Pynt as a Standalone Container

Run Pynt as a standalone container without the CLI for isolated and scalable API security testing. Ensure consistent and efficient protection across your development environments.


Last updated 3 months ago

🚀 At a Glance: Pynt's standalone container mode allows you to run the Pynt container without the CLI, making it ideal for systems like Kubernetes or container orchestration platforms. In this mode, you control Pynt through its APIs and route HTTP traffic through the container for security testing.


Standalone container mode

Pynt container can run without the CLI, facilitating its use in various deployment scenarios beyond traditional Docker-based environments. This mode is particularly useful for systems leveraging Kubernetes or similar container orchestration platforms.

This mode is based on the Pynt command CLI mode, but here you are required to run the Pynt container yourself, control it through its APIs, and route the HTTP traffic through the container.

Two steps are needed for this integration:

Run the Pynt Container: Set up and run the Pynt container. Pynt can operate as a stand-alone server as long as it is set up correctly.

Control via APIs & Route HTTP Traffic: After deploying the Pynt container, manage it through its APIs. Additionally, route your HTTP traffic through the container so that Pynt can scan the traffic.


How to run the Pynt container

Image:

  • ghcr.io/pynt-io/pynt:v1-latest

Ports:

  • 6666 - Pynt proxy port

  • 5001 - port for API commands to Pynt server

Environment variables:

  • PYNT_SAAS_URL="https://api.pynt.io/v1" - Pynt Platform's URL

Flags:

When no application identifier is provided, the scan results are not associated with any application and appear only in the global views. The best practice is to provide the identifier.

  • --application-name - Your existing application name or a new one. (the application will be created automatically if it does not exist)

Here is an example of running the Pynt server using Docker:

docker run -e PYNT_ID="$PYNT_ID" -p 6666:6666 -p 5001:5001 --rm ghcr.io/pynt-io/pynt:v1-latest proxy --application-name my-app

How to control Pynt container

Once the Pynt container is running in your environment, run the Pynt scan by following these steps:

  1. Set a few environment variables pointing to the container (or to your local machine when exposing the ports):

    export PYNT_SERVER_BASE=http://127.0.0.1
    export PYNT_SERVER_URL=$PYNT_SERVER_BASE:5001
  2. To activate the Pynt proxy, make a call to the /api/proxy/start endpoint. Once activated, Pynt will listen on port 6666 for incoming traffic. For example, you can use curl as follows:

    scan_output=$(curl -X PUT $PYNT_SERVER_URL/api/proxy/start)
  3. Run your functional tests through the Pynt proxy. Pynt will read and analyze the traffic. For example, using Python Pytest:

    export HTTP_PROXY=$PYNT_SERVER_BASE:6666
    export HTTPS_PROXY=$PYNT_SERVER_BASE:6666
    pytest goat.py
  4. To start a Pynt scan, you need to call the /api/proxy/stop endpoint, providing the scan_id in the message body. For example, you can use the following curl command:

    curl -X PUT $PYNT_SERVER_URL/api/proxy/stop -d "$scan_output" -H "Content-Type: application/json"
  5. Optionally, you can pass the Application ID and Test Name for improved management of this scan in the Pynt platform. The start response is quoted so that jq receives it intact. For example:

    scanId=$(echo "$scan_output" | jq -r .scanId)
    applicationId=xxxx
    testName="My Test Name"
    json_payload=$(printf '{"scanId": "%s", "applicationId": "%s", "testName": "%s"}' "$scanId" "$applicationId" "$testName")
    curl -X PUT $PYNT_SERVER_URL/api/proxy/stop -d "$json_payload" -H "Content-Type: application/json"

Retrieving Scan Reports

After running a Pynt scan, you can retrieve the scan report by polling the /api/report endpoint using the scan ID. This process ensures that you get the final report once the scan is complete.

Polling for Report Completion

Since scans take time to process, you must continuously check the report status until the scan completes. The server returns:

  • 202 (Accepted): The scan is still in progress.

  • 200 (OK): The scan is complete, and the report is available.

Retrieving the HTML Report

The HTML report provides a human-readable summary of the scan results.

Example using curl

scanId=$(echo "$scan_output" | jq -r .scanId)
status_code=$(curl -o "pynt_report.html" -s -w "%{http_code}\n" "$PYNT_SERVER_URL/api/report?scanId=$scanId&format=html")

This command saves the report as pynt_report.html; check status_code (202 means the scan is still running, 200 means the file holds the final report).


Controlling the return code from Pynt

The Pynt container has an optional flag, --severity-level.

With this flag, you have granular control over whether Pynt returns an error code (3) in the event of findings. Use it to decide when Pynt should break the CI/CD run. Allowed values are:

'all', 'medium', 'high', 'critical', 'none' (default)

Retrieving the JSON Report

The JSON report contains structured data about vulnerabilities, making it useful for integrations with other tools.

Example using curl

scanId=$(echo "$scan_output" | jq -r .scanId)
status_code=$(curl -o "pynt_report.json" -s -w "%{http_code}\n" "$PYNT_SERVER_URL/api/report?scanId=$scanId&format=json")

This command retrieves the scan results in JSON format and saves them as pynt_report.json; as with the HTML report, repeat the call while status_code is 202.
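The control steps above (start the proxy, stop it to launch the scan, then poll /api/report until it stops answering 202) are easy to get wrong in a CI script, so here is the same sequence as a small Python driver. This is an added example, not Pynt's own code; it assumes only the endpoints and status codes documented on this page, and the `call` parameter exists so the flow can be exercised offline against a fake server.

```python
import json
import os
import time
import urllib.error
import urllib.request

# Assumed: the container's API port (5001) is reachable at this URL.
PYNT_SERVER_URL = os.environ.get("PYNT_SERVER_URL", "http://127.0.0.1:5001")

def http(method, path, body=None):
    """Send one request to the Pynt server; returns (status, raw_bytes)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(PYNT_SERVER_URL + path, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def start_proxy(call=http):
    """PUT /api/proxy/start and return the scanId from the response body."""
    _status, raw = call("PUT", "/api/proxy/start")
    return json.loads(raw)["scanId"]

def stop_payload(scan_id, application_id=None, test_name=None):
    """Body for /api/proxy/stop; applicationId and testName are sent only when set."""
    payload = {"scanId": scan_id}
    if application_id:
        payload["applicationId"] = application_id
    if test_name:
        payload["testName"] = test_name
    return payload

def stop_and_scan(scan_id, application_id=None, test_name=None, call=http):
    """PUT /api/proxy/stop, which ends traffic recording and starts the scan."""
    status, _ = call("PUT", "/api/proxy/stop", stop_payload(scan_id, application_id, test_name))
    return status < 400

def wait_for_report(scan_id, fmt="json", call=http, attempts=60, delay=5.0, sleep=time.sleep):
    """Poll /api/report: 202 means still running, 200 means done. Returns report bytes."""
    for _ in range(attempts):
        status, raw = call("GET", f"/api/report?scanId={scan_id}&format={fmt}")
        if status == 200:
            return raw
        if status != 202:
            raise RuntimeError(f"unexpected HTTP {status} from /api/report")
        sleep(delay)
    raise TimeoutError(f"scan {scan_id} did not finish after {attempts} polls")
```

Between start_proxy and stop_and_scan, run your functional tests with HTTP_PROXY and HTTPS_PROXY pointing at port 6666, exactly as in step 3 above.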


Example: Pynt with Kubernetes

A complete example of running Pynt as a standalone container on Kubernetes is available on GitHub in the pynt-io/pynt repository, under goat_functional_tests/k8s. The example sets:

  • PYNT_ID="$PYNT_ID" - Pynt credentials (see How to get Pynt ID for CI/CD Authentication).

  • --application-id - the application identifier (see Where can I find the application ID?).

💡 Still Need Help? For any questions or troubleshooting, reach out to the Pynt Community Support.
