first commit
This commit is contained in:
@@ -0,0 +1,108 @@
|
||||
---
|
||||
title: "CLI Reference"
|
||||
description: "Command-line options for Strix"
|
||||
---
|
||||
|
||||
## Basic Usage
|
||||
|
||||
```bash
|
||||
strix --target <target> [options]
|
||||
```
|
||||
|
||||
## Options
|
||||
|
||||
<ParamField path="--target, -t" type="string" required>
|
||||
Target to test. Accepts URLs, repositories, local directories, domains, or IP addresses. Can be specified multiple times.
|
||||
</ParamField>
|
||||
|
||||
<ParamField path="--mount" type="string">
|
||||
Bind-mount a local directory into the sandbox (read-only) instead of copying it in file-by-file. Use this for large repositories that are too big to stream into the container. Can be specified multiple times.
|
||||
|
||||
Strix copies local `--target` directories into the sandbox one file at a time, which stalls on very large trees. When a local target exceeds the copy limit (see `STRIX_MAX_LOCAL_COPY_MB`, default 1024 MB) Strix exits early and asks you to re-run with `--mount`.
|
||||
|
||||
<Note>
|
||||
The mount is read-only to protect your source from accidental modification. This is not a hard security boundary: a root process inside the container can remount it writable, so treat `--mount` as "scan my own code", not as isolation from untrusted code.
|
||||
</Note>
|
||||
|
||||
<Note>
|
||||
The size pre-flight only covers local directory targets. Remote repositories (cloned at scan time) are not size-checked.
|
||||
</Note>
|
||||
</ParamField>
|
||||
|
||||
<ParamField path="--instruction" type="string">
|
||||
Custom instructions for the scan. Use for credentials, focus areas, or specific testing approaches.
|
||||
</ParamField>
|
||||
|
||||
<ParamField path="--instruction-file" type="string">
|
||||
Path to a file containing detailed instructions.
|
||||
</ParamField>
|
||||
|
||||
<ParamField path="--scan-mode, -m" type="string" default="deep">
|
||||
Scan depth: `quick`, `standard`, or `deep`.
|
||||
</ParamField>
|
||||
|
||||
<ParamField path="--scope-mode" type="string" default="auto">
|
||||
Code scope mode: `auto` (enable PR diff-scope in CI/headless runs), `diff` (force changed-files scope), or `full` (disable diff-scope).
|
||||
</ParamField>
|
||||
|
||||
<ParamField path="--diff-base" type="string">
|
||||
Target branch or commit to compare against (e.g., `origin/main`). Defaults to the repository's default branch.
|
||||
</ParamField>
|
||||
|
||||
<ParamField path="--non-interactive, -n" type="boolean">
|
||||
Run in headless mode without TUI. Ideal for CI/CD.
|
||||
</ParamField>
|
||||
|
||||
<ParamField path="--config" type="string">
|
||||
Path to a custom config file (JSON) to use instead of `~/.strix/cli-config.json`.
|
||||
</ParamField>
|
||||
|
||||
<ParamField path="--max-budget-usd" type="number">
|
||||
Maximum LLM spend in USD for the whole scan, counted cumulatively across the
|
||||
root agent and every child agent. The budget is checked after each model
|
||||
response; once the running cost reaches the threshold, the scan stops cleanly
|
||||
with a `stopped` status (not a failure) and the sandbox is torn down.
|
||||
|
||||
Must be greater than `0`. Omit the flag for no limit.
|
||||
|
||||
**Limitations**
|
||||
|
||||
- The check fires *after* a response is returned, so the final spend can
|
||||
slightly overshoot the limit by any calls already in flight when the
|
||||
threshold is crossed (most relevant with several child agents running
|
||||
concurrently).
|
||||
- Cost is a best-effort estimate derived from token usage and model pricing;
|
||||
providers that do not expose priced usage may under-count.
|
||||
</ParamField>
|
||||
|
||||
## Examples
|
||||
|
||||
```bash
|
||||
# Basic scan
|
||||
strix --target https://example.com
|
||||
|
||||
# Authenticated testing
|
||||
strix --target https://app.com --instruction "Use credentials: user:pass"
|
||||
|
||||
# Focused testing
|
||||
strix --target api.example.com --instruction "Focus on IDOR and auth bypass"
|
||||
|
||||
# CI/CD mode
|
||||
strix -n --target ./ --scan-mode quick
|
||||
|
||||
# Force diff-scope against a specific base ref
|
||||
strix -n --target ./ --scan-mode quick --scope-mode diff --diff-base origin/main
|
||||
|
||||
# Multi-target white-box testing
|
||||
strix -t https://github.com/org/app -t https://staging.example.com
|
||||
|
||||
# Large local repository — bind-mount instead of copying it in
|
||||
strix --mount ./huge-monorepo
|
||||
```
|
||||
|
||||
## Exit Codes
|
||||
|
||||
| Code | Meaning |
|
||||
|------|---------|
|
||||
| 0 | Scan completed, no vulnerabilities found |
|
||||
| 2 | Vulnerabilities found (headless mode only) |
|
||||
@@ -0,0 +1,73 @@
|
||||
---
|
||||
title: "Custom Instructions"
|
||||
description: "Guide Strix with custom testing instructions"
|
||||
---
|
||||
|
||||
Use instructions to provide context, credentials, or focus areas for your scan.
