Continuous automated security testing for your nSelf stack. Runs authenticated scans against your own instance on a schedule, checks for OWASP Top 10 vulnerabilities, misconfigured headers, exposed endpoints, and outdated dependencies. Results surface directly in your Admin UI without sending data to a third party.
This plugin is scoped to your local nSelf instance. Never point it at third-party services or systems you do not own. All scans authenticate against your own API using your admin token.
```bash
nself plugin install pentest
nself build
nself start
```

```bash
# Trigger an on-demand scan
curl -X POST https://api.yoursite.com/pentest/scans \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -d '{"scope": "full", "notify_webhook": "https://hooks.example.com/alerts"}'

# List recent scan results
curl https://api.yoursite.com/pentest/scans \
  -H "Authorization: Bearer $ADMIN_TOKEN"

# Get high-severity findings from the latest scan
curl "https://api.yoursite.com/pentest/findings?severity=high" \
  -H "Authorization: Bearer $ADMIN_TOKEN"
```

| Category | Checks |
|---|---|
| Authentication | Broken auth, weak JWT configuration, missing token expiry |
| Authorization | IDOR tests, Hasura permission bypass attempts, horizontal privilege escalation |
| Injection | SQL injection probes, GraphQL introspection abuse, SSRF checks |
| Headers | Missing CSP, HSTS, X-Frame-Options, and Referrer-Policy headers |
| Secrets exposure | API keys in responses, verbose error messages with stack traces |
| Dependencies | Known CVEs in installed plugin versions |

| Endpoint | Method | Description |
|---|---|---|
| /pentest/scans | GET / POST | List scans or trigger a new one |
| /pentest/scans/:id | GET | Scan detail with status and summary counts |
| /pentest/findings | GET | All findings with severity, category, and remediation guidance |
| /pentest/findings/:id/resolve | POST | Mark a finding as resolved or accepted risk |
| /pentest/schedule | GET / PUT | Read or update the automated scan schedule (cron syntax) |
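A CI gate built on the endpoints above, as an added example that is not the plugin's own code: it pulls findings with the admin token, ignores anything already resolved or accepted as risk, and fails the job on open findings at or above a severity threshold (unknown severities fail closed). The finding field names (`id`, `severity`, `category`, `status`, `remediation`) and the status values `open`, `resolved` and `accepted_risk` are assumptions, since the page does not document the response schema.

```python
import json
import os
import urllib.request

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fetch_findings(base_url: str, token: str, min_severity: str = "high") -> list:
    """GET /pentest/findings on your own instance with the admin token (network call)."""
    url = f"{base_url.rstrip('/')}/pentest/findings?severity={min_severity}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def gate(findings: list, min_severity: str = "high") -> dict:
    """Return {"passed": bool, "blocking": [...]} for open findings at/above threshold.

    Resolved and accepted-risk findings never block; a severity value the table
    does not know ranks as 99 so a schema change fails closed rather than open.
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for f in findings:
        if f.get("status", "open") in ("resolved", "accepted_risk"):
            continue
        if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 99) >= threshold:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking}


# Constructed sample response, shaped per the assumed schema above (not real scan output).
SAMPLE_FINDINGS = [
    {"id": "f-1", "severity": "high", "category": "Headers", "status": "open",
     "remediation": "Send Strict-Transport-Security with max-age >= 31536000"},
    {"id": "f-2", "severity": "critical", "category": "Authorization", "status": "accepted_risk",
     "remediation": "Restrict Hasura role permissions"},
    {"id": "f-3", "severity": "medium", "category": "Secrets exposure", "status": "open",
     "remediation": "Disable stack traces in error responses"},
    {"id": "f-4", "severity": "unrated", "category": "Injection", "status": "open",
     "remediation": "Parameterise the query"},
]

if __name__ == "__main__":
    # Set NSELF_API_URL and ADMIN_TOKEN to gate on a live instance; otherwise use the sample.
    base = os.environ.get("NSELF_API_URL")
    findings = fetch_findings(base, os.environ["ADMIN_TOKEN"]) if base else SAMPLE_FINDINGS
    result = gate(findings)
    for f in result["blocking"]:
        print(f'{f["severity"]:<8} {f["category"]:<18} {f["id"]}: {f["remediation"]}')
    raise SystemExit(0 if result["passed"] else 1)
```

Exit status 1 blocks the pipeline, so accepting a finding through `POST /pentest/findings/:id/resolve` is the only way to unblock it without fixing it, which keeps that decision auditable in the Admin UI.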
Pro Plugin — nSelf+ | v1.0.0