Run structured penetration tests against your nSelf stack, generate machine-readable reports, and apply recommended mitigations — all from the CLI.
```bash
# Run the full scan against the local stack
nself pentest-kit scan
# Generate a PDF report from the last scan
nself pentest-kit report --format pdf --out ./security-report.pdf
# Auto-apply safe mitigations
nself pentest-kit mitigate --auto
```

Usage:

```bash
nself pentest-kit <SUBCOMMAND> [FLAGS]
```

nself pentest-kit is the built-in security audit surface for nSelf. It runs a structured set of attack vectors across the auth, storage, network, database, API, and plugin surfaces and produces findings categorized by severity (CRITICAL / HIGH / MEDIUM / LOW / INFO).
The kit is used internally by the SIEGE adversarial QA step in every nSelf release cycle and is also available for customer-facing security audits. All findings reference the CWE and OWASP identifiers where applicable.
Security scans only read from your stack: they never modify production data or inject persistent payloads. Destructive tests (SQLi writes, RCE probes) require the --allow-destructive flag and only run against non-production environments. Read-only probes still generate request volume, failed logins and rate-limit hits that will surface in your logs and alerting, so tell whoever watches those before you scan production.
| Category | What is tested |
|---|---|
| Authentication | JWT validation, token expiry, session fixation, brute-force rate limits, MFA bypass |
| Authorization | Hasura row-level security, role escalation, IDOR, Hasura admin secret exposure |
| Network | TLS configuration, cipher suites, HSTS, open ports, SSRF probes |
| Storage | MinIO bucket policy, pre-signed URL abuse, path traversal |
| Database | PostgreSQL privilege audit, RLS coverage, connection string exposure |
| API | GraphQL introspection gating, depth/complexity limits, injection probes |
| Plugins | Plugin sandbox escape, license bypass, signature verification |
| Secrets | Env var leakage, hardcoded credentials, Docker volume inspection |
Run the full scan suite. By default it targets the local stack. Pass --target to scan staging or production (only read-only tests run against production).

```bash
# Local scan
nself pentest-kit scan
# Staging scan
nself pentest-kit scan --target staging
# Limit to specific categories
nself pentest-kit scan --only auth,network,api
# Include destructive probes (non-production only)
nself pentest-kit scan --allow-destructive --target staging
```

Scan output is stored at ~/.nself/pentest/<timestamp>.json and summarized to stdout.
```bash
# Example summary output
# SEVERITY COUNT
# CRITICAL 0
# HIGH 1 → Hasura introspection enabled on staging
# MEDIUM 3
# LOW 7
# INFO 12
#
# Full results: ~/.nself/pentest/2026-05-07T14-22-00.json
```

Generate a formatted report from the most recent scan (or a specific scan file). Supports PDF, HTML, Markdown, and JSON output formats.
```bash
# PDF (default)
nself pentest-kit report --format pdf --out ./report.pdf
# Markdown (good for GitHub issues or Notion)
nself pentest-kit report --format md --out ./report.md
# From a specific scan file
nself pentest-kit report --from ~/.nself/pentest/2026-05-07T14-22-00.json --format html --out ./report.html
```

Apply mitigations for findings from the most recent scan. Safe mitigations (config changes, flag toggles, env var updates) are applied automatically with --auto. Findings that require code changes are printed as actionable instructions.
```bash
# Review what mitigations are available (dry run)
nself pentest-kit mitigate --dry-run
# Apply all safe mitigations automatically
nself pentest-kit mitigate --auto
# Apply mitigations for a specific severity tier and above
nself pentest-kit mitigate --auto --min-severity high
```

Example: disabling Hasura introspection automatically:
```bash
# Finding: HASURA_GRAPHQL_ENABLE_INTROSPECTION=true on staging
# Mitigation:
nself pentest-kit mitigate --auto
# ✓ Applied: HASURA_GRAPHQL_ENABLE_INTROSPECTION → false (staging)
# ✓ Auth service reloaded
```

| Flag | Applies to | Type | Description |
|---|---|---|---|
| --target | scan | string | Stack to test: local (default), staging, prod |
| --only | scan | string | Comma-separated category list to run (default: all) |
| --skip | scan | string | Comma-separated categories to exclude |
| --allow-destructive | scan | bool | Enable destructive probes (non-production only) |
| --format | report | string | Output format: pdf, html, md, json |
| --out | report | string | Output file path |
| --from | report | string | Path to a specific scan result JSON file |
| --auto | mitigate | bool | Apply safe mitigations without prompting |
| --dry-run | mitigate | bool | Print proposed mitigations without applying them |
| --min-severity | mitigate | string | Minimum severity to mitigate: critical, high, medium, low |
Gate a CI pipeline on the scan result:

```bash
# Read-only scan of staging (destructive probes stay off unless --allow-destructive is passed)
nself pentest-kit scan --target staging
# The scan itself exits 1 only on CRITICAL findings (see exit codes below);
# to fail the build on HIGH as well, count both tiers in the JSON report
[ "$(nself pentest-kit report --format json | jq '.findings | map(select(.severity == "CRITICAL" or .severity == "HIGH")) | length')" -eq 0 ]
```

Archive a dated audit bundle:

```bash
nself pentest-kit scan
nself pentest-kit report --format pdf --out ./audit-$(date +%Y-%m-%d).pdf
nself pentest-kit report --format md --out ./audit-$(date +%Y-%m-%d).md
```

Exit codes:

- 0 — scan complete, zero CRITICAL findings
- 1 — one or more CRITICAL findings
- 2 — scan could not complete (network error, stack not running)
- 3 — invalid arguments
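A worked CI gate over the scan JSON, added here as an example and not part of nself: it reads a scan file (a constructed sample is embedded so it runs offline), counts findings per tier in the same order as the stdout summary, applies a threshold with the same "this tier and worse" ordering that --min-severity uses, and returns an exit status that reproduces the scan's own 0/1 convention when the threshold is CRITICAL and extends it to HIGH by default. The only JSON shape assumed is a top-level `findings` list with a `severity` string per item, which is what the jq filter above relies on; the `category` and `title` keys, the `target` key and the sample finding texts are assumptions.

```python
# Added example: CI gate over an nself pentest-kit scan JSON file.
# Not nself's own code. Assumed shape: {"findings": [{"severity": ...}, ...]}
# (what the docs' jq filter relies on); "category", "title" and "target"
# are assumptions used only for display.
import json
import sys
from collections import Counter

# Most severe first; the list index defines the ordering used for thresholds.
SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]

# Constructed sample scan result (not real scanner output):
# 0 CRITICAL, 1 HIGH, 2 MEDIUM, 1 LOW, 1 INFO.
SAMPLE_SCAN = json.dumps({
    "target": "staging",
    "findings": [
        {"severity": "HIGH", "category": "api",
         "title": "Hasura introspection enabled on staging"},
        {"severity": "MEDIUM", "category": "network", "title": "sample network finding"},
        {"severity": "MEDIUM", "category": "storage", "title": "sample storage finding"},
        {"severity": "LOW", "category": "secrets", "title": "sample secrets finding"},
        {"severity": "INFO", "category": "auth", "title": "sample auth finding"},
    ],
})


def load_findings(text):
    """Parse scan JSON and validate the fields the gate depends on."""
    data = json.loads(text)
    findings = data.get("findings") if isinstance(data, dict) else None
    if not isinstance(findings, list):
        raise ValueError("scan JSON has no top-level 'findings' list")
    for i, finding in enumerate(findings):
        severity = finding.get("severity") if isinstance(finding, dict) else None
        if severity not in SEVERITIES:
            raise ValueError(f"finding {i} has unknown severity {severity!r}")
    return findings


def count_by_severity(findings):
    """Per-tier counts, in the same order as the kit's stdout summary."""
    counts = Counter(f["severity"] for f in findings)
    return {tier: counts.get(tier, 0) for tier in SEVERITIES}


def at_or_above(findings, min_severity):
    """Findings at min_severity or worse (the ordering --min-severity uses)."""
    tier = min_severity.upper()
    if tier not in SEVERITIES:
        raise ValueError(f"unknown severity tier {min_severity!r}")
    cutoff = SEVERITIES.index(tier)
    return [f for f in findings if SEVERITIES.index(f["severity"]) <= cutoff]


def gate_exit_code(findings, fail_on="HIGH"):
    """0 when nothing at or above fail_on remains, else 1.

    With fail_on="CRITICAL" this matches the scan's documented exit status;
    the default applies the same rule to HIGH as well.
    """
    return 1 if at_or_above(findings, fail_on) else 0


def render_summary(findings):
    """Text table in the shape of the kit's stdout summary."""
    counts = count_by_severity(findings)
    lines = ["SEVERITY  COUNT"]
    for tier in SEVERITIES:
        lines.append(f"{tier:<9} {counts[tier]}")
    return "\n".join(lines)


def main(argv):
    """usage: gate.py [scan.json] [fail_on]; without a path, gates the sample."""
    path = argv[1] if len(argv) > 1 else None
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SCAN
    findings = load_findings(text)
    print(render_summary(findings))
    for f in at_or_above(findings, fail_on):
        print(f"BLOCKING [{f['severity']}] {f.get('category', '?')}: {f.get('title', '')}")
    return gate_exit_code(findings, fail_on)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py ~/.nself/pentest/<timestamp>.json high` after the scan; a malformed file or an unknown severity string fails closed with a traceback rather than silently passing the build.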