Files
strix/README.md
T

279 lines
12 KiB
Markdown
Raw Normal View History

2025-11-05 01:17:04 +02:00
<p align="center">
2026-01-03 08:28:03 +04:00
<a href="https://strix.ai/">
2026-01-14 05:00:16 +04:00
<img src="https://github.com/usestrix/.github/raw/main/imgs/cover.png" alt="Strix Banner" width="100%">
2025-11-05 01:17:04 +02:00
</a>
</p>
2026-01-14 05:00:16 +04:00
<div align="center">
2025-11-05 01:17:04 +02:00
2026-01-14 05:00:16 +04:00
# Strix
2026-06-29 19:00:46 -07:00
### The open-source AI pentesting tool. Autonomous AI hackers that find and fix your apps vulnerabilities.
2026-01-14 05:00:16 +04:00
<br/>
2025-11-05 01:17:04 +02:00
2025-08-08 20:36:44 -07:00
2026-01-14 05:00:16 +04:00
<a href="https://docs.strix.ai"><img src="https://img.shields.io/badge/Docs-docs.strix.ai-2b9246?style=for-the-badge&logo=gitbook&logoColor=white" alt="Docs"></a>
2026-02-01 05:13:59 +04:00
<a href="https://strix.ai"><img src="https://img.shields.io/badge/Website-strix.ai-f0f0f0?style=for-the-badge&logoColor=000000" alt="Website"></a>
2026-02-22 21:47:24 -05:00
[![](https://dcbadge.limes.pink/api/server/strix-ai)](https://discord.gg/strix-ai)
2025-08-08 20:36:44 -07:00
2026-01-14 05:00:16 +04:00
<a href="https://deepwiki.com/usestrix/strix"><img src="https://deepwiki.com/badge.svg" alt="Ask DeepWiki"></a>
<a href="https://github.com/usestrix/strix"><img src="https://img.shields.io/github/stars/usestrix/strix?style=flat-square" alt="GitHub Stars"></a>
<a href="LICENSE"><img src="https://img.shields.io/badge/License-Apache%202.0-3b82f6?style=flat-square" alt="License"></a>
<a href="https://pypi.org/project/strix-agent/"><img src="https://img.shields.io/pypi/v/strix-agent?style=flat-square" alt="PyPI Version"></a>
2025-08-08 20:36:44 -07:00
2025-11-13 15:55:41 -05:00
2026-01-20 12:58:14 -08:00
<a href="https://discord.gg/strix-ai"><img src="https://github.com/usestrix/.github/raw/main/imgs/Discord.png" height="40" alt="Join Discord"></a>
2026-01-14 05:00:16 +04:00
<a href="https://x.com/strix_ai"><img src="https://github.com/usestrix/.github/raw/main/imgs/X.png" height="40" alt="Follow on X"></a>
2025-12-12 21:58:28 +04:00
2026-01-14 05:00:16 +04:00
<a href="https://trendshift.io/repositories/15362" target="_blank"><img src="https://trendshift.io/api/badge/repositories/15362" alt="usestrix/strix | Trendshift" width="250" height="55"/></a>
2026-07-06 07:38:52 -07:00
<a href="https://trendshift.io/repositories/15362?utm_source=trendshift-badge&amp;utm_medium=badge&amp;utm_campaign=badge-trendshift-15362" target="_blank" rel="noopener noreferrer"><img src="https://trendshift.io/api/badge/trendshift/repositories/15362/weekly" alt="usestrix%2Fstrix | Trendshift" width="250" height="55"/></a>
2025-12-12 21:58:28 +04:00
</div>
> [!TIP]
2026-04-12 12:43:41 -07:00
> **New!** Strix integrates seamlessly with GitHub Actions and CI/CD pipelines. Automatically scan for vulnerabilities on every pull request and block insecure code before it reaches production - [Get started with no setup required](https://app.strix.ai).
2025-08-08 20:36:44 -07:00
---
2026-01-14 05:00:16 +04:00
## Strix Overview
2025-08-08 20:36:44 -07:00
2026-07-03 08:17:02 +05:30
Strix are autonomous AI penetration testing agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proofs-of-concept. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.
