# Arnica

> Connect Arnica to import code security posture and supply chain findings into Pwnbook, including hardcoded secrets, risky code changes, and developer risk signals.

## Overview

Arnica is a code security posture management (CSPM) platform focused on developer-centric risk signals: hardcoded secrets, risky code changes, overprivileged tokens, and supply chain threats. The Pwnbook integration pulls Arnica findings into your engagements for consolidated review.

## Prerequisites

* An [Arnica](https://www.arnica.io) account
* An Arnica API token with read access
* Your Arnica organization ID
* Admin or Owner access in Pwnbook to configure the integration

## Credentials required

| Field               | Description                                                                    |
| ------------------- | ------------------------------------------------------------------------------ |
| **API Token**       | An Arnica API token. Generate one in **Arnica Settings → Integrations → API**. |
| **Organization ID** | Your Arnica organization identifier, found in **Settings → Organization**.     |

## Setup

<Steps>
  <Step title="Generate an Arnica API token">
    1. Log in to your Arnica account.
    2. Go to **Settings → Integrations → API Access**.
    3. Click **Generate Token**.
    4. Give the token a descriptive name (e.g., `pwnbook`).
    5. Assign **Read** permissions.
    6. Copy the token.
  </Step>

  <Step title="Find your organization ID">
    Your Arnica organization ID is displayed in the URL or in **Settings → Organization Details**.
  </Step>

  <Step title="Configure the integration in Pwnbook">
    1. Go to **Organization Settings → Marketplace → Arnica**.
    2. Click **Configure**.
    3. Enter your **API Token** and **Organization ID**.
    4. Click **Save & Test**.
  </Step>
</Steps>

## What gets synced

| Data                       | Description                                                                  |
| -------------------------- | ---------------------------------------------------------------------------- |
| **Hardcoded secrets**      | API keys, tokens, and passwords committed to source code                     |
| **Risky code changes**     | Code changes that touch sensitive areas (auth, cryptography, access control) |
| **Supply chain risks**     | Malicious or highly vulnerable packages in your dependency graph             |
| **Developer risk signals** | Unusual committer behavior, token misuse, and policy violations              |
| **Severity**               | Critical, high, medium, low                                                  |
| **Repository**             | The repository and branch where the issue was found                          |
| **Remediation**            | Suggested actions and fix guidance                                           |

## Viewing findings in Pwnbook

Arnica findings appear under **Security Findings → Arnica** in the engagement. You can filter by severity, finding type, and repository. Findings can be linked to threat model threats and tracked through remediation.

## Disconnecting

To remove the Arnica integration:

1. Go to **Organization Settings → Marketplace → Arnica**.
2. Click **Disconnect**.
3. Confirm.
