pentest scope template - nself-org/cli GitHub Wiki

Pentest Scope Template

Reference template for penetration test engagements against ɳSelf deployments.

Generating a Scope Document

# Requires pentest plugin + Business+ license
nself pentest-kit generate --output-dir ./pentest-docs

This renders ./pentest-docs/pentest-scope.md populated with the deployment's actual IP ranges, ports, subdomains, and API endpoints.

Scope Document Structure

In-scope surfaces, IP ranges, ports, subdomains, API endpoints
Out-of-scope surfaces, Cloudflare, Stripe, GitHub Actions, third-party SaaS
Test credentials, pentest Hasura role + JWT
Rules of engagement, no DoS, no social engineering, 72h critical reporting
Emergency stop procedure, contact, protocol

Provisioning Pentest Credentials

nself pentest-kit credentials

Creates a pentest Hasura role with pentest:true metadata. The role has:

Read access to non-sensitive tables.
No access to admin secrets, audit logs, or billing data.
7-day JWT expiry.

Importing Findings

After the engagement, import findings from the structured report:

nself pentest-kit remediation --import findings.json

Track progress:

nself pentest-kit status

Compliance References

SOC 2 CC7.1, System monitoring and vulnerability management
PCI-DSS 11.3, Penetration testing
HIPAA Security Rule, Periodic security testing (addressable)

Related

cmd-pentest-kit, CLI reference
security/secret-rotation-runbook, credential rotation after pentest
Home

ɳSelf CLI v1.0.9. MIT licensed. Docs CC BY 4.0.

GitHub · Issues · Discussions · nself.org · docs.nself.org

⚠️ GitHub.com Fallback ⚠️