Overview
Arnica is a code security posture management (CSPM) platform focused on developer-centric risk signals: hardcoded secrets, risky code changes, overprivileged tokens, and supply chain threats. The Pwnbook integration pulls Arnica findings into your engagements for consolidated review.
Prerequisites
- An Arnica account
- An Arnica API token with read access
- Your Arnica organization ID
- Admin or Owner access in Pwnbook to configure the integration
Credentials required
| Field | Description |
|---|---|
| API Token | An Arnica API token. Generate one in Arnica Settings → Integrations → API. |
| Organization ID | Your Arnica organization identifier, found in Settings → Organization. |
Setup
Generate an Arnica API token
- Log in to your Arnica account.
- Go to Settings → Integrations → API Access.
- Click Generate Token.
- Give the token a descriptive name (e.g., pwnbook).
- Assign Read permissions.
- Copy the token.
Find your organization ID
Your Arnica organization ID is displayed in the URL or in Settings → Organization Details.
What gets synced
| Data | Description |
|---|---|
| Hardcoded secrets | API keys, tokens, and passwords committed to source code |
| Risky code changes | Code changes that touch sensitive areas (auth, cryptography, access control) |
| Supply chain risks | Malicious or highly vulnerable packages in your dependency graph |
| Developer risk signals | Unusual committer behavior, token misuse, and policy violations |
| Severity | Critical, high, medium, low |
| Repository | The repository and branch where the issue was found |
| Remediation | Suggested actions and fix guidance |
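The table above lists the fields Pwnbook receives for each Arnica finding. The following is an added example, not code from Pwnbook or Arnica, that models those fields and applies the same severity, finding-type and repository filters the integration exposes, plus a per-repository summary for consolidated review. The record keys, the type names and the sample findings are constructed for this example and do not reflect Arnica's actual API schema; the validation step rejects records with an unknown severity rather than silently ranking them low.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Severity ordering as listed in the "What gets synced" table (0 = most urgent).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Field names below are this example's own; they are not Arnica's API schema.
REQUIRED_KEYS = ("type", "severity", "repository", "branch", "remediation")


@dataclass(frozen=True)
class Finding:
    finding_type: str   # e.g. "hardcoded_secret", "supply_chain" (constructed labels)
    severity: str       # critical / high / medium / low, normalised to lowercase
    repository: str
    branch: str
    remediation: str


def is_valid_record(record: dict) -> bool:
    """True if a synced record has every required field and a known severity."""
    if any(k not in record for k in REQUIRED_KEYS):
        return False
    return str(record["severity"]).lower() in SEVERITY_RANK


def finding_from_record(record: dict) -> Finding:
    """Convert a raw synced record into a Finding, refusing malformed input."""
    if not is_valid_record(record):
        raise ValueError(f"malformed finding record: {record!r}")
    return Finding(
        finding_type=str(record["type"]),
        severity=str(record["severity"]).lower(),
        repository=str(record["repository"]),
        branch=str(record["branch"]),
        remediation=str(record["remediation"]),
    )


# Constructed sample records (not real Arnica output).
SAMPLE_RECORDS = [
    {"type": "hardcoded_secret", "severity": "Critical", "repository": "acme/payments",
     "branch": "main", "remediation": "Revoke and rotate the key; purge it from history"},
    {"type": "risky_code_change", "severity": "High", "repository": "acme/payments",
     "branch": "feature/auth-refactor", "remediation": "Require security review before merge"},
    {"type": "supply_chain", "severity": "High", "repository": "acme/web",
     "branch": "main", "remediation": "Pin to a known-good version and drop the flagged package"},
    {"type": "developer_risk_signal", "severity": "Medium", "repository": "acme/web",
     "branch": "main", "remediation": "Verify committer identity and review token usage"},
    {"type": "hardcoded_secret", "severity": "Low", "repository": "acme/docs",
     "branch": "main", "remediation": "Replace the test credential with a placeholder"},
]
SAMPLE_FINDINGS = [finding_from_record(r) for r in SAMPLE_RECORDS]


def filter_findings(findings: Iterable[Finding], *, min_severity: str = "low",
                    finding_type: Optional[str] = None,
                    repository: Optional[str] = None) -> List[Finding]:
    """Apply the three filters Pwnbook offers (severity floor, type, repository),
    returning results ordered most-severe first, then by repository."""
    threshold = SEVERITY_RANK[min_severity.lower()]
    kept = []
    for f in findings:
        if SEVERITY_RANK[f.severity] > threshold:
            continue
        if finding_type is not None and f.finding_type != finding_type:
            continue
        if repository is not None and f.repository != repository:
            continue
        kept.append(f)
    return sorted(kept, key=lambda f: (SEVERITY_RANK[f.severity], f.repository))


def summarize_by_repository(findings: Iterable[Finding]) -> Dict[str, Dict[str, int]]:
    """Count findings per repository and severity for a consolidated review."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        counts = summary.setdefault(f.repository, {s: 0 for s in SEVERITY_RANK})
        counts[f.severity] += 1
    return summary


if __name__ == "__main__":
    for f in filter_findings(SAMPLE_FINDINGS, min_severity="high"):
        print(f"{f.severity:<8} {f.finding_type:<22} {f.repository}@{f.branch}: {f.remediation}")
    for repo, counts in summarize_by_repository(SAMPLE_FINDINGS).items():
        print(repo, counts)
```

Running the module prints the high-and-above findings followed by the per-repository counts; in practice you would feed it the records exported from the Security Findings view instead of the constructed sample.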
Viewing findings in Pwnbook
Arnica findings appear under Security Findings → Arnica in the engagement. You can filter by severity, finding type, and repository. Findings can be linked to threat model threats and tracked through remediation.
Disconnecting
To remove the Arnica integration:
- Go to Organization Settings → Marketplace → Arnica.
- Click Disconnect.
- Confirm.