The latest articles on DEV Community by Sandro (@xil). https://dev.to/xil https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1162961%2F396c1c7a-e5f6-44a5-873b-ee0685d38e2b.png https://dev.to/xil en Sandro Mon, 18 May 2026 06:30:58 +0000 https://dev.to/xil/i-built-pentestscan-a-simple-web-api-security-scanner-for-developers-and-small-teams-38km https://dev.to/xil/i-built-pentestscan-a-simple-web-api-security-scanner-for-developers-and-small-teams-38km <p>Building security tools always sounds more impressive than it really is at the beginning.</p> <p>In my case, PentestScan started as a practical idea:<br> I wanted to build a simple Web &amp; API security scanner that could help developers, small teams, and DevOps engineers catch common security issues earlier - before an application reaches production.</p> <p>Not as a replacement for professional penetration testing.<br> Not as a magic “find everything” scanner.<br> But it is a practical DevSecOps tool that gives fast, understandable feedback.</p> <p>The problem I wanted to solve was simple:</p> <p>A lot of small teams do not have a dedicated AppSec engineer.<br> Security reviews often happen too late.<br> Reports from bigger tools can be too complex, too noisy, or too expensive for early-stage projects.<br> And developers usually need something direct:</p> <p>What is wrong?<br> Why does it matter?<br> How can I fix it?</p> <p>That is the direction I took with PentestScan.</p> <p>What PentestScan does</p> <p>PentestScan is a Web &amp; API security scanner focused on practical checks around common security weaknesses.</p> <p>The current version is built around:</p> <p>Web application scanning<br> API security testing<br> OWASP Top 10 related checks<br> Security headers analysis<br> JWT and session-related checks<br> Basic exposure detection<br> Report generation<br> DevSecOps-friendly workflow</p> <p>The goal is not to overload the user with hundreds of unclear findings.</p> <p>The goal is to provide a clean report that helps someone understand the risk and take action.</p> <p>Tech stack</p> <p>The project is built with a simple and practical stack:</p> <p>Python<br> FastAPI<br> Docker<br> Nginx<br> HTML reporting<br> API-first backend structure<br> Security-focused scanning modules</p> <p>I wanted the architecture to stay modular because security tooling can become messy very quickly if everything is placed into one large script.</p> <p>So the scanner is organized around separate modules and checks, with the idea that new functionality can be added gradually without breaking the existing structure.</p> <p>Why I built it</p> <p>I built PentestScan mainly as a hands-on DevSecOps project.</p> <p>I wanted to combine several areas that I work with and care about:</p> <p>application security<br> backend development<br> automation<br> Linux deployment<br> Docker-based services<br> CI/CD security thinking<br> security reporting</p> <p>One thing I learned while building it is that detection is only one part of the problem.</p> <p>The harder part is explaining the finding in a useful way.</p> <p>A security report should not only say:</p> <p>Missing security header detected.</p> <p>It should explain:</p> <p>what was detected,<br> why it matters,<br> how it could be abused,<br> how serious it is,<br> and what the developer can do next.</p> <p>That became one of the most important ideas behind the project.</p> <p>What I am trying to improve</p> <p>PentestScan is still evolving.</p> <p>Some of the things I am working on or planning to improve are:</p> <p>better API scanning<br> cleaner report structure<br> more contextual findings<br> CI/CD integration<br> better severity scoring<br> improved attack-path style explanations<br> more useful remediation guidance<br> public sample reports</p> <p>I am also trying to keep the tool realistic.</p> <p>Security scanners can easily create false confidence.<br> Just because a scanner does not find something does not mean the application is secure.</p> <p>So I see PentestScan as a first security layer - something that can help teams catch obvious and common issues earlier, not as a full replacement for manual testing.</p> <p>Current version</p> <p>The project is currently available for free here:</p> <p><a href="https://pentestscan.app/" rel="noopener noreferrer">https://pentestscan.app/</a></p> <p>Before trying the scanner, you can also check a public sample report:</p> <p>Sample vulnerability report:<br><br> <a href="https://pentestscan.app/api/v1/public/marketing/vulnerability_report.html" rel="noopener noreferrer">https://pentestscan.app/api/v1/public/marketing/vulnerability_report.html</a></p> <p>I am sharing PentestScan publicly to get feedback from developers, DevOps engineers, and security people.</p> <p>I would especially appreciate feedback on:</p> <ul> <li>report structure and clarity,</li> <li>usefulness of the findings,</li> <li>scanning flow,</li> <li>missing checks,</li> <li>and whether the tool feels useful for small teams or solo developers.</li> </ul> <p>This project is still a work in progress, but it has already been a valuable learning experience in building security tooling that is not only technical but also understandable and useful.</p> <p>That, for me, is the main point of PentestScan:</p> <p>help developers see security issues earlier, understand them faster, and fix them with less friction.</p> devops security showdev sideprojects