https://github.com/usestrix/strix

Open-source AI hackers to find and fix your app’s vulnerabilities.
agents artificial-intelligence cybersecurity generative-ai llm penetration-testing


# Strix

### Open-source AI hackers to find and fix your app’s vulnerabilities.

[![](https://dcbadge.limes.pink/api/server/strix-ai)](https://discord.gg/strix-ai)


> [!TIP]
> **New!** Strix integrates seamlessly with GitHub Actions and CI/CD pipelines. Automatically scan for vulnerabilities on every pull request and block insecure code before it reaches production!

---

## Strix Overview

Strix are autonomous AI agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proof-of-concepts. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools.

**Key Capabilities:**

- **Full hacker toolkit** out of the box
- **Teams of agents** that collaborate and scale
- **Real validation** with PoCs, not false positives
- **Developer‑first** CLI with actionable reports
- **Auto‑fix & reporting** to accelerate remediation


## Use Cases

- **Application Security Testing** - Detect and validate critical vulnerabilities in your applications
- **Rapid Penetration Testing** - Get penetration tests done in hours, not weeks, with compliance reports
- **Bug Bounty Automation** - Automate bug bounty research and generate PoCs for faster reporting
- **CI/CD Integration** - Run tests in CI/CD to block vulnerabilities before reaching production

## 🚀 Quick Start

**Prerequisites:**
- Docker (running)
- An LLM API key:
  - Any [supported provider](https://docs.strix.ai/llm-providers/overview) (OpenAI, Anthropic, Google, etc.)
  - Or [Strix Router](https://models.strix.ai) — single API key for multiple providers with $10 free credit on signup

### Installation & First Scan

```bash
# Install Strix
curl -sSL https://strix.ai/install | bash

# Configure your AI provider
export STRIX_LLM="openai/gpt-5" # or "strix/gpt-5" via Strix Router (https://models.strix.ai)
export LLM_API_KEY="your-api-key"

# Run your first security assessment
strix --target ./app-directory
```

> [!NOTE]
> First run automatically pulls the sandbox Docker image. Results are saved to `strix_runs/`.

---

## ✨ Features

### Agentic Security Tools

Strix agents come equipped with a comprehensive security testing toolkit:

- **Full HTTP Proxy** - Full request/response manipulation and analysis
- **Browser Automation** - Multi-tab browser for testing XSS, CSRF, and auth flows
- **Terminal Environments** - Interactive shells for command execution and testing
- **Python Runtime** - Custom exploit development and validation
- **Reconnaissance** - Automated OSINT and attack surface mapping
- **Code Analysis** - Static and dynamic analysis capabilities
- **Knowledge Management** - Structured findings and attack documentation

### Comprehensive Vulnerability Detection

Strix can identify and validate a wide range of security vulnerabilities:

- **Access Control** - IDOR, privilege escalation, auth bypass
- **Injection Attacks** - SQL, NoSQL, command injection
- **Server-Side** - SSRF, XXE, deserialization flaws
- **Client-Side** - XSS, prototype pollution, DOM vulnerabilities
- **Business Logic** - Race conditions, workflow manipulation
- **Authentication** - JWT vulnerabilities, session management
- **Infrastructure** - Misconfigurations, exposed services

### Graph of Agents

Advanced multi-agent orchestration for comprehensive security testing:

- **Distributed Workflows** - Specialized agents for different attacks and assets
- **Scalable Testing** - Parallel execution for fast comprehensive coverage
- **Dynamic Coordination** - Agents collaborate and share discoveries

---

## Usage Examples

### Basic Usage

```bash
# Scan a local codebase
strix --target ./app-directory

# Security review of a GitHub repository
strix --target https://github.com/org/repo

# Black-box web application assessment
strix --target https://your-app.com
```

### Advanced Testing Scenarios

```bash
# Grey-box authenticated testing
strix --target https://your-app.com --instruction "Perform authenticated testing using credentials: user:pass"

# Multi-target testing (source code + deployed app)
strix -t https://github.com/org/app -t https://your-app.com

# Focused testing with custom instructions
strix --target api.your-app.com --instruction "Focus on business logic flaws and IDOR vulnerabilities"

# Provide detailed instructions through file (e.g., rules of engagement, scope, exclusions)
strix --target api.your-app.com --instruction-file ./instruction.md
```

### Headless Mode

Run Strix programmatically without the interactive UI using the `-n/--non-interactive` flag, which suits servers and automated jobs. The CLI prints vulnerability findings in real time and the final report before exiting, and it exits with a non-zero code when vulnerabilities are found.

```bash
strix -n --target https://your-app.com
```
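The exit-code contract above is what a scheduled job or a CI step keys on, so it is worth handling deliberately: a non-zero exit should fail the build, but a scan that never produced a report (Docker not running, bad API key) must not be confused with either "clean" or "findings". The wrapper below is an added example and is not part of the Strix project. It assumes only what the README states: that each run is written under `strix_runs/` and that Strix exits non-zero when it reports vulnerabilities. The scanner command is passed in as an argument so the wrapper can be exercised with a stand-in before it is pointed at the real `strix` binary.

```shell
#!/bin/sh
# Added example, not part of the Strix project: a wrapper for headless runs
# (cron jobs, CI steps). Assumptions, labelled: Strix writes each run under the
# runs directory (README: strix_runs/) and exits non-zero when it reports
# vulnerabilities. The README does not state the exit code for a scan that
# fails outright, so "non-zero exit and no new run directory" is treated as an
# error rather than as a finding.

# Count the entries directly under a directory (arithmetic strips wc's padding).
count_entries() {
  echo $(( $(find "$1" -mindepth 1 -maxdepth 1 | wc -l) ))
}

# classify_scan_exit EXIT_CODE ENTRIES_BEFORE ENTRIES_AFTER
# Prints one of: clean | findings | error
classify_scan_exit() {
  if [ "$3" -le "$2" ]; then
    echo error        # no report written: a failed scan is never "clean"
  elif [ "$1" -eq 0 ]; then
    echo clean
  else
    echo findings
  fi
}

# run_headless_scan RUNS_DIR TARGET SCANNER [SCANNER_ARGS...]
# Runs SCANNER non-interactively against TARGET and returns
#   0 = clean, 1 = findings, 2 = error
# so a pipeline can fail the build on 1 and alert on 2 instead of passing silently.
run_headless_scan() {
  runs_dir=$1; target=$2; shift 2
  mkdir -p "$runs_dir"
  before=$(count_entries "$runs_dir")
  if "$@" -n --target "$target"; then code=0; else code=$?; fi
  after=$(count_entries "$runs_dir")
  verdict=$(classify_scan_exit "$code" "$before" "$after")
  echo "headless scan of $target: $verdict (exit $code, reports under $runs_dir)"
  case $verdict in
    clean)    return 0 ;;
    findings) return 1 ;;
    *)        return 2 ;;
  esac
}

# Real use (requires Strix installed and Docker running):
#   run_headless_scan ./strix_runs https://your-app.com strix
```

In the GitHub Actions workflow in the next section the same three-way distinction applies: a step that calls the wrapper fails the pull request on exit 1 and surfaces a broken scanner on exit 2, whereas a bare `strix -n` invocation only tells you "non-zero".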

### CI/CD (GitHub Actions)

Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow:

```yaml
name: strix-penetration-test

on:
  pull_request:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Install Strix
        run: curl -sSL https://strix.ai/install | bash

      - name: Run Strix
        env:
          STRIX_LLM: ${{ secrets.STRIX_LLM }}
          LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
        run: strix -n -t ./ --scan-mode quick
```

### Configuration

```bash
export STRIX_LLM="openai/gpt-5"
export LLM_API_KEY="your-api-key"

# Optional
export LLM_API_BASE="your-api-base-url" # if using a local model, e.g. Ollama, LMStudio
export PERPLEXITY_API_KEY="your-api-key" # for search capabilities
export STRIX_REASONING_EFFORT="high" # control thinking effort (default: high, quick scan: medium)
```

> [!NOTE]
> Strix automatically saves your configuration to `~/.strix/cli-config.json`, so you don't have to re-enter it on every run.

**Recommended models for best results:**

- [OpenAI GPT-5](https://openai.com/api/) — `openai/gpt-5`
- [Anthropic Claude Sonnet 4.6](https://claude.com/platform/api) — `anthropic/claude-sonnet-4-6`
- [Google Gemini 3 Pro Preview](https://cloud.google.com/vertex-ai) — `vertex_ai/gemini-3-pro-preview`

See the [LLM Providers documentation](https://docs.strix.ai/llm-providers/overview) for all supported providers including Vertex AI, Bedrock, Azure, and local models.

## Documentation

Full documentation is available at **[docs.strix.ai](https://docs.strix.ai)** — including detailed guides for usage, CI/CD integrations, skills, and advanced configuration.

## Contributing

We welcome contributions of code, docs, and new skills - check out our [Contributing Guide](https://docs.strix.ai/contributing) to get started or open a [pull request](https://github.com/usestrix/strix/pulls)/[issue](https://github.com/usestrix/strix/issues).

## Join Our Community

Have questions? Found a bug? Want to contribute? **[Join our Discord!](https://discord.gg/strix-ai)**

## Support the Project

**Love Strix?** Give us a ⭐ on GitHub!

## Acknowledgements

Strix builds on the incredible work of open-source projects like [LiteLLM](https://github.com/BerriAI/litellm), [Caido](https://github.com/caido/caido), [Nuclei](https://github.com/projectdiscovery/nuclei), [Playwright](https://github.com/microsoft/playwright), and [Textual](https://github.com/Textualize/textual). Huge thanks to their maintainers!

> [!WARNING]
> Only test apps you own or have permission to test. You are responsible for using Strix ethically and legally.