2025-08-08 20:36:44 -07:00
2025-11-13 15:55:41 -05:00
**Key Capabilities:**
2025-09-24 19:21:01 -07:00
2026-06-29 19:09:58 -07:00
- **Full pentesting toolkit** - reconnaissance, exploitation, and validation out of the box
- **Multi-agent orchestration** - teams of AI pentesters that collaborate and scale
2026-06-29 19:00:46 -07:00
- **Real exploit validation** - working PoCs, not false positives like legacy vulnerability scanners
2026-06-29 19:09:58 -07:00
- **Developerfirst CLI** - actionable findings with remediation guidance
- **Autofix & reporting** - generate patches and compliance-ready pentest reports
2025-09-24 19:21:01 -07:00
2025-09-28 21:04:40 -07:00
2026-01-23 06:55:35 +04:00
<br>
<div align="center">
<a href="https://strix.ai">
<img src=".github/screenshot.png" alt="Strix Demo" width="1000" style="border-radius: 16px;">
</a>
</div>
2026-02-01 05:13:59 +04:00
## Use Cases
2025-11-13 15:55:41 -05:00
- **Application Security Testing** - Detect and validate critical vulnerabilities in your applications
- **Rapid Penetration Testing** - Get penetration tests done in hours, not weeks, with compliance reports
- **Bug Bounty Automation** - Automate bug bounty research and generate PoCs for faster reporting
- **CI/CD Integration** - Run tests in CI/CD to block vulnerabilities before reaching production
2025-09-28 21:04:40 -07:00
2025-11-13 15:55:41 -05:00
## 🚀 Quick Start
2025-08-08 20:36:44 -07:00
2025-11-13 15:55:41 -05:00
**Prerequisites:**
2025-09-24 19:21:01 -07:00
- Docker (running)
- An LLM API key from any [supported provider](https://docs.strix.ai/llm-providers/overview) (OpenAI, Anthropic, Google, etc.)
2025-09-24 19:21:01 -07:00
2025-11-13 15:55:41 -05:00
### Installation & First Scan
2025-08-08 20:36:44 -07:00
```bash
2025-11-13 15:55:41 -05:00
# Install Strix
2025-12-15 10:11:08 -08:00
curl -sSL https://strix.ai/install | bash
2025-11-13 15:55:41 -05:00
# Configure your AI provider
export STRIX_LLM="openai/gpt-5.4"
2025-08-08 20:36:44 -07:00
export LLM_API_KEY="your-api-key"
2025-11-13 15:55:41 -05:00
# Run your first security assessment
2025-08-08 20:36:44 -07:00
strix --target ./app-directory
```
2025-11-14 16:07:54 +00:00
> [!NOTE]
> First run automatically pulls the sandbox Docker image. Results are saved to `strix_runs/<run-name>`
2025-08-08 20:36:44 -07:00
2025-11-13 15:55:41 -05:00
---
## ☁️ Strix Platform
2026-06-29 19:09:58 -07:00
Try the Strix full-stack penetration testing platform at **[app.strix.ai](https://app.strix.ai)** - sign up for free, connect your repos and domains, and launch a pentest in minutes.
2026-06-29 19:09:58 -07:00
- **Validated findings with PoCs** - every vulnerability includes a working proof-of-concept exploit and reproduction steps
- **One-click autofix** - AI-generated security patches as ready-to-merge pull requests
- **Continuous pentesting** - always-on vulnerability scanning that keeps pace with your deployments
- **DevSecOps integrations** - GitHub, GitLab, Bitbucket, Slack, Jira, Linear, and CI/CD pipelines
- **Continuous learning** - AI that builds on past findings, adapts to your codebase, and reduces false positives over time
[**Start your first pentest →**](https://app.strix.ai)
---
2025-08-08 20:36:44 -07:00
## ✨ Features
2026-06-29 19:00:46 -07:00
### Agentic Pentesting Tools
2025-08-08 20:36:44 -07:00
2026-06-29 19:09:58 -07:00
Strix agents come equipped with a comprehensive offensive security toolkit - the same tools used by professional penetration testers and ethical hackers:
2025-11-13 15:55:41 -05:00
2026-06-29 19:09:58 -07:00
- **HTTP Interception Proxy** - Full request/response manipulation and analysis with Caido
- **Browser Exploitation** - Automated browser for testing XSS, CSRF, clickjacking, and auth bypass flows
- **Shell & Command Execution** - Interactive terminal for exploit development and post-exploitation
- **Custom Exploit Runtime** - Python sandbox for writing and validating proof-of-concept exploits
- **Reconnaissance & OSINT** - Automated attack surface mapping, subdomain enumeration, and fingerprinting
- **Static & Dynamic Code Analysis** - SAST + DAST capabilities for comprehensive application security testing
- **Vulnerability Knowledge Base** - Structured findings with CVSS scoring and OWASP classification
2025-08-08 20:36:44 -07:00
2026-06-29 19:00:46 -07:00
