Self-Hosting Pentographer
Deploy Pentographer on your own server using Docker Compose, with full control over data residency, storage, and network configuration.
Self-hosting gives you complete control over where your data lives. All project descriptions, customer files, and findings stay on your own infrastructure. You can run Pentographer in air-gapped environments, behind a corporate VPN, or on any Linux server without sending assessment data to a third party.
If you just want to try Pentographer before committing to a deployment, see the Quick Start Guide to run it locally in minutes.
Infrastructure Requirements
- Operating System: Linux (Ubuntu 22.04 LTS or newer recommended), macOS, or Windows Server.
- Container Engine: Docker Engine 24+ and Docker Compose v2+.
- Database: PostgreSQL 16+ (included in the Docker Compose stack below).
- Memory: Minimum 1 GB RAM (2 GB recommended for teams).
- Anthropic API key: Optional. Required only for AI-assisted finding drafts and report summaries.
The Role of MinIO
Pentographer Cloud stores evidence screenshots and report templates on managed object storage. For self-hosted deployments, the Docker Compose stack includes MinIO — a self-hosted, S3-compatible service — as a companion container. It stores your files locally and exposes them to the application via the S3 API. All file access is proxied through /api/files/, so the MinIO port is never publicly accessible.
Docker Compose Setup
Create a directory for your deployment and save the following as docker-compose.yml:
```yaml
version: "3.8"
services:
  app:
    image: lswartsenburg/pentographer:latest
    ports:
      # Loopback only: reached through the local reverse proxy.
      - "127.0.0.1:3000:3000"
    environment:
      - DATABASE_URL=postgres://postgres:postgres_password@db:5432/pentographer
      - NEXTAUTH_SECRET=your_nextauth_secret_key_here
      - NEXTAUTH_URL=https://app.yourdomain.com
      - ANTHROPIC_API_KEY=your_anthropic_api_key_here
      - STORAGE_BACKEND=minio
      - MINIO_ENDPOINT=http://minio:9000
      - MINIO_ACCESS_KEY=minio_access_key
      - MINIO_SECRET_KEY=minio_secret_key
      - MINIO_BUCKET=pentographer
    depends_on:
      - db
      - minio
  db:
    image: postgres:16-alpine
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres_password
      - POSTGRES_DB=pentographer
    volumes:
      - pgdata:/var/lib/postgresql/data
  minio:
    image: minio/minio:latest
    command: server /data --console-address ":9001"
    ports:
      # Loopback only: the app reaches MinIO over the Compose network
      # (http://minio:9000), so these ports are for local administration.
      - "127.0.0.1:9000:9000"
      - "127.0.0.1:9001:9001"
    environment:
      - MINIO_ROOT_USER=minio_access_key
      - MINIO_ROOT_PASSWORD=minio_secret_key
    volumes:
      - miniodata:/data
volumes:
  pgdata:
  miniodata:
```
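Replace the placeholder values with your own secrets. The database password appears in both DATABASE_URL and POSTGRES_PASSWORD, and the MinIO credentials appear in both the app service (MINIO_ACCESS_KEY, MINIO_SECRET_KEY) and the minio service (MINIO_ROOT_USER, MINIO_ROOT_PASSWORD); each pair must match. Generate NEXTAUTH_SECRET with openssl rand -base64 32. Set NEXTAUTH_URL to the public HTTPS URL you will put in front of this stack.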
The app container binds to 127.0.0.1:3000 so the port is only reachable via a local reverse proxy, not directly from the internet.
[!CAUTION] Change the default MinIO credentials (minio_access_key/minio_secret_key) before exposing port 9000 or 9001 to any network. The MinIO web console at port 9001 uses the same credentials.
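A pre-flight check for the steps above, as an added example that is not part of the Pentographer project: it flags placeholder values from this page's compose file that are still present, and any port mapping published without a 127.0.0.1 host address. The function name preflight_compose and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Pentographer project code: pre-flight check for docker-compose.yml.
# Placeholder strings are the ones in the compose file on this page.
PLACEHOLDERS='postgres_password your_nextauth_secret_key_here your_anthropic_api_key_here
minio_access_key minio_secret_key app.yourdomain.com'

# preflight_compose FILE (hypothetical helper name)
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
preflight_compose() {
  pf_file=$1
  pf_rc=0
  for pf_p in $PLACEHOLDERS; do
    if grep -qF -- "$pf_p" "$pf_file"; then
      echo "PLACEHOLDER $pf_p"
      pf_rc=1
    fi
  done
  # Port mappings without a 127.0.0.1 host address are published on every interface.
  pf_ports=$(grep -E '^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:[0-9]+"?[[:space:]]*$' "$pf_file" \
    | grep -v '127\.0\.0\.1:' | tr -d ' "-')
  for pf_m in $pf_ports; do
    echo "EXPOSED $pf_m"
    pf_rc=1
  done
  return $pf_rc
}

# Constructed sample: secrets replaced, but MinIO still published on all interfaces.
demo=$(mktemp)
cat > "$demo" <<'EOF'
services:
  app:
    ports:
      - "127.0.0.1:3000:3000"
    environment:
      - NEXTAUTH_SECRET=Zm9vYmFyLWNvbnN0cnVjdGVkLXNhbXBsZS12YWx1ZQ==
      - MINIO_SECRET_KEY=constructed-sample-secret
  minio:
    ports:
      - "9000:9000"
      - "9001:9001"
EOF
preflight_compose "$demo" || echo "fix the findings above before 'docker compose up -d'"
rm -f "$demo"
```

Call preflight_compose docker-compose.yml from the deployment directory; a zero exit status means no placeholder or non-loopback port mapping was found.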
Starting the Stack
$ docker compose up -d
The application runs database migrations automatically on first start. Check docker compose logs -f app to confirm a clean startup, then access the dashboard at http://localhost:3000 (before reverse proxy) or your domain.
Next Steps
- Add HTTPS: See the Reverse Proxy and SSL Setup guide to put nginx or Caddy in front of the stack with automatic Let's Encrypt certificates.
- Review environment variables: See the Environment Variables Configuration reference for the full list of options.
- Invite your team: Create your admin account on first login, then go to Workspace Settings > Team to add members.
- Keep it updated: When new releases ship, follow the Upgrading a Self-Hosted Instance guide.