Strix AI pentesting — adopted for oriz API fleet

Tags: decision, security, strix, dast, ci, pentesting

Strix AI pentesting

Apache 2.0 OSS. Autonomous AI pentesting agents — DAST + LLM orchestration. Repo: usestrix/strix. Docs: docs.strix.ai.

Decision

Adopted. Wired into chirag127/workflows/.github/workflows/ci-astro-api.yml as a separate job. Runs on every PR on the 6 static API repos (constants, countries-plus, dynasties, ragas, rto, mmi-tickertape).

Why now, not after login-manager

APIs are static Astro sites. No auth middleware yet (per no-auth-in-apps-or-apis). Strix still finds: XSS in templating, exposed config/keys, CORS misconfig, missing security headers, info-leak in JSON output. Auth bypass + IDOR scope opens when login-manager ships (Phase 2).
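A deterministic check for three of the finding classes listed above (missing security headers, CORS misconfig, info-leak in JSON output), run against one response from a static API. This is an added example, not Strix's logic and not code from the oriz workflows; the header baseline, the secret patterns, the function names and the sample response are assumptions constructed for illustration.

```python
import json
import re

# Assumed baseline headers and secret patterns (illustrative, not from the page).
REQUIRED_HEADERS = ("content-security-policy", "x-content-type-options",
                    "strict-transport-security")
SECRET_KEY_RE = re.compile(r"(api[_-]?key|secret|token|password)", re.I)
SECRET_VALUE_RE = re.compile(r"^(AKIA[0-9A-Z]{16}|gh[pousr]_[A-Za-z0-9]{20,})$")


def walk(node, path="$", key=""):
    """Yield (json_path, nearest_key, value) for every scalar in decoded JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def audit_response(headers, body, request_origin="https://untrusted.example"):
    """Return sorted findings for one response fetched with Origin: request_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing-header:{name}" for name in REQUIRED_HEADERS if name not in h]
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    # "*" alone is normal for a public read-only API; echoing Origin or adding credentials is not.
    if acao == request_origin:
        findings.append("cors:reflected-origin")
    if creds and acao in ("*", request_origin):
        findings.append("cors:credentials-with-open-origin")
    if "application/json" in h.get("content-type", ""):
        for path, key, value in walk(json.loads(body)):
            leaked_value = isinstance(value, str) and SECRET_VALUE_RE.match(value)
            if SECRET_KEY_RE.search(key) or leaked_value:
                findings.append(f"info-leak:{path}")
    return sorted(findings)


# Constructed sample response, not captured from any oriz API.
SAMPLE_HEADERS = {"Content-Type": "application/json; charset=utf-8",
                  "Access-Control-Allow-Origin": "https://untrusted.example",
                  "Access-Control-Allow-Credentials": "true",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_BODY = json.dumps({"countries": [{"code": "IN", "name": "India"}],
                          "build": {"deploy_token": "EXAMPLE-NOT-A-REAL-TOKEN"}})
if __name__ == "__main__":
    print("\n".join(audit_response(SAMPLE_HEADERS, SAMPLE_BODY)))
```

A check like this catches regressions cheaply and predictably on every build; it does not replace the agentic scan, which covers classes such as XSS in templating that need reasoning about rendered output.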

Config

| Field | Value |
| --- | --- |
| LLM | @cf/meta/llama-4-scout-17b-16e-instruct (CF Workers AI, free) |
| API key | CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID repo secrets |
| Trigger | Every PR (workflow_call from each api repo's ci.yml) |
| Scan mode | quick (diff-scoped on PR) |
| Blocking | strix -n exits non-zero → blocks PR on critical/high |
| Findings | Strix Cloud app.strix.ai (free, data leaves machine) |
| Docker | ubuntu-latest runners, pre-installed |

Alternatives rejected

| Tool | Gap |
| --- | --- |
| Nuclei alone | Pattern-based, no LLM reasoning, no PoC generation |
| OWASP ZAP | LGPL, no agentic layer, GUI-heavy |
| Burp Suite | Paid Professional for CI; free edition headless-limited |

Build-gate

All three alternatives above have documented gaps vs Strix. Gate satisfied.

Phase 2 (login-manager ships)

Add auth-session scanning: pass credentials via --instruction "use session: ...". Scope expands to IDOR, auth bypass, privilege escalation classes.