|
||||
|
||||
## Inline Instructions
|
||||
|
||||
```bash
|
||||
strix --target https://app.com --instruction "Focus on authentication vulnerabilities"
|
||||
```
|
||||
|
||||
## File-Based Instructions
|
||||
|
||||
For complex instructions, use a file:
|
||||
|
||||
```bash
|
||||
strix --target https://app.com --instruction-file ./pentest-instructions.md
|
||||
```
|
||||
|
||||
## Common Use Cases
|
||||
|
||||
### Authenticated Testing
|
||||
|
||||
```bash
|
||||
strix --target https://app.com \
|
||||
--instruction "Login with email: test@example.com, password: TestPass123"
|
||||
```
|
||||
|
||||
### Focused Scope
|
||||
|
||||
```bash
|
||||
strix --target https://api.example.com \
|
||||
--instruction "Focus on IDOR vulnerabilities in the /api/users endpoints"
|
||||
```
|
||||
|
||||
### Exclusions
|
||||
|
||||
```bash
|
||||
strix --target https://app.com \
|
||||
--instruction "Do not test /admin or /internal endpoints"
|
||||
```
|
||||
|
||||
### API Testing
|
||||
|
||||
```bash
|
||||
strix --target https://api.example.com \
|
||||
--instruction "Use API key header: X-API-Key: abc123. Focus on rate limiting bypass."
|
||||
```
|
||||
|
||||
## Instruction File Example
|
||||
|
||||
```markdown instructions.md
|
||||
# Penetration Test Instructions
|
||||
|
||||
## Credentials
|
||||
- Admin: admin@example.com / AdminPass123
|
||||
- User: user@example.com / UserPass123
|
||||
|
||||
## Focus Areas
|
||||
1. IDOR in user profile endpoints
|
||||
2. Privilege escalation between roles
|
||||
3. JWT token manipulation
|
||||
|
||||
## Out of Scope
|
||||
- /health endpoints
|
||||
- Third-party integrations
|
||||
```
|
||||
|
||||
<Tip>
|
||||
Be specific. Good instructions help Strix prioritize the most valuable attack paths.
|
||||
</Tip>
|
||||
@@ -0,0 +1,62 @@
|
||||
---
|
||||
title: "Scan Modes"
|
||||
description: "Choose the right scan depth for your use case"
|
||||
---
|
||||
|
||||
Strix offers three scan modes to balance speed and thoroughness.
|
||||
|
||||
## Quick
|
||||
|
||||
```bash
|
||||
strix --target ./app --scan-mode quick
|
||||
```
|
||||
|
||||
Fast checks for obvious vulnerabilities. Best for:
|
||||
- CI/CD pipelines
|
||||
- Pull request validation
|
||||
- Rapid smoke tests
|
||||
|
||||
**Duration**: Minutes
|
||||
|
||||
## Standard
|
||||
|
||||
```bash
|
||||
strix --target ./app --scan-mode standard
|
||||
```
|
||||
|
||||
Balanced testing for routine security reviews. Best for:
|
||||
- Regular security assessments
|
||||
- Pre-release validation
|
||||
- Development milestones
|
||||
|
||||
**Duration**: 30 minutes to 1 hour
|
||||
|
||||
**White-box behavior**: Uses source-aware mapping and static triage to prioritize dynamic exploit validation paths.
|
||||
|
||||
## Deep
|
||||
|
||||
```bash
|
||||
strix --target ./app --scan-mode deep
|
||||
```
|
||||
|
||||
Thorough penetration testing. Best for:
|
||||
- Comprehensive security audits
|
||||
- Pre-production reviews
|
||||
- Critical application assessments
|
||||
|
||||
**Duration**: 1-4 hours depending on target complexity
|
||||
|
||||
**White-box behavior**: Runs broad source-aware triage (`semgrep`, AST structural search, secrets, supply-chain checks) and then systematically validates top candidates dynamically.
|
||||
|
||||
<Note>
|
||||
Deep mode is the default. It explores edge cases, chained vulnerabilities, and complex attack paths.
|
||||
</Note>
|
||||
|
||||
## Choosing a Mode
|
||||
|
||||
| Scenario | Recommended Mode |
|
||||
|----------|------------------|
|
||||
| Every PR | Quick |
|
||||
| Weekly scans | Standard |
|
||||
| Before major release | Deep |
|
||||
| Bug bounty hunting | Deep |
|
||||
Reference in New Issue
Block a user