La Guida · 02

Setup

One command opens the guided wizard. Marinara walks you through everything in under five minutes.

cd into the project you want to scan first. The scan target is the directory you launch opt from, not something it clones remotely.
The one command

Run this from your project root. It scaffolds .ohpentesting/, starts the Next.js web wizard on port 7676, and opens your browser automatically.

opt setup

Pass --port 7777 to use a different port if 7676 is taken.

What the wizard does
1. Connect an AI provider
The wizard detects whether you have the claude CLI on PATH and pre-selects it. Click ▶ Run to confirm, or expand Or pick a different provider to choose Claude API, Ollama, or OpenRouter. API-key providers prompt you to paste your key; it is stored in your OS keychain, never in the repo.
2. Wire GitHub
Paste your repo slug (owner/name) so remediation agents know where to open pull requests. Then paste a GitHub Personal Access Token with read/write access to Contents and Pull requests (the fine-grained token permissions of those names); nothing broader is needed. The token is stored in your keychain alongside the API key.
3. Choose autonomy mode
Three levels; pick the one that fits your workflow:
  • Careful: every fix needs your explicit approval before a PR is opened.
  • Recommended: auto-PR for small, non-critical fixes. Asks first for auth changes, secrets rotation, schema migrations, and large diffs.
  • YOLO: auto-PR for everything except the hard-coded safety triggers.
4. Acknowledge authorisation
A hard gate: you must confirm explicitly that you have authorisation to test the target codebase. Your name and a timestamp are recorded in .ohpentesting/config.yml. No scan can run until this is acknowledged.
5. Run your first scan
Once setup completes, Marinara offers to kick off a starter scan (5 safe regex-only playbooks, no network, no AI cost). Accept to see results immediately, or skip and run opt scan from the terminal whenever you’re ready.
Terminal-only alternative

If you prefer the terminal over the browser, opt connect handles provider setup interactively: it picks the provider, probes it, writes the provider choice to config.yml and stores any API key in your keychain, exactly as the wizard does. Then run opt scan directly.

opt connect   # interactive provider picker + probe + keychain storage
opt scan      # jump straight to scanning
What gets created
.ohpentesting/
  config.yml          ← all your settings live here (no secrets: keys and tokens stay in the keychain)
  issues/             ← one JSON file per discovered issue
  scans/              ← scan run metadata
  reports/            ← generated reports
  logs/               ← agent activity logs
  playbooks/local/    ← drop custom playbooks here

The directory is added to your .gitignore automatically. State files never end up in the repo.
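Two properties of the layout above are worth checking by hand after setup: that .ohpentesting/ really is listed in .gitignore, and that config.yml holds settings only, with no API key or GitHub token pasted into it. The following script is an added example written for this page, not part of opt; it reads .gitignore and config.yml directly instead of calling git, so it also works before the first commit. The token prefixes it looks for (ghp_, github_pat_, sk-ant-, sk-) and the "key/token/secret field with a long value" heuristic are assumptions chosen for illustration, not a list the page or the tool defines.

```sh
#!/bin/sh
# Added example (not opt's own code): post-setup hygiene checks for the
# .ohpentesting/ state directory described on this page.

# Return 0 if the .gitignore file ($1) contains a line that ignores the
# .ohpentesting directory, with or without trailing slash or leading "/".
ohpt_state_ignored() {
  ignore_file=$1
  [ -f "$ignore_file" ] || return 1
  grep -Eq '^/?\.ohpentesting/?$' "$ignore_file"
}

# Return 0 if the config file ($1) exists and contains no value that looks
# like a pasted credential. Assumed prefixes: GitHub PATs (ghp_, github_pat_),
# Anthropic keys (sk-ant-) and generic sk- keys; second pattern catches any
# key/token/secret field whose value is a long opaque string.
ohpt_config_clean() {
  cfg=$1
  [ -f "$cfg" ] || return 1
  if grep -Eq '(ghp_|github_pat_|sk-ant-|sk-)[A-Za-z0-9_-]{16,}' "$cfg"; then
    return 1
  fi
  if grep -Eiq '^[[:space:]]*[a-z_]*(key|token|secret)[a-z_]*:[[:space:]]*.?[A-Za-z0-9_-]{20,}' "$cfg"; then
    return 1
  fi
  return 0
}

# Run both checks against a project root ($1, default ".") and print a
# one-line verdict per check. Returns 0 only if both pass.
ohpt_check_repo() {
  root=${1:-.}
  status=0
  if ohpt_state_ignored "$root/.gitignore"; then
    echo "ok   .ohpentesting/ is listed in $root/.gitignore"
  else
    echo "FAIL .ohpentesting/ is not ignored; scan state could be committed"
    status=1
  fi
  if ohpt_config_clean "$root/.ohpentesting/config.yml"; then
    echo "ok   config.yml contains no secret-looking values"
  else
    echo "FAIL config.yml is missing or contains a value that looks like a key or token"
    status=1
  fi
  return $status
}

# Usage: sh check-ohpt.sh /path/to/project
if [ $# -gt 0 ]; then
  ohpt_check_repo "$1"
fi
```

Run it from the project root after opt setup or opt connect; a FAIL on the second check means a credential ended up in config.yml and should be moved to the keychain and rotated, since the file was meant to hold settings only.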