Engagement Workflow

You can launch a pentester engagement through the web console, CLI, or automation pipelines.

Web Console

  1. Navigate to Explore → API Engagements.

  2. Click New Engagement and provide the application name, target host, and OpenAPI specification.

  3. Optional: attach authentication headers or recorded traffic to bootstrap deeper testing.

  4. Submit to start the hands-off assessment. Progress and findings stream back into the console and configured integrations.

Launch a new engagement

CLI

Use the CLI when you want to run engagements locally or wire them into custom pipelines. Generate a service-account token first (see API Configuration).

nullify dast \
  --app-name      "Payments API" \
  --spec-path     "./openapi.json" \
  --target-host   "https://api.example.dev" \
  --github-owner  "my-org" \
  --github-repo   "payments-service" \
  --header        "Authorization: Bearer 1234, X-Custom-Header: abcxyz"

ℹ️ The CLI command retains the dast verb for backwards compatibility; upcoming releases will alias it to pentester.
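For pipeline use, the command above can sit behind a pre-flight wrapper that refuses out-of-scope targets and keeps the target credential out of the script. The following is an added example, not Nullify code; the variable names ALLOWED_HOSTS, TARGET_AUTH_TOKEN and NULLIFY_BIN are assumptions made for this sketch, and only the flags shown above are used.

```shell
#!/bin/sh
# Added example, not Nullify code. ALLOWED_HOSTS, TARGET_AUTH_TOKEN and
# NULLIFY_BIN are assumed names chosen for this sketch.

# Succeed only for an https URL whose host is in the space-separated allowlist.
in_scope() (
  set -f                                  # no globbing while splitting the list
  case "$1" in https://*) ;; *) exit 1 ;; esac
  host="${1#https://}"; host="${host%%/*}"
  case "$host" in *@*) exit 1 ;; esac     # userinfo could disguise the real host
  host="${host%%:*}"                      # drop an optional port
  for h in $2; do
    [ "$host" = "$h" ] && exit 0
  done
  exit 1
)

# Print the --header value in the format shown above. A comma, CR or LF in the
# token is rejected, since the flag takes a comma-separated header list.
auth_header() (
  cr=$(printf '\r'); nl='
'
  [ -n "$1" ] || exit 1
  case "$1" in *,*|*"$cr"*|*"$nl"*) exit 1 ;; esac
  printf 'Authorization: Bearer %s' "$1"
)

# Args: app name, spec path, target host, GitHub owner, GitHub repo.
run_engagement() {
  in_scope "$3" "${ALLOWED_HOSTS:-}" || { echo "out of scope: $3" >&2; return 2; }
  [ -r "$2" ] || { echo "spec not readable: $2" >&2; return 3; }
  hdr=$(auth_header "${TARGET_AUTH_TOKEN:-}") || { echo "bad token" >&2; return 4; }
  # The token stays out of the script and shell history; it is still visible
  # in the local process list while the command runs.
  "${NULLIFY_BIN:-nullify}" dast \
    --app-name "$1" --spec-path "$2" --target-host "$3" \
    --github-owner "$4" --github-repo "$5" \
    --header "$hdr"
}

if [ "$#" -eq 5 ]; then run_engagement "$@"; fi
```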

GitHub Action

Automate engagements in CI by adopting the Nullify Pentester Action (published as dast-action). Configure it to run on release branches, nightly jobs, or bespoke workflows. Findings are routed back through the Nullify API and any connected ticketing systems.
