The problem: scanning internal apps without exposing them
Most SaaS security scanners only see public URLs. If you want to run vulnerability scans (OWASP Top 10–style) on internal apps—admin panels, staging, VPN-only tools—you usually have to either expose them or run something yourself. I wanted a middle ground: a cloud dashboard for scheduling and reports, but scans for internal URLs running inside my own network.
So I built Scryn: a web application security scanner (DAST) that runs in the cloud and can also scan stuff that’s not on the public internet.
How it works
- Cloud: You get a normal SaaS dashboard—add targets, schedule scans, see results, set up auth (cookies, headers, or a small recorder for OAuth/SAML).
- Internal URLs: You run a scan agent in your own network (Docker, Kubernetes/Helm, or Windows). The agent talks outbound to my API, pulls scan jobs, runs the scan locally with OWASP ZAP, and sends results back. The target app never receives traffic from the internet—only from the agent.
Same auth profiles work for both cloud and agent scans, so you don’t reconfigure everything when you switch.
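The agent model above (outbound polling, local scan, results posted back) has one design point worth making explicit: an agent sitting inside the network should only scan targets its operator has approved, so a job that names an unexpected host is rejected rather than run. The following is an added example of that pattern, not Scryn's agent code. The endpoint paths (/v1/jobs/next, /v1/jobs/<id>/results), the job JSON shape, the run_scan() stub that stands in for the ZAP run, and the sample address ranges are all assumptions for illustration.

```python
"""Minimal outbound-only scan agent loop with a target allowlist.

Added example, not Scryn's agent code. Endpoint paths, job shape and the
run_scan() stub are assumptions; the allowlist check is the reusable part.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Operator-configured ranges the agent may scan (constructed sample values).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


def resolve(host):
    """Resolve a hostname to its addresses. Kept separate so it can be stubbed."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def target_allowed(url, allowed=ALLOWED_NETWORKS, resolver=resolve):
    """True only if the URL is http(s) and every resolved address lies inside
    an allowed network. Bad scheme, unresolvable host, or any address outside
    the ranges rejects the target (fail closed)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolver(parts.hostname)
    except (OSError, ValueError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            return False
        if not any(ip in net for net in allowed):
            return False
    return True


def run_scan(job):
    """Stand-in for the local ZAP run (assumption; not a real ZAP integration)."""
    return {"job_id": job["id"], "target": job["target"], "alerts": []}


def handle_job(job, allowed=ALLOWED_NETWORKS, resolver=resolve):
    """Decide what to do with one job pulled from the API and return the
    result payload that would be posted back."""
    if not target_allowed(job["target"], allowed, resolver):
        return {"job_id": job["id"], "status": "rejected",
                "reason": "target outside agent allowlist"}
    result = run_scan(job)
    result["status"] = "completed"
    return result


def poll_once(session, api_url, token, allowed=ALLOWED_NETWORKS):
    """One iteration of the outbound-only loop: GET the next job, handle it,
    POST the result. `session` is any requests-like object; endpoint paths
    are assumptions, not Scryn's API."""
    headers = {"Authorization": f"Bearer {token}"}
    resp = session.get(f"{api_url}/v1/jobs/next", headers=headers, timeout=30)
    if resp.status_code == 204:
        return None  # nothing queued
    resp.raise_for_status()
    job = resp.json()
    result = handle_job(job, allowed)
    session.post(f"{api_url}/v1/jobs/{job['id']}/results",
                 json=result, headers=headers, timeout=30)
    return result
```

The resolver is injectable so the allowlist logic can be unit-tested without DNS, and the check resolves every address a name maps to, since a name that resolves to both an internal and an external address would otherwise slip through.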
Try it in a few minutes
- Sign up at scryn.cloud.
- In the dashboard, go to Config → Scan Agents and add an agent. Copy the agent token.
- Run the agent (example with Docker):
    docker run -d \
      --name scryn-agent \
      -e API_URL=https://api.scryn.cloud \
      -e AGENT_TOKEN=your-agent-token \
      -e AGENT_ID=your-agent-id \
      --restart unless-stopped \
      --network host \
      -m 6g \
      scryncloud/scan_agent:latest
- In the dashboard, add a target URL that the agent can reach (e.g. an internal staging URL) and start a scan. The scan is assigned to the agent and runs on your side.
You do need a Scryn account and the token from the dashboard to run the agent.
There’s a free Scryn trial so you can run a few scans without any cost.
What I’d do differently next time
ZAP in containers: Memory and tuning for ZAP in Docker took some iteration; 6 GB is a safe default for heavier scans.
Agent–API contract: Keeping the job payload small and the agent stateless made it easier to scale and debug.
Who it’s for
- Teams that want DAST without managing ZAP themselves.
- Anyone who needs to scan internal or VPN-only apps without opening firewall rules.
- CI/CD: you can trigger scans via the API and optionally pin them to an agent with scan_agent_id.
If you’ve used other DAST tools or run ZAP yourself, I’d love to hear what’s missing or annoying — and what would make you actually use something like this. Drop a comment or reach out via scryn.cloud/contact.