2025-11-05 01:17:04 +02:00
<p align="center">
<a href="https://usestrix.com/">
<img src=".github/logo.png" width="150" alt="Strix Logo">
</a>
</p>
2025-11-13 15:55:41 -05:00
<h1 align="center">Strix</h1>
2025-11-05 01:17:04 +02:00
<h2 align="center">Open-source AI Hackers to secure your Apps</h2>
2025-08-08 20:36:44 -07:00
<div align="center">
2025-11-05 01:17:04 +02:00
[](https://pypi.org/project/strix-agent/)
[](https://pypi.org/project/strix-agent/)
[](https://pepy.tech/projects/strix-agent)
[](LICENSE)
2025-08-08 20:36:44 -07:00
2025-11-05 01:17:04 +02:00
[](https://github.com/usestrix/strix)
2025-11-07 18:03:47 +04:00
[](https://discord.gg/YjKFvEZSdZ)
2025-11-05 01:17:04 +02:00
[](https://usestrix.com)
2025-08-08 20:36:44 -07:00
2025-11-08 15:07:53 +04:00
<a href="https://trendshift.io/repositories/15362" target="_blank"><img src="https://trendshift.io/api/badge/repositories/15362" alt="usestrix%2Fstrix | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
2025-11-13 15:55:41 -05:00
2025-12-12 21:58:28 +04:00
[](https://deepwiki.com/usestrix/strix)
</div>
<br>
<div align="center">
<img src=".github/screenshot.png" alt="Strix Demo" width="800" style="border-radius: 16px;">
2025-08-08 20:36:44 -07:00
</div>
2025-11-13 15:55:41 -05:00
<br>
2025-11-05 01:17:04 +02:00
> [!TIP]
> **New!** Strix now integrates seamlessly with GitHub Actions and CI/CD pipelines. Automatically scan for vulnerabilities on every pull request and block insecure code before it reaches production!
2025-08-08 20:36:44 -07:00
---
2025-11-14 20:01:39 +04:00
## 🦉 Strix Overview
2025-08-08 20:36:44 -07:00
2025-11-05 01:17:04 +02:00
Strix are autonomous AI agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proof-of-concepts. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.
2025-08-08 20:36:44 -07:00
2025-11-13 15:55:41 -05:00
**Key Capabilities:**
2025-09-24 19:21:01 -07:00
2025-11-13 15:55:41 -05:00
- 🔧 **Full hacker toolkit** out of the box
- 🤝 **Teams of agents** that collaborate and scale
- ✅ **Real validation** with PoCs, not false positives
- 💻 **Developer‑ first** CLI with actionable reports
- 🔄 **Auto‑ fix & reporting** to accelerate remediation
2025-09-24 19:21:01 -07:00
2025-09-28 21:04:40 -07:00
2025-11-13 15:55:41 -05:00
## 🎯 Use Cases
- **Application Security Testing** - Detect and validate critical vulnerabilities in your applications
- **Rapid Penetration Testing** - Get penetration tests done in hours, not weeks, with compliance reports
- **Bug Bounty Automation** - Automate bug bounty research and generate PoCs for faster reporting
2025-11-14 20:01:39 +04:00
- **CI/CD Integration** - Run tests in CI/CD to block vulnerabilities before reaching production
2025-09-28 21:04:40 -07:00
---
2025-11-13 15:55:41 -05:00
## 🚀 Quick Start
2025-08-08 20:36:44 -07:00
2025-11-13 15:55:41 -05:00
**Prerequisites:**
2025-09-24 19:21:01 -07:00
- Docker (running)
- Python 3.12+
2025-11-14 20:01:39 +04:00
- An LLM provider key (e.g. [get OpenAI API key ](https://platform.openai.com/api-keys ) or use a local LLM)
2025-09-24 19:21:01 -07:00
2025-11-13 15:55:41 -05:00
### Installation & First Scan
2025-08-08 20:36:44 -07:00
```bash
2025-11-13 15:55:41 -05:00
# Install Strix
2025-08-08 20:36:44 -07:00
pipx install strix-agent
2025-11-13 15:55:41 -05:00
# Configure your AI provider
2025-08-15 13:02:39 -07:00
export STRIX_LLM = "openai/gpt-5"
2025-08-08 20:36:44 -07:00
export LLM_API_KEY = "your-api-key"
2025-11-13 15:55:41 -05:00
# Run your first security assessment
2025-08-08 20:36:44 -07:00
strix --target ./app-directory
```
2025-11-14 16:07:54 +00:00
> [!NOTE]
2025-11-22 22:28:14 +04:00
> First run automatically pulls the sandbox Docker image. Results are saved to `strix_runs/<run-name>`
2025-08-08 20:36:44 -07:00
2025-11-21 23:07:11 +04:00
## ☁️ Run Strix in Cloud
2025-11-13 15:55:41 -05:00
2025-12-01 16:04:46 +04:00
Want to skip the local setup, API keys, and unpredictable LLM costs? Run the hosted cloud version of Strix at ** [app.usestrix.com ](https://usestrix.com )**.