### Comprehensive Vulnerability Scanner
2025-08-08 20:36:44 -07:00
2026-06-29 19:00:46 -07:00
Strix identifies, validates, and exploits a wide range of security vulnerabilities across the OWASP Top 10 and beyond:
2025-11-13 15:55:41 -05:00
2026-06-29 19:09:58 -07:00
- **Broken Access Control** - IDOR, privilege escalation, auth bypass
- **Injection Attacks** - SQL injection, NoSQL injection, OS command injection, SSTI
- **Server-Side Vulnerabilities** - SSRF, XXE, insecure deserialization, RCE
- **Client-Side Attacks** - XSS (stored/reflected/DOM), prototype pollution, CSRF
- **Business Logic Flaws** - Race conditions, payment manipulation, workflow bypass
- **Authentication & Session** - JWT attacks, session fixation, credential stuffing vectors
- **Infrastructure & Cloud** - Misconfigurations, exposed services, cloud security issues
- **API Security** - Broken authentication, mass assignment, rate limiting bypass
2025-08-08 20:36:44 -07:00
2026-06-29 19:00:46 -07:00
### Graph of Agents (Multi-Agent Pentesting)
2025-08-08 20:36:44 -07:00
2026-06-29 19:00:46 -07:00
Advanced multi-agent orchestration for comprehensive automated penetration testing:
2025-11-13 15:55:41 -05:00
2026-06-29 19:09:58 -07:00
- **Distributed Pentesting** - Specialized AI agents for recon, exploitation, and post-exploitation
- **Scalable Security Testing** - Parallel execution across multiple targets for fast, comprehensive coverage
- **Dynamic Coordination** - Agents share discoveries, chain vulnerabilities, and collaborate like a red team
2025-11-13 15:55:41 -05:00
---
2025-08-08 20:36:44 -07:00
2026-01-14 05:00:16 +04:00
## Usage Examples
2025-08-08 20:36:44 -07:00
2025-11-13 15:55:41 -05:00
### Basic Usage
2025-11-10 10:49:37 +01:00
2025-08-08 20:36:44 -07:00
```bash
2025-11-13 15:55:41 -05:00
# Scan a local codebase
2025-08-08 20:36:44 -07:00
strix --target ./app-directory
2025-11-13 15:55:41 -05:00
# Security review of a GitHub repository
2025-08-08 20:36:44 -07:00
strix --target https://github.com/org/repo
2025-11-13 15:55:41 -05:00
# Black-box web application assessment
2025-08-08 20:36:44 -07:00
strix --target https://your-app.com
2025-11-13 15:55:41 -05:00
```
2025-08-08 20:36:44 -07:00
2025-11-13 15:55:41 -05:00
### Advanced Testing Scenarios
2025-11-10 10:49:37 +01:00
2025-11-13 15:55:41 -05:00
```bash
# Grey-box authenticated testing
strix --target https://your-app.com --instruction "Perform authenticated testing using credentials: user:pass"
2025-11-13 15:55:41 -05:00
# Multi-target testing (source code + deployed app)
strix -t https://github.com/org/app -t https://your-app.com
2026-03-31 14:53:49 -04:00
# White-box source-aware scan (local repository)
strix --target ./app-directory --scan-mode standard
2025-11-13 15:55:41 -05:00
# Focused testing with custom instructions
strix --target api.your-app.com --instruction "Focus on business logic flaws and IDOR vulnerabilities"
# Provide detailed instructions through file (e.g., rules of engagement, scope, exclusions)
strix --target api.your-app.com --instruction-file ./instruction.md
2026-03-31 14:53:49 -04:00
# Force PR diff-scope against a specific base branch
strix -n --target ./ --scan-mode quick --scope-mode diff --diff-base origin/main
```
2026-01-14 05:00:16 +04:00
### Headless Mode
2026-07-03 08:17:02 +05:30
Run Strix programmatically without interactive UI using the `-n/--non-interactive` flag - perfect for servers and automated jobs. The CLI prints real-time vulnerability findings and the final report before exiting. Exits with non-zero code when vulnerabilities are found.
```bash
2025-11-10 10:49:37 +01:00
strix -n --target https://your-app.com
```
2026-01-14 05:00:16 +04:00
### CI/CD (GitHub Actions)
Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:
```yaml
name: strix-penetration-test
on:
pull_request:
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
2026-03-31 14:53:49 -04:00
with:
fetch-depth: 0
- name: Install Strix
2025-12-15 10:11:08 -08:00
run: curl -sSL https://strix.ai/install | bash
- name: Run Strix
env:
STRIX_LLM: ${{ secrets.STRIX_LLM }}
LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
2025-08-08 20:36:44 -07:00
2025-12-15 10:11:08 -08:00
run: strix -n -t ./ --scan-mode quick
2025-08-08 20:36:44 -07:00
```
2026-03-31 14:53:49 -04:00
> [!TIP]
> In CI pull request runs, Strix automatically scopes quick reviews to changed files.
