Prancer PAC CLI

It is possible to integrate Prancer PAC pentesting into your CI/CD pipeline so that it fits tightly into your current SDLC process. To do so, you use the Prancer PAC CLI to run the pentest.

There are two ways to use Prancer PAC. The first is scanner mode, where the system pulls Prancer PAC from Docker and runs it in the Azure or AWS cloud. The second is custom mode; this document explains how to install and run Prancer PAC on your local machine.

Prerequisites:

Make sure the following binaries are installed on your CI machine:

How to Install Prancer PAC

To install Prancer PAC, follow these steps:

  • Download the latest version from here.

  • Extract the downloaded file: tar -xvf prancer-pac-latest.tar.gz

  • If you are extracting for the first time, make install.sh executable with chmod: sudo chmod 0777 install.sh. The script only needs to be executable, so a less permissive mode such as 0755 also works.

  • Install Prancer PAC by running: sudo ./install.sh

To make sure prancer-pac is installed successfully, run this command:

  $ prancer-pac version
  The version of prancer pac is 1.0.0-beta linux/amd64

CI Variables

To run Prancer PAC in your pipeline, you need to define some variables in your CI tool.

Prancer API token

Generate a user access token from the Prancer SaaS solution (see How to generate a token in Prancer SaaS).

Define this variable as APITOKEN in your CI tool, and add it as a secret.

Pentest Configuration ID

To get the target configuration ID, go to the admin panel, choose the PAC Management page from the sidebar, select your config, open the PAC configuration, and copy the config ID.

How to run

  • To run a pentest without authentication, run the following command:

    prancer-pac pentest --customer YOUR_CUSTOMER_ID --token APITOKEN --config CONFIGURATION_ID

  • To run a pentest with authentication, run the following command:

    prancer-pac pentest --customer YOUR_CUSTOMER_ID --token APITOKEN --config CONFIGURATION_ID auth --username USERNAME --password PASSWORD
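As an added example (not Prancer's own tooling), the following POSIX shell wrapper can be sourced by a CI job to run the two commands above; it checks that the required variables are present, logs a redacted copy of the command line, and picks the authenticated form only when a username is set. The variable names PRANCER_CUSTOMER, PRANCER_CONFIG, APITOKEN, PENTEST_USERNAME and PENTEST_PASSWORD are assumptions, with the token and password expected to come from the CI secret store.

```shell
#!/bin/sh
# Added example, not part of Prancer PAC. Variable names are assumptions:
#   PRANCER_CUSTOMER  customer id (--customer)
#   PRANCER_CONFIG    pentest configuration id (--config)
#   APITOKEN          Prancer API token (--token), a CI secret
#   PENTEST_USERNAME / PENTEST_PASSWORD  optional target credentials (auth)

# Fail early and name every missing required variable.
check_pentest_vars() {
  missing=""
  for name in PRANCER_CUSTOMER PRANCER_CONFIG APITOKEN; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required CI variables:$missing" >&2
    return 1
  fi
  return 0
}

# Command line with the token and password masked, safe for the CI log.
describe_pentest_cmd() {
  line="prancer-pac pentest --customer $PRANCER_CUSTOMER --token *** --config $PRANCER_CONFIG --output json"
  if [ -n "${PENTEST_USERNAME:-}" ]; then
    line="$line auth --username $PENTEST_USERNAME --password ***"
  fi
  printf '%s\n' "$line"
}

# Run the pentest with JSON output; arguments are quoted, never eval'd.
run_pentest() {
  check_pentest_vars || return 1
  echo "running: $(describe_pentest_cmd)"
  if [ -n "${PENTEST_USERNAME:-}" ]; then
    prancer-pac pentest --customer "$PRANCER_CUSTOMER" --token "$APITOKEN" \
      --config "$PRANCER_CONFIG" --output json \
      auth --username "$PENTEST_USERNAME" --password "$PENTEST_PASSWORD"
  else
    prancer-pac pentest --customer "$PRANCER_CUSTOMER" --token "$APITOKEN" \
      --config "$PRANCER_CONFIG" --output json
  fi
}
```

Source this file in the CI job and call run_pentest; its exit status is the exit status of prancer-pac, so a failing run fails the job.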

Pentest command

[short description] The pentest command prepares an environment with your information and creates a ZAP environment to start the test.

[long description]

The pentest flags

  • -c, --config => ID of the configuration; the data required to set up the pentest is extracted from the Prancer database using it

  • -i, --customer => Customer ID, required for obtaining the JWT token

  • -e, --env => Set your working environment: dev, qa or prod (default "prod")

  • -t, --token => Access token, passed as a parameter to obtain the JWT token so that prancer-cli can send requests to the portal

  • -o, --output => Output format in the terminal: json or normal (default "normal")

  • -p, --port => Port on your system to expose the proxy Docker port on (default 8080)

  • -s, --silent => Suppress the details in the terminal

  • -h, --help => Help for pentest

The pentest available commands

  • auth => [short description] Enter the authentication details here when you run your pentest with authentication, such as form-based or JWT authentication:
  • -u, --username => Enter the user name for your target to authorize
  • -p, --password => Enter the password for your target to authorize