type: decision
status: active
timestamp: 2026-07-03
tags: [security, strix, dast, ci, pentesting]

Strix AI pentesting — adopted for oriz API fleet

Strix open-source agentic DAST+LLM pentesting wired into ci-astro-api shared workflow.

Strix AI pentesting

Apache 2.0 OSS. Autonomous AI pentesting agents — DAST + LLM orchestration. Repo: usestrix/strix. Docs: docs.strix.ai.

Decision

Adopted. Wired into chirag127/workflows/.github/workflows/ci-astro-api.yml as a separate job. Runs on every PR on the 6 static API repos (constants, countries-plus, dynasties, ragas, rto, mmi-tickertape).

Why now, not after login-manager

APIs are static Astro sites. No auth middleware yet (per no-auth-in-apps-or-apis). Strix still finds: XSS in templating, exposed config/keys, CORS misconfig, missing security headers, info-leak in JSON output. Auth bypass + IDOR scope opens when login-manager ships (Phase 2).

Config

| Field | Value |
|---|---|
| LLM | @cf/meta/llama-4-scout-17b-16e-instruct (CF Workers AI, free) |
| API key | CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID repo secrets |
| Trigger | Every PR (workflow_call from each api repo's ci.yml) |
| Scan mode | quick (diff-scoped on PR) |
| Blocking | strix -n exits non-zero → blocks PR on critical/high |
| Findings | Strix Cloud app.strix.ai (free, data leaves machine) |
| Docker | ubuntu-latest runners, pre-installed |

Alternatives rejected

| Tool | Gap |
|---|---|
| Nuclei alone | Pattern-based, no LLM reasoning, no PoC generation |
| OWASP ZAP | LGPL, no agentic layer, GUI-heavy |
| Burp Suite | Paid Professional for CI; free edition headless-limited |

Build-gate

All three alternatives above have documented gaps vs Strix. Gate satisfied.

Phase 2 (login-manager ships)

Add auth-session scanning: pass credentials via --instruction "use session: ...". Scope expands to IDOR, auth bypass, privilege escalation classes.

