wpscan api token with docker

I’ve been trying to get this working as intended for a little while now. My regular workflow while using wpscan has been that I have to log in to WP Scan’s Vulnerability Database website to retrieve my API token and build out the following scan parameters:

docker run -it --rm wpscanteam/wpscan --url https://example.com --api-token MY_API_TOKEN

This was tedious at best, so I have been toying with the notion of setting up a local file as recommended by the application documentation:

I had created the relevant file, setting my API token, but struggled to get the Docker container to read my local file. I started digging around and the majority of information I found was creating links between the local system and the container for the direction. I didn’t find a specific guide or instruction for this. After a large chunk of today was spent researching and testing various implementations I brain stormed with a colleague.

He pointed me in the direction of the Docker file link on the Docker Hub which gave me the clue I needed:

RUN adduser -h /wpscan -g WPScan -D wpscan

That told me that the home directory being created for the container was set to /wpscan. Since the application documents already indicated that the file will be read from the ./wpscan directory I tried the following combination:

docker run -it --rm -v ${HOME}/.wpscan/scan.yml:/wpscan/.wpscan/scan.yml wpscanteam/wpscan --url https://example.com

And with that, wpscan was picking up my set API key without issue and using it to scan the sites. Perfect!

In the above example the -v flag allows you to link a volume to the container. The syntax for that is source:destination in its simplest form. What you are linking from the local file system (source) to the file system on the container (destination).

Hopefully the above will help others get rolling with configuring their API token with wpscan while using Docker.