2025-08-08 20:36:44 -07:00
2025-11-21 23:07:11 +04:00
Launch a scan in just a few minutes—no setup or configuration required—and you’ ll get:
2025-11-10 10:49:37 +01:00
2025-11-21 23:07:11 +04:00
- **A full pentest report** with validated findings and clear remediation steps
- **Shareable dashboards** your team can use to track fixes over time
- **CI/CD and GitHub integrations** to block risky changes before production
- **Continuous monitoring** so new vulnerabilities are caught quickly
2025-11-10 10:49:37 +01:00
2025-12-01 16:04:46 +04:00
[**Run your first pentest now →** ](https://usestrix.com )
2025-11-10 10:49:37 +01:00
2025-11-13 15:55:41 -05:00
---
2025-08-08 20:36:44 -07:00
## ✨ Features
### 🛠️ Agentic Security Tools
2025-11-13 15:55:41 -05:00
Strix agents come equipped with a comprehensive security testing toolkit:
2025-11-14 20:01:39 +04:00
- **Full HTTP Proxy** - Full request/response manipulation and analysis
- **Browser Automation** - Multi-tab browser for testing of XSS, CSRF, auth flows
- **Terminal Environments** - Interactive shells for command execution and testing
- **Python Runtime** - Custom exploit development and validation
- **Reconnaissance** - Automated OSINT and attack surface mapping
- **Code Analysis** - Static and dynamic analysis capabilities
- **Knowledge Management** - Structured findings and attack documentation
2025-08-08 20:36:44 -07:00
### 🎯 Comprehensive Vulnerability Detection
2025-11-13 15:55:41 -05:00
Strix can identify and validate a wide range of security vulnerabilities:
2025-11-14 20:01:39 +04:00
- **Access Control** - IDOR, privilege escalation, auth bypass
- **Injection Attacks** - SQL, NoSQL, command injection
- **Server-Side** - SSRF, XXE, deserialization flaws
- **Client-Side** - XSS, prototype pollution, DOM vulnerabilities
- **Business Logic** - Race conditions, workflow manipulation
- **Authentication** - JWT vulnerabilities, session management
- **Infrastructure** - Misconfigurations, exposed services
2025-08-08 20:36:44 -07:00
### 🕸️ Graph of Agents
2025-11-13 15:55:41 -05:00
Advanced multi-agent orchestration for comprehensive security testing:
2025-11-14 20:01:39 +04:00
- **Distributed Workflows** - Specialized agents for different attacks and assets
- **Scalable Testing** - Parallel execution for fast comprehensive coverage
- **Dynamic Coordination** - Agents collaborate and share discoveries
2025-11-13 15:55:41 -05:00
---
2025-08-08 20:36:44 -07:00
## 💻 Usage Examples
2025-11-13 15:55:41 -05:00
### Basic Usage
2025-11-10 10:49:37 +01:00
2025-08-08 20:36:44 -07:00
```bash
2025-11-13 15:55:41 -05:00
# Scan a local codebase
2025-08-08 20:36:44 -07:00
strix --target ./app-directory
2025-11-13 15:55:41 -05:00
# Security review of a GitHub repository
2025-08-08 20:36:44 -07:00
strix --target https://github.com/org/repo
2025-11-13 15:55:41 -05:00
# Black-box web application assessment
2025-08-08 20:36:44 -07:00
strix --target https://your-app.com
2025-11-13 15:55:41 -05:00
```
2025-08-08 20:36:44 -07:00
2025-11-13 15:55:41 -05:00
### Advanced Testing Scenarios
2025-11-10 10:49:37 +01:00
2025-11-13 15:55:41 -05:00
```bash
# Grey-box authenticated testing
2025-11-14 20:01:39 +04:00
strix --target https://your-app.com --instruction "Perform authenticated testing using credentials: user:pass"
2025-11-13 15:55:41 -05:00
# Multi-target testing (source code + deployed app)
2025-11-14 20:01:39 +04:00
strix -t https://github.com/org/app -t https://your-app.com
2025-11-01 01:39:01 +02:00
2025-11-13 15:55:41 -05:00
# Focused testing with custom instructions
2025-11-14 20:01:39 +04:00
strix --target api.your-app.com --instruction "Focus on business logic flaws and IDOR vulnerabilities"
2025-12-03 13:59:59 -05:00
# Provide detailed instructions through file (e.g., rules of engagement, scope, exclusions)
2025-12-08 20:23:51 +01:00
strix --target api.your-app.com --instruction-file ./instruction.md
2025-10-31 21:06:04 +02:00
```
2025-10-31 20:53:28 +02:00
### 🤖 Headless Mode
2025-10-31 21:06:04 +02:00
Run Strix programmatically without interactive UI using the `-n/--non-interactive` flag—perfect for servers and automated jobs. The CLI prints real-time vulnerability findings, and the final report before exiting. Exits with non-zero code when vulnerabilities are found.