> If diff-scope cannot resolve, ensure checkout uses full history (`fetch-depth: 0`) or pass
> `--diff-base` explicitly.
2026-01-14 05:00:16 +04:00
### Configuration
2025-08-08 20:36:44 -07:00
2025-11-10 10:49:37 +01:00
```bash
export STRIX_LLM="openai/gpt-5.4"
2025-11-10 10:49:37 +01:00
export LLM_API_KEY="your-api-key"
2025-08-08 20:36:44 -07:00
2025-11-10 10:49:37 +01:00
# Optional
export LLM_API_BASE="your-api-base-url" # if using a local model, e.g. Ollama, LMStudio
export PERPLEXITY_API_KEY="your-api-key" # for search capabilities
export STRIX_REASONING_EFFORT="high" # control thinking effort (default: high, quick scan: medium)
2025-11-10 10:49:37 +01:00
```
2025-08-08 20:36:44 -07:00
2026-01-10 15:48:42 -08:00
> [!NOTE]
> Strix automatically saves your configuration to `~/.strix/cli-config.json`, so you don't have to re-enter it on every run.
**Recommended models for best results:**
2026-06-29 19:09:58 -07:00
- [OpenAI GPT-5.4](https://openai.com/api/) - `openai/gpt-5.4`
- [Anthropic Claude Sonnet 4.6](https://claude.com/platform/api) - `anthropic/claude-sonnet-4-6`
- [Google Gemini 3 Pro Preview](https://cloud.google.com/vertex-ai) - `vertex_ai/gemini-3-pro-preview`
See the [LLM Providers documentation](https://docs.strix.ai/llm-providers/overview) for all supported providers including Vertex AI, Bedrock, Azure, and local models.
2026-01-03 17:56:28 -08:00
2026-06-29 19:00:46 -07:00
## Enterprise Pentesting
2026-06-29 19:00:46 -07:00
Get the same Strix experience with [enterprise-grade](https://strix.ai/demo) controls: SSO (SAML/OIDC), custom compliance-ready penetration testing reports (SOC 2, ISO 27001, PCI DSS), dedicated support & SLA, custom deployment options (VPC/self-hosted), BYOK model support, and tailored AI pentesting agents optimized for your environment. [Learn more](https://strix.ai/demo).
2026-01-14 05:00:16 +04:00
## Documentation
2026-01-03 17:56:28 -08:00
2026-06-29 19:09:58 -07:00
Full documentation is available at **[docs.strix.ai](https://docs.strix.ai)** - including detailed guides for usage, CI/CD integrations, skills, and advanced configuration.
2025-08-08 20:36:44 -07:00
2026-01-14 05:00:16 +04:00
## Contributing
We welcome contributions of code, docs, and new skills - check out our [Contributing Guide](https://docs.strix.ai/contributing) to get started or open a [pull request](https://github.com/usestrix/strix/pulls)/[issue](https://github.com/usestrix/strix/issues).
2026-01-14 05:00:16 +04:00
## Join Our Community
2025-11-10 10:49:37 +01:00
2026-01-20 12:58:14 -08:00
Have questions? Found a bug? Want to contribute? **[Join our Discord!](https://discord.gg/strix-ai)**
2025-11-10 10:49:37 +01:00
2026-01-14 05:00:16 +04:00
## Support the Project
2025-08-08 20:36:44 -07:00
**Love Strix?** Give us a ⭐ on GitHub!
2026-01-14 05:00:16 +04:00
## Acknowledgements
2025-11-29 19:27:30 +04:00
2026-01-16 02:34:30 +04:00
Strix builds on the incredible work of open-source projects like [LiteLLM](https://github.com/BerriAI/litellm), [Caido](https://github.com/caido/caido), [Nuclei](https://github.com/projectdiscovery/nuclei), [Playwright](https://github.com/microsoft/playwright), and [Textual](https://github.com/Textualize/textual). Huge thanks to their maintainers!
2025-11-29 19:27:30 +04:00
2025-08-08 20:36:44 -07:00
> [!WARNING]
> Only test apps you own or have permission to test. You are responsible for using Strix ethically and legally.
2025-08-08 20:36:44 -07:00
</div>