Thanks for taking the time to contribute to OWASP Penetration Testing Kit (PTK)!
PTK is an OWASP open-source browser extension focused on practical application security testing workflows. Contributions of all kinds are welcome: bug fixes, features, docs, tests, and new scanning modules.
- Report bugs (with clear reproduction steps)
- Suggest enhancements
- Fix issues (good first issues are ideal starting points)
- Improve documentation (README, wiki pages, examples)
- Add or improve modules (DAST / SAST / IAST / SCA logic and content)
Please use GitHub Issues for questions, bug reports, and feature requests:
https://github.com/DenisPodgurskii/pentestkit/issues
- Search existing issues and PRs to avoid duplicates.
- If your change is non-trivial, open an issue first to discuss approach and scope.
PTK is a browser extension (Chromium + Firefox). Setup varies by browser and platform, but the workflow is typically:
- Clone the repo
- Install dependencies (if applicable in this repo)
- Load the extension in developer mode:
  - Chromium: chrome://extensions → Developer mode → Load unpacked
  - Firefox: about:debugging → This Firefox → Load Temporary Add-on
If the repo contains build scripts (recommended), prefer using those to generate the final extension bundle.
If you have build/setup steps that are “the one true way” for PTK, add them here (or link to a dedicated docs page). Keep it short and reproducible.
- Create a new branch from main:
  - feature/<name> for new features
  - fix/<name> for bug fixes
  - docs/<name> for documentation changes
- Keep PRs small and focused.
- Include a clear PR description:
  - What changed
  - Why it changed
  - How it was tested
At minimum:
- Describe how you tested (browser + OS + target app if relevant).
- If your change affects scanning logic, include:
  - a small reproduction case, sample target, or sample scan output
  - any screenshots/logs that help validate behavior
Where possible:
- Add/extend automated tests (unit/integration) if this repo has a test harness.
- Avoid changes that introduce noisy findings or obvious false positives.
- Prefer readability over cleverness.
- Avoid adding new dependencies unless necessary.
- Keep security-sensitive logic explicit (input validation, URL handling, message passing, storage).
If your change touches scanning modules (DAST/SAST/IAST/SCA):
- Keep metadata accurate (name, description, severity, confidence).
- Make recommendations concise and actionable.
- Ensure payloads and probes are safe by default and respect user scope.
- Avoid actions that could cause unintended harm (e.g., destructive requests) unless explicitly marked and documented.
Please do not file public issues for security vulnerabilities.
See SECURITY.md for the responsible disclosure process.
By contributing, you agree that your contributions will be licensed under the same license as this project.