2025-10-31 20:53:28 +02:00
```bash
2025-11-10 10:49:37 +01:00
strix -n --target https://your-app.com
2025-10-31 20:53:28 +02:00
```
### 🔄 CI/CD (GitHub Actions)
Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:
```yaml
name : strix-penetration-test
on :
pull_request :
jobs :
security-scan :
runs-on : ubuntu-latest
steps :
2025-12-11 19:24:20 +01:00
- uses : actions/checkout@v6
2025-10-31 20:53:28 +02:00
- name : Install Strix
run : pipx install strix-agent
- name : Run Strix
env :
STRIX_LLM : ${{ secrets.STRIX_LLM }}
LLM_API_KEY : ${{ secrets.LLM_API_KEY }}
2025-08-08 20:36:44 -07:00
2025-11-01 01:39:01 +02:00
run : strix -n -t ./
2025-08-08 20:36:44 -07:00
```
2025-11-10 10:49:37 +01:00
### ⚙️ Configuration
2025-08-08 20:36:44 -07:00
2025-11-10 10:49:37 +01:00
```bash
export STRIX_LLM = "openai/gpt-5"
export LLM_API_KEY = "your-api-key"
2025-08-08 20:36:44 -07:00
2025-11-10 10:49:37 +01:00
# Optional
export LLM_API_BASE = "your-api-base-url" # if using a local model, e.g. Ollama, LMStudio
export PERPLEXITY_API_KEY = "your-api-key" # for search capabilities
```
2025-08-08 20:36:44 -07:00
2025-11-23 22:29:44 +04:00
[OpenAI's GPT-5 ](https://openai.com/api/ ) (`openai/gpt-5` ) and [Anthropic's Claude Sonnet 4.5 ](https://claude.com/platform/api ) (`anthropic/claude-sonnet-4-5` ) are the recommended models for best results with Strix. We also support many [other options ](https://docs.litellm.ai/docs/providers ), including cloud and local models, though their performance and reliability may vary.
2025-08-08 20:36:44 -07:00
2025-10-10 02:41:42 -07:00
## 🤝 Contributing
2025-12-03 20:09:22 +00:00
We welcome contributions of code, docs, and new prompt modules - check out our [Contributing Guide ](CONTRIBUTING.md ) to get started or open a [pull request ](https://github.com/usestrix/strix/pulls )/[issue ](https://github.com/usestrix/strix/issues ).
2025-10-10 02:41:42 -07:00
2025-11-10 10:49:37 +01:00
## 👥 Join Our Community
Have questions? Found a bug? Want to contribute? ** [Join our Discord! ](https://discord.gg/YjKFvEZSdZ )**
2025-08-08 20:36:44 -07:00
## 🌟 Support the Project
**Love Strix?** Give us a ⭐ on GitHub!
2025-11-29 19:27:30 +04:00
## 🙏 Acknowledgements
Strix builds on the incredible work of open-source projects like [LiteLLM ](https://github.com/BerriAI/litellm ), [Caido ](https://github.com/caido/caido ), [ProjectDiscovery ](https://github.com/projectdiscovery ), [Playwright ](https://github.com/microsoft/playwright ), and [Textual ](https://github.com/Textualize/textual ). Huge thanks to their maintainers!
2025-08-08 20:36:44 -07:00
2025-11-14 20:01:39 +04:00
> [!WARNING]
> Only test apps you own or have permission to test. You are responsible for using Strix ethically and legally.
2025-08-08 20:36:44 -07:00
</div>