
Environment Variables Configuration

Reference guide for configuring Pentographer environment variables for database, session, storage, and AI access.

Pentographer reads its configuration from environment variables at startup. Set these variables in your .env.local file (local development) or pass them to your Docker container.

Required Variables

Configure these settings to boot the server:

  • DATABASE_URL: Connection string for PostgreSQL (e.g. postgres://user:password@host:5432/db).
  • NEXTAUTH_SECRET: A secure random string used to sign session cookies. Generate one with openssl rand -base64 32.
  • NEXTAUTH_URL: The canonical URL of your deployment (e.g. https://app.yourdomain.com). In production this must be the full HTTPS URL, including the subdomain. NextAuth uses it to construct OAuth callback URLs — a mismatch between this value and the actual request host causes authentication failures. For local development, http://localhost:3000 is correct.

Storage Variables

Pentographer uses a storage adapter to manage finding evidence screenshots.

  • STORAGE_BACKEND: Set to local (disk storage), minio (self-hosted S3-compatible storage), or vercel (Vercel Blob). Defaults to vercel.
  • STORAGE_PATH: (For local storage) The folder path on the server where uploaded screenshots are saved.

[!WARNING] If you deploy with Docker and use local storage, ensure that the path specified in STORAGE_PATH is mounted as a persistent Docker volume. If you do not mount this path, you will lose all uploaded evidence screenshots when the container restarts.

MinIO Configuration

If you set STORAGE_BACKEND to minio, configure the following credentials:

  • MINIO_ENDPOINT: The URL of your MinIO instance (defaults to http://localhost:9000).
  • MINIO_REGION: The S3 region string (defaults to us-east-1).
  • MINIO_ACCESS_KEY: The MinIO root username or access key (defaults to minioadmin).
  • MINIO_SECRET_KEY: The MinIO root password or secret access key (defaults to minioadmin).
  • MINIO_BUCKET: The S3 bucket name (defaults to pentographer). The server creates this bucket automatically if it does not exist.

AI Configuration

  • ANTHROPIC_API_KEY: The Anthropic API key used by the application as a fallback when workspace-specific API keys are absent.
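A preflight check over the variables documented above, as an added example that is not part of Pentographer's own code. The function name auditEnv, the 44-character secret threshold, the treatment of an unset STORAGE_PATH as a finding, and the finding messages are all assumptions made here.

```javascript
// Added example: preflight audit of the variables documented on this page.
// Thresholds and messages are assumptions, not Pentographer's own checks.
function auditEnv(env, production = true) {
  const findings = [];
  const need = (k) => {
    if (!env[k]) findings.push(`${k}: required but not set`);
    return env[k];
  };
  need("DATABASE_URL");
  // `openssl rand -base64 32` prints 44 characters; shorter values were likely hand-typed.
  const secret = need("NEXTAUTH_SECRET");
  if (secret && secret.length < 44)
    findings.push("NEXTAUTH_SECRET: shorter than `openssl rand -base64 32` output");
  const url = need("NEXTAUTH_URL");
  if (url) {
    let parsed = null;
    try { parsed = new URL(url); } catch { findings.push("NEXTAUTH_URL: not a valid URL"); }
    if (parsed && production && parsed.protocol !== "https:")
      findings.push("NEXTAUTH_URL: must be the full HTTPS URL in production");
  }
  const backend = env.STORAGE_BACKEND || "vercel"; // documented default
  if (!["local", "minio", "vercel"].includes(backend))
    findings.push(`STORAGE_BACKEND: unknown value "${backend}"`);
  if (backend === "local" && !env.STORAGE_PATH) // assumption: no usable default path
    findings.push("STORAGE_PATH: not set for local storage (needs a persistent volume)");
  if (backend === "minio") {
    // Unset keys fall back to the documented default, minioadmin.
    for (const k of ["MINIO_ACCESS_KEY", "MINIO_SECRET_KEY"]) {
      if ((env[k] || "minioadmin") === "minioadmin")
        findings.push(`${k}: using default credential minioadmin`);
    }
  }
  return findings;
}

// Constructed sample environment (not real credentials).
const sampleEnv = {
  DATABASE_URL: "postgres://user:password@host:5432/db",
  NEXTAUTH_SECRET: "changeme",
  NEXTAUTH_URL: "http://app.yourdomain.com",
  STORAGE_BACKEND: "minio",
  MINIO_ACCESS_KEY: "pentographer-app",
};
const sampleFindings = auditEnv(sampleEnv);
console.log(sampleFindings.join("\n"));
```

Pass process.env as the first argument to audit the real environment before starting the server, and pass false as the second argument for local development.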
