CI/CD Integration

Overview

Pensar provides a CLI tool and API for integrating automated pentesting directly into your CI/CD pipeline. Run pentests on every commit or deployment to catch vulnerabilities before they reach production.

Installation

Install the Pensar CI package globally:

$ npm install -g @pensar/ci

Or add it as a dev dependency:

$ npm install --save-dev @pensar/ci

View the source code and additional examples on GitHub.

Configuration

Required Environment Variables

Variable          Description
PENSAR_API_KEY    Your Pensar API key

Optional Environment Variables

Variable              Description                    Default
PENSAR_ENVIRONMENT    dev, staging, or production    production

You can configure CI/CD integration directly from the Pensar Console. Navigate to your project’s Settings → CI/CD page for guided setup and one-click workflow creation.

CLI Usage

Run a Pentest

$ pensar pentest [options]

Options:

Option                       Description
-b, --branch <branch>        Branch name to associate with the scan
-e, --environment <env>      Environment: dev, staging, production
--no-wait                    Dispatch the scan without waiting for completion

Examples:

# Basic pentest using environment variables
$ pensar pentest

# Pentest a specific branch
$ pensar pentest --branch main

# Pentest without waiting for completion
$ pensar pentest --no-wait

# Pentest with explicit environment
$ pensar pentest --branch develop --environment staging

Check Scan Status

$ pensar status <scanId>

Example:

$ pensar status abc123-def456-789

CI/CD Examples

GitHub Actions

Run a pentest when commits are pushed to main branches:

name: Pensar Pentest

on:
  push:
    branches: [main, master, develop]

jobs:
  pentest:
    name: Pensar Pentest
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '22'

      - name: Install Pensar CI
        run: npm install -g @pensar/ci

      - name: Run Pensar Pentest
        env:
          PENSAR_API_KEY: ${{ secrets.PENSAR_API_KEY }}
        run: pensar pentest --branch ${{ github.ref_name }}

GitLab CI

Add to your .gitlab-ci.yml:

stages:
  - security

pensar-pentest:
  stage: security
  image: node:22
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  before_script:
    - npm install -g @pensar/ci
  script:
    - pensar pentest --branch $CI_COMMIT_REF_NAME
  variables:
    PENSAR_API_KEY: $PENSAR_API_KEY

Bitbucket Pipelines

Add to your bitbucket-pipelines.yml:

pipelines:
  branches:
    main:
      - step:
          name: Pensar Pentest
          image: node:22
          script:
            - npm install -g @pensar/ci
            - pensar pentest --branch main

Exit Codes

Code    Meaning
0       Scan completed with no issues
1       Scan found security issues or failed

By default, the CLI will exit with code 1 if any security issues are found. Use this to block deployments when vulnerabilities are detected.

API Reference

Dispatch Scan

POST /ci/dispatch

Headers:

  • Authorization: Bearer <api_key> or x-api-key: <api_key>
  • Content-Type: application/json

Request Body:

{
  "projectId": "string",
  "branch": "string (optional)",
  "scanLevel": "priority | full (optional)"
}

Response:

{
  "scanId": "string",
  "label": "string",
  "status": "queued"
}

Get Scan Status

GET /ci/status/{scanId}

Headers:

  • Authorization: Bearer <api_key> or x-api-key: <api_key>

Response:

{
  "scanId": "string",
  "label": "string",
  "status": "queued | running | completed | failed | paused",
  "startedAt": "string | null",
  "completedAt": "string | null",
  "errorMessage": "string | null",
  "issuesCount": 0,
  "reportReady": false
}
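The two endpoints above, driven end to end the way the CLI does it (dispatch, poll the status until it is terminal, then apply the exit-code contract from the Exit Codes section), as an added example that is not code from the Pensar docs or the @pensar/ci package. It runs offline against a constructed stand-in for fetch(); the API host (API_BASE) is a placeholder assumption because the page does not give it.

```javascript
// Added example, not code from the Pensar docs or the @pensar/ci package.
// Assumption: the page gives no API host, so API_BASE is a placeholder.
const API_BASE = 'https://PENSAR_API_BASE_URL_PLACEHOLDER';
const TERMINAL = new Set(['completed', 'failed']);

// POST /ci/dispatch -> { scanId, label, status: "queued" }
async function dispatchScan(fetchFn, apiKey, { projectId, branch, scanLevel }) {
  const res = await fetchFn(`${API_BASE}/ci/dispatch`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ projectId, branch, scanLevel }),
  });
  if (!res.ok) throw new Error(`dispatch failed: HTTP ${res.status}`);
  return res.json();
}

// Poll GET /ci/status/{scanId} until a terminal status, then apply the CLI's exit-code
// contract: 0 only for "completed" with zero issues; "failed" or any findings give 1.
async function waitForScan(fetchFn, apiKey, scanId, { intervalMs = 0, maxPolls = 100 } = {}) {
  for (let i = 0; i < maxPolls; i++) {
    const res = await fetchFn(`${API_BASE}/ci/status/${encodeURIComponent(scanId)}`, {
      headers: { Authorization: `Bearer ${apiKey}` },
    });
    if (!res.ok) throw new Error(`status failed: HTTP ${res.status}`);
    const body = await res.json();
    if (TERMINAL.has(body.status)) {
      return { ...body, exitCode: body.status === 'completed' && body.issuesCount === 0 ? 0 : 1 };
    }
    if (intervalMs) await new Promise((r) => setTimeout(r, intervalMs));
  }
  throw new Error(`scan ${scanId} still not finished after ${maxPolls} polls`);
}

// Constructed offline fetch() stand-in: 401 without a key, answers dispatch, then queued -> running -> completed.
function makeFakeFetch(finalIssues = 2) {
  const timeline = ['queued', 'running', 'completed'];
  let polls = 0;
  return async (url, opts = {}) => {
    const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
    if (!/^Bearer \S+$/.test((opts.headers || {}).Authorization || '')) return reply(401, {});
    if (url.endsWith('/ci/dispatch')) return reply(200, { scanId: 'scan-constructed-1', label: 'main', status: 'queued' });
    const status = timeline[Math.min(polls++, timeline.length - 1)];
    return reply(200, {
      scanId: 'scan-constructed-1', label: 'main', status, errorMessage: null,
      startedAt: status === 'queued' ? null : '2024-01-01T00:00:00Z',
      completedAt: status === 'completed' ? '2024-01-01T00:10:00Z' : null,
      issuesCount: status === 'completed' ? finalIssues : 0, reportReady: status === 'completed',
    });
  };
}
```

Against the live API, pass the real fetch instead of the stand-in and end the CI step with process.exit(result.exitCode) so that findings block the deployment the same way the CLI does.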

Next Steps