strike-security 0.1.0

Evidence-first CLI security validation platform
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250

# Strike

**Evidence-first CLI security validation platform. Break it before they do — with proof.**

[![License](https://img.shields.io/badge/license-BSL--1.1-blue.svg)](LICENSE)
[![Crates.io](https://img.shields.io/crates/v/strike.svg)](https://crates.io/crates/strike)
[![Documentation](https://docs.rs/strike/badge.svg)](https://docs.rs/strike)

Strike is a Rust-powered CLI security validation platform designed for penetration testers, red team operators, AppSec engineers, and security researchers. It provides evidence-first, reproducible security testing with standards-mapped findings.

## Features

- **Evidence-First**: Every finding includes validated proof-of-concept with full HTTP traces
- **Reproducible**: Deterministic runs with checkpoint support and replay capability
- **Standards-Mapped**: Automatic mapping to OWASP Top 10, API Security Top 10, WSTG, ASVS, and CVSS v4.0
- **High Performance**: Built in Rust with async/await for parallel execution (up to 64 concurrent workers)
- **CI/CD Native**: SARIF output, policy gates, and exit codes for pipeline integration
- **Multi-Agent Architecture**: Specialized agents for recon, auth, validation, evidence, and reporting
- **Safety by Default**: Production environment blocks, scope validation, and ROE enforcement

## Installation

### From crates.io

```bash
cargo install strike
```

### From source

```bash
git clone https://github.com/xaseai/strike
cd strike
cargo build --release
```

## Quick Start

### 1. Initialize a workspace

```bash
strike init --target https://staging.example.com --env staging
```

### 2. Run reconnaissance

```bash
strike recon --target https://staging.example.com --subdomains --ports --tech-detect
```

### 3. Execute full validation pipeline

```bash
strike run --profile full --workers 16 --rate-limit 50
```

### 4. View findings

```bash
strike findings --severity critical --status confirmed --format table
```

### 5. Generate reports

```bash
strike report --format sarif --confirmed-only --include-evidence
```

## CLI Commands

### Core Commands

- `strike init` - Initialize a new engagement workspace
- `strike run` - Execute full validation pipeline
- `strike recon` - Standalone reconnaissance phase
- `strike scan` - Targeted vulnerability scan
- `strike validate` - Re-validate a specific finding
- `strike retest` - Retest after remediation

### Management Commands

- `strike status` - Show current run status
- `strike findings` - Query and filter findings
- `strike report` - Generate reports (JSON, Markdown, SARIF, HTML, PDF)
- `strike config` - Manage workspace configuration
- `strike benchmark` - Run against test targets (OWASP Juice Shop, WebGoat)

### CI/CD Integration

- `strike ci` - CI/CD mode with policy gates

## Vulnerability Classes Supported

### Access Control
- IDOR/BOLA
- BFLA (Broken Function Level Authorization)
- Privilege Escalation
- Path Traversal
- Mass Assignment

### Injection
- SQL Injection
- NoSQL Injection
- OS Command Injection
- SSTI (Server-Side Template Injection)
- XPath/LDAP Injection

### Authentication & Session
- Broken Authentication
- Session Fixation
- Token Forgery
- JWT Weaknesses
- OAuth2 Misconfigurations
- 2FA Bypass

### Client-Side
- XSS (Reflected, Stored, DOM)
- CSRF
- Clickjacking
- Open Redirect

### Server-Side
- SSRF
- XXE
- Deserialization
- File Upload Abuse
- Race Conditions

### API-Specific
- Mass Data Exposure
- Unrestricted Resource Consumption
- Security Misconfiguration
- Improper Asset Management

## Configuration

Strike uses a `strike.toml` configuration file:

```toml
target = "https://staging.example.com"
env = "staging"
profile = "full"
workers = 16
rate_limit = 50

[llm]
provider = "anthropic"
model = "claude-sonnet-4-6"
max_tokens_per_agent = 4096

[sandbox]
driver = "docker"
network_allowlist = ["staging.example.com"]

[output]
dir = "./.strike/runs"
formats = ["json", "md", "sarif"]
```

## Output Formats

- **JSON**: Machine-readable findings bundle
- **Markdown**: Developer-friendly report
- **SARIF**: CI/CD integration (GitHub Security, GitLab, etc.)
- **HTML**: Standalone report
- **PDF**: Audit-ready documentation

## Evidence Bundle Schema

Each validated finding includes:

- **Proof of Concept**: Full HTTP request/response traces
- **CVSS v4.0 Score**: Automated scoring with environmental tuning
- **Standards Mapping**: OWASP, ASVS, CWE references
- **Remediation Guidance**: Developer-ready fix suggestions
- **Retest History**: Track fix validation over time
- **Authorization**: ROE reference and approval metadata

## Safety & Ethics

Strike enforces mandatory safety guardrails:

- **Scope Validation**: All targets must be explicitly authorized
- **Environment Protection**: Production environments blocked by default
- **Rate Limiting**: Configurable request throttling
- **ROE Enforcement**: Rules of Engagement validated before execution
- **Evidence Sanitization**: Automatic PII/credential redaction

**Legal Notice**: Strike is designed exclusively for authorized security testing. Use only on systems you own or have explicit written permission to test.

## Architecture

- **Runtime**: Tokio async runtime for high concurrency
- **Storage**: SQLite (local) or PostgreSQL (team mode)
- **HTTP Client**: reqwest with rustls (no OpenSSL dependency)
- **Sandbox**: Docker isolation with network allowlisting
- **Observability**: OpenTelemetry tracing and structured logging

## Performance Targets

- **Scan Startup**: < 100ms cold start
- **Concurrent Workers**: Up to 64 parallel tasks
- **Memory Footprint**: < 30MB RSS idle
- **HTTP Throughput**: 10,000+ req/s
- **Report Generation**: < 2s for full evidence bundle

## Roadmap

### Phase 1 (Current - v0.1.0)
- ✅ Core CLI framework
- ✅ Multi-agent architecture
- ✅ SQLite storage
- ✅ Evidence bundle schema
- ✅ CVSS v4.0 scoring
- ✅ JSON/Markdown/SARIF reports

### Phase 2 (v0.2.0)
- Durable workflow state with checkpointing
- Full WSTG + PTES mapping
- LLM-powered hypothesis generation
- Root cause analysis
- PostgreSQL team mode

### Phase 3 (v0.3.0)
- Human-in-the-loop review workflow
- RBAC for team workspaces
- Air-gapped deployment mode
- Comprehensive ASVS coverage

## Contributing

Contributions are welcome! Please read our contributing guidelines and code of conduct.

## License

Strike is licensed under the Business Source License 1.1 (BSL-1.1). See [LICENSE](LICENSE) for details.

## Support

- **Documentation**: https://docs.strike.dev
- **Issues**: https://github.com/xaseai/strike/issues
- **Discussions**: https://github.com/xaseai/strike/discussions

## Acknowledgments

Strike follows OWASP, PTES, and ASVS best practices. Built with Rust for performance and safety.

---

**Strike** - Evidence-first security validation. Break it before they do.