Strix AI pentesting — adopted for oriz API fleet
Strix AI pentesting
Apache 2.0 OSS. Autonomous AI pentesting agents — DAST + LLM orchestration.
Repo: usestrix/strix. Docs: docs.strix.ai.
Decision
Adopted. Wired into chirag127/workflows/.github/workflows/ci-astro-api.yml as a separate job.
Runs on every PR on the 6 static API repos (constants, countries-plus, dynasties, ragas, rto, mmi-tickertape).
Why now, not after login-manager
APIs are static Astro sites. No auth middleware yet (per no-auth-in-apps-or-apis).
Strix still finds: XSS in templating, exposed config/keys, CORS misconfig, missing security headers, info-leak in JSON output.
Auth bypass + IDOR scope opens when login-manager ships (Phase 2).
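An offline check for three of the classes listed above (missing security headers, CORS misconfig, info-leak in JSON output), added here as an example; it is not Strix code and not part of the workflow. The header baseline, the regex heuristics and the sample response are assumptions constructed for illustration.

```python
import json
import re

# Assumed baseline for this example; substitute the fleet's own header policy.
REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-content-type-options")
# Heuristics only: key names that suggest a credential, and values that look
# like a build-machine path. Not an exhaustive secret scanner.
SECRET_KEY_RE = re.compile(r"(api[_-]?key|secret|token|password)", re.I)
LOCAL_PATH_RE = re.compile(r"^(/home/|/Users/|[A-Za-z]:\\)")

def walk(node, path="$", key=""):
    """Yield (json_path, nearest_key, value) for every leaf of parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node

def audit(headers, body):
    """Return sorted (category, detail) findings for one HTTP response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [("missing-header", n) for n in REQUIRED_HEADERS if n not in h]
    # The APIs have no auth, so credentialed CORS is never expected.
    if h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append(("cors", "credentials allowed on unauthenticated API"))
    if h.get("access-control-allow-origin") == "null":
        findings.append(("cors", "null origin allowed"))
    for path, key, value in walk(json.loads(body)):
        if not isinstance(value, str) or not value:
            continue
        if SECRET_KEY_RE.search(key):
            findings.append(("info-leak", f"credential-like key at {path}"))
        elif LOCAL_PATH_RE.match(value):
            findings.append(("info-leak", f"local path at {path}"))
    return sorted(findings)

# Constructed sample response, not captured from any real API.
SAMPLE_HEADERS = {"Access-Control-Allow-Origin": "*",
                  "Access-Control-Allow-Credentials": "true",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_BODY = json.dumps({"data": [{"code": "IN", "name": "India"}], "meta": {
    "apiKey": "EXAMPLE-NOT-A-REAL-KEY", "source": "/home/runner/build/data.json"}})

if __name__ == "__main__":
    print(*audit(SAMPLE_HEADERS, SAMPLE_BODY), sep="\n")
```

A wildcard `Access-Control-Allow-Origin` on its own is not flagged, since these are public, unauthenticated APIs.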
Config
| Field | Value |
|---|---|
| LLM | @cf/meta/llama-4-scout-17b-16e-instruct (CF Workers AI, free) |
| API key | CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID repo secrets |
| Trigger | Every PR (workflow_call from each api repo's ci.yml) |
| Scan mode | quick (diff-scoped on PR) |
| Blocking | strix -n exits non-zero → blocks PR on critical/high |
| Findings | Strix Cloud app.strix.ai (free, data leaves machine) |
| Docker | ubuntu-latest runners, pre-installed |
Alternatives rejected
| Tool | Gap |
|---|---|
| Nuclei alone | Pattern-based, no LLM reasoning, no PoC generation |
| OWASP ZAP | LGPL, no agentic layer, GUI-heavy |
| Burp Suite | Paid Professional for CI; free edition headless-limited |
Build-gate
All three alternatives above have documented gaps vs Strix. Gate satisfied.
Phase 2 (login-manager ships)
Add auth-session scanning: pass credentials via --instruction "use session: ...".
Scope expands to IDOR, auth bypass, privilege escalation classes.