.com,sysreptor.example.local"

FIDO2/WebAuthn

If you want to use FIDO2/WebAuthn for MFA, you have to define the hostname (WebAuthn Relying Party ID) of your installation.

Example:
MFA_FIDO2_RP_ID="sysreptor.example.com"

License Key

Pro only

License key for SysReptor Professional.

Example:
LICENSE="your-license-key"

Single Sign-On (SSO)

Pro only

Configuration for SSO via OIDC. Find detailed instructions at https://docs.sysreptor.com/setup/oidc-setup/.

OIDC example:
OIDC_AZURE_TENANT_ID="azure-tenant-id"
OIDC_AZURE_CLIENT_ID="azure-client-id"
OIDC_AZURE_CLIENT_SECRET="azure-client-secret"

OIDC_GOOGLE_CLIENT_ID="google-client-id"
OIDC_GOOGLE_CLIENT_SECRET="google-client-secret"

If your reverse proxy enforces authentication and passes the username in an HTTP header, use the following settings to enable SSO. Only enable this if the proxy overwrites or strips that header on every incoming request and SysReptor is reachable only through the proxy; otherwise any client can set the header itself and log in as an arbitrary user.

Remote-User example
REMOTE_USER_AUTH_ENABLED=true
REMOTE_USER_AUTH_HEADER="Remote-User"

By default, users can choose whether to log in via SSO or via username/password. Login via username/password can be disabled. Make sure all users have SSO identities configured before enabling this option; otherwise they will be locked out.

Disable username/password authentication example
LOCAL_USER_AUTH_ENABLED=false

Configuration of the default authentication provider when multiple authentication providers are enabled (e.g. OIDC via Azure AD and username/password). This setting will redirect users to the default authentication provider, skipping the selection. Other authentication providers can still be used if login via the default provider fails.

Possible values: azure, google, remoteuser, local (username/password authentication)

Default authentication provider example
DEFAULT_AUTH_PROVIDER="azure"
DEFAULT_REAUTH_PROVIDER="local"

Spell Check

Pro only

You can add words to the spell check dictionary in the markdown editor (see https://docs.sysreptor.com/reporting/spell-check/).

By default, words are added to a global spell check dictionary that is available to all users. Set this setting to true if words should instead be added to each user's personal spell check dictionary.

Using both global and personal dictionaries at the same time is not possible. Words of personal dictionaries are not shared between users. If one user adds an unknown word to their personal dictionary, the spell checker will still detect an error for other users, even when they are working in the same project or finding.

Spell check dictionary configuration
SPELLCHECK_DICTIONARY_PER_USER=false

The picky mode enables additional spell check rules.

It is also possible to selectively enable and disable rules or rule-categories by passing a LanguageTool configuration as JSON. See https://languagetool.org/http-api/ for available options on the /check request. See https://community.languagetool.org/rule/list for available rules (note: rule IDs might differ for languages).

Spell check rule configuration
SPELLCHECK_MODE_PICKY=true
SPELLCHECK_LANGUAGETOOL_CONFIG='{"disabledRules": "TODO,TO_DO_HYPHEN,PASSIVE_VOICE,PASSIVE_SENTENCE_DE"}'

Languages

Configure which languages are available in the language selection. By default all languages are shown. When this setting is configured, only selected languages are shown. All other languages are hidden.

This setting also defines the order of languages in the selection. The first language is used as default.

Example:
PREFERRED_LANGUAGES="de-DE,en-US"

Archiving

Pro only

Archived projects require at least ARCHIVING_THRESHOLD number of users to restore the archive (see https://docs.sysreptor.com/reporting/archiving/). By default two users are required, enforcing a 4-eye principle. If ARCHIVING_THRESHOLD=1 every user is able to restore archived projects on their own, disabling the 4-eye principle. Changing this setting does not affect previously archived projects.

Example:
ARCHIVING_THRESHOLD=2

The process of archiving finished projects and deleting old archives can be automated by following settings. The values are time spans in days.

Example:
# Automatically archive finished projects after 3 months
AUTOMATICALLY_ARCHIVE_PROJECTS_AFTER=90
# Automatically delete archived projects after 2 years
AUTOMATICALLY_DELETE_ARCHIVED_PROJECTS_AFTER=730

Private Designs

Users without Designer permission can create and edit private designs that cannot be read or used by other users. If a pentest project is created using a private design, a copy of the private design becomes accessible by project members. Use this setting to enable private designs.

Example:
ENABLE_PRIVATE_DESIGNS=true

Guest Users

Restrict capabilities of guest users.

Example:
GUEST_USERS_CAN_CREATE_PROJECTS=True
GUEST_USERS_CAN_IMPORT_PROJECTS=False
GUEST_USERS_CAN_EDIT_PROJECTS=True
GUEST_USERS_CAN_UPDATE_PROJECT_SETTINGS=True
GUEST_USERS_CAN_DELETE_PROJECTS=True
GUEST_USERS_CAN_SEE_ALL_USERS=False

S3 Storage

Uploaded files and images can be stored in an S3 bucket. Files are stored on the filesystem in a docker volume by default. If data at rest encryption is configured, all uploaded files (incl. images) are encrypted.

The DEFAULT_S3_* settings apply to all file storages. Individual storages can override them with their own settings, as shown in the per-storage blocks below.

Global storage configuration: store everything in S3 bucket
DEFAULT_STORAGE="s3"  # Default: "filesystem"
DEFAULT_S3_ACCESS_KEY="access-key"
DEFAULT_S3_SECRET_KEY="secret-key"
DEFAULT_S3_SESSION_TOKEN="session-token"  # optional
DEFAULT_S3_BUCKET_NAME="bucket-name"
DEFAULT_S3_ENDPOINT_URL="endpoint-url"
Uploaded file storage configuration
UPLOADED_FILE_STORAGE="s3"  # Default: "filesystem"
UPLOADED_FILE_S3_ACCESS_KEY="access-key"
UPLOADED_FILE_S3_SECRET_KEY="secret-key"
UPLOADED_FILE_S3_SESSION_TOKEN="session-token"  # optional
UPLOADED_FILE_S3_BUCKET_NAME="bucket-name"
UPLOADED_FILE_S3_ENDPOINT_URL="endpoint-url"
UPLOADED_FILE_LOCATION="uploadedfiles"
Uploaded image storage configuration
UPLOADED_IMAGE_STORAGE="s3"  # Default: "filesystem"
UPLOADED_IMAGE_S3_ACCESS_KEY="access-key"
UPLOADED_IMAGE_S3_SECRET_KEY="secret-key"
UPLOADED_IMAGE_S3_SESSION_TOKEN="session-token"  # optional
UPLOADED_IMAGE_S3_BUCKET_NAME="bucket-name"
UPLOADED_IMAGE_S3_ENDPOINT_URL="endpoint-url"
UPLOADED_IMAGE_LOCATION="uploadedimages"
Uploaded asset storage configuration
UPLOADED_ASSET_STORAGE="s3"  # Default: "filesystem"
UPLOADED_ASSET_S3_ACCESS_KEY="access-key"
UPLOADED_ASSET_S3_SECRET_KEY="secret-key"
UPLOADED_ASSET_S3_SESSION_TOKEN="session-token"  # optional
UPLOADED_ASSET_S3_BUCKET_NAME="bucket-name"
UPLOADED_ASSET_S3_ENDPOINT_URL="endpoint-url"
UPLOADED_ASSET_LOCATION="uploadedasset"

Archived project files can also be uploaded to an S3 bucket. Archives are stored on the filesystem in a docker volume by default.

Archived file storage configuration
ARCHIVED_FILE_STORAGE="s3"  # Default: "filesystem"
ARCHIVED_FILE_S3_ACCESS_KEY="access-key"
ARCHIVED_FILE_S3_SECRET_KEY="secret-key"
ARCHIVED_FILE_S3_SESSION_TOKEN="session-token"  # optional
ARCHIVED_FILE_S3_BUCKET_NAME="bucket-name"
ARCHIVED_FILE_S3_ENDPOINT_URL="endpoint-url"
ARCHIVED_FILE_LOCATION="archivedfiles"

Backup Key

Pro only

The backup key is used for creating backups via the web interface or the REST API. The key should be random and must have 20 or more characters.
Make sure this key remains secret.

Generate random backup key:
printf "BACKUP_KEY=$(openssl rand -base64 25 | tr -d '\n=')\n"
Example (do not use this value!):
BACKUP_KEY="WfyqYzRVZAOFbCtltYEFN36XBzRz6Ys6ZA"

Compress Images

Uploaded images are compressed to reduce file size while retaining quality suitable for PDF output. Use this setting to disable image compression.

Example:
COMPRESS_IMAGES=false

PDF Rendering

PDFs are compressed via ghostscript when generating the final report (not in previews). PDF compression reduces the file size, but can lead to quality loss of images and differences between the preview and the final PDF. PDF compression is enabled by default. Disable PDF compression using this setting.

Example:
COMPRESS_PDFS=false

SysReptor limits the rendering time a PDF can take. If the rendering time exceeds the limit, the PDF render task is aborted. The default limit is 300 seconds (5 minutes). If you experience slow PDF rendering, try to optimize your design before increasing the limit.

Example:
PDF_RENDERING_TIME_LIMIT=300

Reverse Proxy

Interpret X-Forwarded-* headers when SysReptor is behind a reverse proxy. Enable these only when your reverse proxy sets those headers on every request; if they are enabled without such a proxy, a client can supply the headers itself. See also https://docs.djangoproject.com/en/stable/ref/settings/#use-x-forwarded-host

USE_X_FORWARDED_HOST=on
USE_X_FORWARDED_PORT=on

When SysReptor is accessible via HTTPS (recommended), use the following setting to redirect all HTTP requests to HTTPS. This flag also sets the Secure flag on cookies.

SECURE_SSL_REDIRECT=on
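Several settings on this page carry constraints that are easy to get wrong when editing app.env by hand: a placeholder SECRET_KEY, DEBUG left on, an MFA_FIDO2_RP_ID that does not match any entry of ALLOWED_HOSTS, a BACKUP_KEY under 20 characters, a DEFAULT_ENCRYPTION_KEY_ID that is not in ENCRYPTION_KEYS, LOCAL_USER_AUTH_ENABLED=false with no SSO provider configured, ARCHIVING_THRESHOLD=1, or SECURE_SSL_REDIRECT left off. The following pre-deployment lint is an added Python example, not part of SysReptor: it parses an app.env file and reports those problems before the containers are restarted. The parser, the check names and the 50-character minimum for SECRET_KEY (Django's own deployment check) are my choices; the two sample files are constructed for the demo.

```python
from __future__ import annotations

import json
import re

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample with deliberate mistakes; not a real deployment's file.
BAD_ENV = """\
SECRET_KEY="TODO-change-me"
DEBUG=on
ALLOWED_HOSTS="sysreptor.example.com"
MFA_FIDO2_RP_ID="reports.example.com"
BACKUP_KEY="tooshort"
LOCAL_USER_AUTH_ENABLED=false
"""

# Constructed sample that passes every check (values are placeholders, not real secrets).
GOOD_ENV = """\
SECRET_KEY="constructed-example-secret-key-do-not-reuse-0123456789abcdefghij"
DEBUG=off
ALLOWED_HOSTS="sysreptor.example.com,sysreptor.example.local"
MFA_FIDO2_RP_ID="sysreptor.example.com"
BACKUP_KEY="constructed-backup-key-0123456789"
ENCRYPTION_KEYS='[{"id": "k1", "key": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "cipher": "AES-GCM", "revoked": false}]'
DEFAULT_ENCRYPTION_KEY_ID="k1"
OIDC_AZURE_CLIENT_ID="azure-client-id"
LOCAL_USER_AUTH_ENABLED=false
DEFAULT_AUTH_PROVIDER="azure"
SECURE_SSL_REDIRECT=on
DEFAULT_STORAGE="s3"  # Default: "filesystem"
"""


def parse_env(text: str) -> dict[str, str]:
    """Minimal app.env parser: KEY=VALUE per line, blank lines and '#' comments
    ignored, one layer of matching quotes stripped, trailing comments dropped."""
    env = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m or raw.lstrip().startswith("#"):
            continue
        key, value = m.groups()
        if value[:1] in ("'", '"'):
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split("#", 1)[0].strip()
        env[key] = value
    return env


def is_on(value) -> bool:
    """Boolean parsing for the on/off, true/false, 1/0 spellings used on this page."""
    return (value or "").strip().lower() in {"on", "true", "1", "yes"}


def lint_app_env(text: str) -> list[str]:
    """Return a list of findings for an app.env file; an empty list means all checks passed."""
    env = parse_env(text)
    problems = []
    secret = env.get("SECRET_KEY", "")
    if len(secret) < 50 or secret.startswith("TODO"):
        problems.append("SECRET_KEY: missing, placeholder, or shorter than 50 characters")
    if is_on(env.get("DEBUG")):
        problems.append("DEBUG: must be off in production")
    hosts = [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts:
        problems.append("ALLOWED_HOSTS: must list the hostnames the instance is served under")
    elif "*" in hosts:
        problems.append("ALLOWED_HOSTS: wildcard '*' accepts any Host header")
    rp_id = env.get("MFA_FIDO2_RP_ID")
    # WebAuthn requires the RP ID to be the site's host or a parent domain of it.
    if rp_id and not any(h == rp_id or h.endswith("." + rp_id) for h in hosts):
        problems.append("MFA_FIDO2_RP_ID: must equal an allowed host or be a parent domain of one")
    backup = env.get("BACKUP_KEY")
    if backup is not None and len(backup) < 20:
        problems.append("BACKUP_KEY: must have 20 or more characters")
    keys_json, default_id = env.get("ENCRYPTION_KEYS"), env.get("DEFAULT_ENCRYPTION_KEY_ID")
    if keys_json or default_id:
        try:
            ids = {k["id"] for k in json.loads(keys_json or "[]")}
        except (ValueError, KeyError, TypeError):
            ids = set()
            problems.append("ENCRYPTION_KEYS: not a JSON list of key objects")
        if default_id not in ids:
            problems.append("DEFAULT_ENCRYPTION_KEY_ID: must be the id of an entry in ENCRYPTION_KEYS")
    sso = any(env.get(k) for k in ("OIDC_AZURE_CLIENT_ID", "OIDC_GOOGLE_CLIENT_ID")) \
        or is_on(env.get("REMOTE_USER_AUTH_ENABLED"))
    if "LOCAL_USER_AUTH_ENABLED" in env and not is_on(env["LOCAL_USER_AUTH_ENABLED"]) and not sso:
        problems.append("LOCAL_USER_AUTH_ENABLED=false with no SSO provider configured locks everyone out")
    provider = env.get("DEFAULT_AUTH_PROVIDER")
    if provider and provider not in {"azure", "google", "remoteuser", "local"}:
        problems.append(f"DEFAULT_AUTH_PROVIDER: unknown value {provider!r}")
    if env.get("ARCHIVING_THRESHOLD", "2").strip() == "1":
        problems.append("ARCHIVING_THRESHOLD=1 disables the 4-eye principle for restoring archives")
    if not is_on(env.get("SECURE_SSL_REDIRECT")):
        problems.append("SECURE_SSL_REDIRECT: not enabled; HTTP is not redirected and cookies lack the Secure flag")
    return problems


if __name__ == "__main__":
    for name, sample in (("BAD_ENV", BAD_ENV), ("GOOD_ENV", GOOD_ENV)):
        findings = lint_app_env(sample)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

To run it against a real file, replace the samples with `lint_app_env(open("sysreptor/deploy/app.env").read())`; a non-empty result is a reason not to run `docker compose up -d` yet.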

Proxy Server

Set the proxy variables HTTP_PROXY and HTTPS_PROXY to allow outbound connections using a proxy server.

Example:
HTTP_PROXY="http://192.168.0.111:8080"
HTTPS_PROXY="http://192.168.0.111:8080"

The proxy server must be reachable from container

Make sure that the proxy server is reachable from inside your Docker container. Loopback addresses (e.g. 127.0.0.1) or localhost refer to the container itself and will not work.

Custom CA Certificates

If your SysReptor is behind a proxy with a custom certificate, you can use this setting to specify your custom CA certificates.

CA_CERTIFICATES="-----BEGIN CERTIFICATE-----\nMIIDqDCCApCgAwIBAgIFAMjv7sswDQYJKoZIhv..."

WebSockets

Disable WebSockets and always use the HTTP fallback for collaborative editing. This is not recommended: some features are only available with WebSockets, and the HTTP fallback has higher latency. Enable this setting only if WebSockets are blocked by a firewall or not supported by your reverse proxy.

Example:
DISABLE_WEBSOCKETS=true

Plugins

Extend the functionality of SysReptor by enabling plugins. Plugins are disabled by default and need to be explicitly enabled. ENABLED_PLUGINS is a comma separated list of plugin names or plugin IDs.

Example:
ENABLED_PLUGINS="cyberchef,graphqlvoyager,checkthehash"

Some plugins require additional configuration. These plugin settings are configured as separate entries in app.env. Please refer to the plugin documentation for the available plugin settings.