Scope Configuration

Syntax and rules for defining what CodeWall can and cannot test.

Scope defines the boundaries of a penetration test. The agent strictly respects these boundaries — it will never interact with anything outside of scope.

Include rules

Include rules define what the agent is allowed to test. At minimum, you must include the target host.

# Include a single host
example.com

# Include a host and all subdomains
*.example.com

# Include a specific path
example.com/api/*

# Include specific subdomains
app.example.com
api.example.com

Exclude rules

Exclude rules take precedence over include rules. Use them to protect sensitive areas.

# Exclude a path
example.com/admin/delete-all
example.com/api/v1/payments/*

# Exclude an entire subdomain
billing.example.com

# Exclude a specific file type
example.com/*.pdf

Method restrictions

Restrict which HTTP methods the agent can use:

Restriction          Effect
Allow all (default)  Agent can use any HTTP method
Block DELETE         Prevents data deletion operations
Block PUT/PATCH      Prevents data modification
GET/POST only        Read-heavy testing with form submissions
GET only             Purely passive reconnaissance

Pattern syntax

Pattern              Matches
*                    Any single path segment
**                   Any number of path segments
*.example.com        All subdomains of example.com
example.com/api/*    All direct children of /api/
example.com/api/**   All descendants of /api/

Examples

Narrow scope — test only the API

Include: api.example.com/**
Exclude: api.example.com/health

Broad scope with protections

Include: *.example.com
Exclude: billing.example.com
Exclude: example.com/admin/danger-zone/*
Method restriction: Block DELETE

Multi-host scope

Include: app.example.com
Include: api.example.com
Include: cdn.example.com
Exclude: api.example.com/internal/*

Default behaviour

  • If no include rules are specified, the target URL's host is included
  • If no exclude rules are specified, nothing is excluded
  • The agent will automatically stay within the included hosts, even when it discovers links to external sites
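
The precedence, pattern and default rules above can be checked before a test starts by modelling them and running a list of URLs that must never be touched through the model. The following is an added example, not CodeWall's own code; the function names are hypothetical, and it assumes that `*.example.com` also covers `example.com` itself and that a rule without a path covers every path on that host.

```python
import re
from urllib.parse import urlsplit

def _compile(rule):
    """Translate one scope rule into (host regex, path regex or None)."""
    host, has_path, path = rule.partition("/")
    if host.startswith("*."):
        # Assumption: "*.example.com" covers example.com and every subdomain.
        host_re = r"(?:.+\.)?" + re.escape(host[2:])
    else:
        host_re = re.escape(host)
    if not has_path:
        return re.compile(host_re, re.I), None  # assumption: bare host = all paths
    # "**" spans any number of segments, "*" stays inside one segment.
    pieces = re.split(r"(\*\*|\*)", "/" + path)
    path_re = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                      for p in pieces)
    return re.compile(host_re, re.I), re.compile(path_re)

def _matches(rule, url):
    host_re, path_re = _compile(rule)
    parts = urlsplit(url)
    if not host_re.fullmatch(parts.hostname or ""):
        return False
    return path_re is None or bool(path_re.fullmatch(parts.path or "/"))

def in_scope(url, include, exclude=(), target=None):
    """Exclude rules win; with no include rules the target URL's host is used."""
    if not include and target:
        include = [urlsplit(target).hostname]
    if any(_matches(rule, url) for rule in exclude):
        return False
    return any(_matches(rule, url) for rule in include)

def still_reachable(protected_urls, include, exclude=()):
    """Pre-flight check: protected URLs that the scope would still allow."""
    return [u for u in protected_urls if in_scope(u, include, exclude)]

# Constructed sample: the "Broad scope with protections" rules from this page.
INCLUDE = ["*.example.com"]
EXCLUDE = ["billing.example.com", "example.com/admin/danger-zone/*"]
PROTECTED = [
    "https://billing.example.com/invoices/42",
    "https://example.com/admin/danger-zone/reset",
    "https://example.com/admin/danger-zone/users/purge",  # two levels deep
]

if __name__ == "__main__":
    for url in still_reachable(PROTECTED, INCLUDE, EXCLUDE):
        print("NOT protected by current rules:", url)
```

Under this reading of the pattern table, the single-segment `*` in the exclude rule leaves the two-level `danger-zone` URL in scope, while `**` would cover it. Confirm the product's actual behaviour before relying on either form.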