Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```
Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  nexploit: neuralegion/nexploit@2.0.2
```
Use nexploit elements in your existing workflows and jobs.
Opt-in to use of uncertified orbs on your organization’s Security settings page.
Run a new scan using just curl and Nexploit API

```yaml
version: 2.1
orbs:
  nexploit: neuralegion/nexploit@2.0
jobs:
  build:
    machine: true
    steps:
      - nexploit/new-scan-curl:
          scan_name: My new curl scan
          fileId: 27SJV96JZKdWYjsUCM9M1B
          discovery_types: '"archive", "crawler"'
          protocol: http
```
Run a new scan using npm util

```yaml
version: 2.1
orbs:
  nexploit: neuralegion/nexploit@2.0
jobs:
  build:
    machine: true
    steps:
      - nexploit/scan:
          scan_name: CircleCI Scan
          api_key: NEXPLOIT_API_KEY
          discovery_types: crawler
          crawlers: https://www.random1.org/,https://www.random2.org/
          host_filters: random1.org,random2.org
          headers: 'Content-Type: application/json;Keep-Alive: timeout=5, max=1000'
          type: appscan
          protocol: http
```
Retest a scan and wait for results

```yaml
version: 2.1
orbs:
  nexploit: neuralegion/nexploit@2.0
workflows:
  your-workflow:
    jobs:
      - nexploit/retest-and-poll:
          scan_id: 7MeuiCeFc25WdJBamaaTG
          api_key: NEXPLOIT_API_KEY
```
`retest-and-poll` job: Restart a scan and poll its status.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| api_key | API key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_id | Scan id to rerun | Yes | - | string |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |
| interval | Period of time between the end of a timeout period or completion of a scan status request, and the next request for status | No | 5000 | integer |
| failure_on | One of `first-issue`, `first-medium-severity-issue`, `first-high-severity-issue` | No | first-issue | enum |
| executor_image | Docker image name | No | neuralegion/nexploit-cli | string |
| executor_tag | Docker image tag | No | latest | string |
`install`: Installs the nexploit-cli utility into the environment; you need it to work with the Nexploit API. `nexploit-cli` requires Node v12 to be installed.
`new-scan-curl`: Start a new Nexploit scan using just curl.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| api_key | API key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_name | Name for a scan | Yes | - | string |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |
| fileId | Get it with the help of curl: `curl -X POST "https://nexploit.app/api/v1/files?discard=true" -H "Content-Type: multipart/form-data" -H "Authorization: Api-Key yufn0f6.yourapikeykuj069zopv0b1i" -F "har=@/path/to/the/file.har"`. This command returns the id to use in the File ID field. | No | '' | string |
| protocol | One of `http`, `websocket` | Yes | - | enum |
| discovery_types | Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes | No | '"archive"' | string |
| hosts_filter | Array. Specify separated by commas and every item in quotes | No | '' | string |
| crawler_urls | Crawler URLs. Specify separated by commas and every item in quotes | No | '' | string |
| module | One of `core`, `exploratory` | No | core | enum |
| type | One of `appscan`, `protoscan` | No | appscan | enum |
`new-scan`: Start a new Nexploit scan using nexploit-cli. Requires npm.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| api_key | API key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_name | Name for a scan | Yes | - | string |
| protocol | One of `http`, `websocket` | Yes | - | enum |
| archive | Path to the archive | No | '' | string |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |
| type | One of `appscan`, `protoscan` | No | appscan | enum |
| discovery_types | Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes | No | '"archive"' | string |
| crawlers | Crawler URLs. Specify separated by commas without spaces | No | '' | string |
| host_filters | Array. Specify separated by commas without spaces | No | '' | string |
| headers | Array. Specify separated by semicolons without spaces | No | '' | string |
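The `new-scan` command rewrites the comma- and semicolon-separated `crawlers`, `host_filters` and `headers` values into one string and then runs it through an unquoted `$command`, which the shell word-splits on spaces, so a header such as `Keep-Alive: timeout=5, max=1000` from the example arrives at `nexploit-cli` as several arguments. The POSIX sh functions below are an added example, not orb code: they build the same argument vector while keeping each item whole; the flag names are the orb's, while the fixed `scan:run` options are assumed from its command and `--api-key` is left out so nothing printed can contain the key.

```shell
#!/bin/sh
# Added example, not part of the orb: build the nexploit-cli argument vector
# from orb-style list parameters without word-splitting on spaces.
set -f   # disable globbing so IFS splitting below never expands wildcards

# split_into_flags FLAG SEP LIST
# Prints FLAG=item, one per line, for every SEP-separated item in LIST.
split_into_flags() {
  flag=$1 sep=$2 list=$3
  [ -n "$list" ] || return 0
  old_ifs=$IFS
  IFS=$sep                      # split on the separator only, not on spaces
  for item in $list; do
    printf '%s=%s\n' "$flag" "$item"
  done
  IFS=$old_ifs
}

# build_scan_argv NAME CRAWLERS HOST_FILTERS HEADERS
# Emits the full argv, one element per line. The fixed options are assumed
# from the orb's scan:run call (protocol/type/discovery hard-coded here);
# --api-key is deliberately omitted so the key never appears in output.
build_scan_argv() {
  name=$1 crawlers=$2 host_filters=$3 headers=$4
  printf '%s\n' nexploit-cli scan:run "--name=$name" --protocol=http \
    --type=appscan --discovery=crawler --discard=false
  split_into_flags --crawler     ',' "$crawlers"
  split_into_flags --host-filter ',' "$host_filters"
  split_into_flags --header      ';' "$headers"
}

# run_argv: read argv lines from stdin into "$@" and execute them, so an
# element containing spaces reaches the program as a single argument.
run_argv() {
  set --
  while IFS= read -r arg; do
    set -- "$@" "$arg"
  done
  "$@"
}

# Usage (constructed values copied from the page's new-scan example):
#   build_scan_argv "CircleCI Scan" \
#     "https://www.random1.org/,https://www.random2.org/" \
#     "random1.org,random2.org" \
#     "Content-Type: application/json;Keep-Alive: timeout=5, max=1000" \
#     | run_argv
```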
`polling-status`: Polls the scan status and waits for issues.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| api_key | API key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_id | Scan id to rerun | Yes | - | string |
| interval | Period of time between the end of a timeout period or completion of a scan status request, and the next request for status | No | 5000 | integer |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |
| failure_on | One of `first-issue`, `first-medium-severity-issue`, `first-high-severity-issue` | No | first-issue | enum |
`retest-scan`: Perhaps the most convenient way to start a scan. Start a new scan from the web UI at https://nexploit.app, take the scan id from the address bar, and use that id here to rerun the scan.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| api_key | API key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_id | Scan id to rerun | Yes | - | string |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |
`default` executor: Default environment for Nexploit. This is a small Alpine-based Docker image with a low resource class.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| image | Docker image name | No | neuralegion/nexploit-cli | string |
| tag | Docker image tag | No | latest | string |
Orb source:

````yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |-
  Nexploit is a Machine Learning powered Interactive Application Security Testing (IAST) solution. Automating a cyber-security specialist’s critical thinking process to scan any target and find real vulnerabilities, including logical-flow problems, with no false positives.
  This orb allows you to use Nexploit power in your CI.
  Setup
  Note - An active subscription for Nexploit is needed for usage of this extension.
  Get API Key
  In NexPloit Dashboard navigate to the "Organization" tab and scroll to the "Manage your application API keys" section.
  Press "Create new API key" button and enter any suitable name (circleci key e.g.) Note - Make sure to backup the API key, it can't be restored.
  Using a pre-recorded HAR file
  Upload the file using a simple curl command:
  ```sh
  $ curl -X POST "https://nexploit.app/api/v1/files?discard=true" \
    -H "Content-Type: multipart/form-data" \
    -H "Authorization: Api-Key yufn0f6.yourapikeykuj069zopv0b1i" \
    -F "har=@/path/to/the/file.har"
  {"ids":["6xkFraa5ecfmHhxTEnabZg"]}
  ```
  This id will then be used for the File ID field.
  When setup is complete, the new scan will start automatically and be visible in your Nexploit account.
display:
  home_url: https://neuralegion.com
  source_url: https://github.com/NeuraLegion/circleci-orb
examples:
  new-scan-curl:
    description: Run a new scan using just curl and Nexploit API
    usage:
      version: 2.1
      orbs:
        nexploit: neuralegion/nexploit@2.0
      jobs:
        build:
          machine: true
          steps:
            - nexploit/new-scan-curl:
                scan_name: My new curl scan
                fileId: 27SJV96JZKdWYjsUCM9M1B
                discovery_types: '"archive", "crawler"'
                protocol: http
  new-scan:
    description: Run a new scan using npm util
    usage:
      version: 2.1
      orbs:
        nexploit: neuralegion/nexploit@2.0
      jobs:
        build:
          machine: true
          steps:
            - nexploit/scan:
                scan_name: CircleCI Scan
                api_key: NEXPLOIT_API_KEY
                discovery_types: 'crawler'
                crawlers: 'https://www.random1.org/,https://www.random2.org/'
                host_filters: 'random1.org,random2.org'
                headers: 'Content-Type: application/json;Keep-Alive: timeout=5, max=1000'
                type: appscan
                protocol: http
  nexploit_job:
    description: Retest a scan and wait for results
    usage:
      version: 2.1
      orbs:
        nexploit: neuralegion/nexploit@2.0
      workflows:
        your-workflow:
          jobs:
            - nexploit/retest-and-poll:
                scan_id: 7MeuiCeFc25WdJBamaaTG
                api_key: NEXPLOIT_API_KEY
commands:
  install:
    description: >
      Installs nexploit-cli util to the environment. You need this util for
      working with nexploit API. `nexploit-cli` requires Node v12 to be
      installed.
    steps:
      - run:
          name: Install nexploit-cli
          command: |
            if which npm > /dev/null
            then
              if which nexploit-cli > /dev/null
              then
                echo "nexploit-cli is already installed"
              else
                # Use the registry over TLS so the package cannot be altered in transit
                npm config set registry https://registry.npmjs.org/
                npm install @neuralegion/nexploit-cli -g
              fi
            else
              echo "You need to install Node v12"
              exit 1
            fi
  new-scan-curl:
    description: Start a new Nexploit scan using just a curl
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_name:
        type: string
        description: Name for a scan
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
      fileId:
        type: string
        default: ''
        description: |-
          Get it with the help of curl `curl -X POST "https://nexploit.app/api/v1/files?discard=true" -H "Content-Type: multipart/form-data" -H "Authorization: Api-Key yufn0f6.yourapikeykuj069zopv0b1i" -F "har=@/path/to/the/file.har"
          `. This command will return you an id for the File ID field.
      protocol:
        type: enum
        enum:
          - http
          - websocket
      discovery_types:
        description: 'Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes'
        default: '"archive"'
        type: string
      hosts_filter:
        description: 'Array. Specify separated by commas and every item in quotes'
        default: ''
        type: string
      crawler_urls:
        description: 'Crawler URLs. Specify separated by commas and every item in quotes'
        default: ''
        type: string
      module:
        type: enum
        default: core
        enum:
          - core
          - exploratory
      type:
        type: enum
        default: appscan
        enum:
          - appscan
          - protoscan
    steps:
      - run:
          command: |-
            # crawlerUrls is sent as a JSON array, like discoveryTypes and hostsFilter,
            # so the quoted, comma-separated form the parameter asks for stays valid JSON
            curl "<< parameters.hostname >>/api/v1/scans" \
              -H "Content-Type: application/json" \
              -H "Authorization: Api-Key $<< parameters.api_key >>" \
              -d '{
                "name": "<< parameters.scan_name >>",
                "protocol": "<< parameters.protocol >>",
                "type": "<< parameters.type >>",
                "discoveryTypes": [<< parameters.discovery_types >>],
                <<# parameters.fileId >>"fileId": "<< parameters.fileId >>",<</ parameters.fileId >>
                <<# parameters.crawler_urls >>"crawlerUrls": [<< parameters.crawler_urls >>],<</ parameters.crawler_urls >>
                "hostsFilter": [<< parameters.hosts_filter >>],
                "module": "<< parameters.module >>"
              }'
  new-scan:
    description: 'Start a new Nexploit scan using nexploit-cli. Requires npm'
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_name:
        type: string
        description: Name for a scan
      protocol:
        type: enum
        enum:
          - http
          - websocket
      archive:
        type: string
        default: ''
        description: Path to the archive
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
      type:
        type: enum
        default: appscan
        enum:
          - appscan
          - protoscan
      discovery_types:
        description: 'Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes'
        default: '"archive"'
        type: string
      crawlers:
        description: 'Crawler URLs. Specify separated by commas without spaces'
        default: ''
        type: string
      host_filters:
        description: 'Array. Specify separated by commas without spaces'
        default: ''
        type: string
      headers:
        description: 'Array. Specify separated by semicolons without spaces'
        default: ''
        type: string
    steps:
      - run:
          # A literal block scalar keeps each shell statement on its own line
          command: |
            crawlers="<< parameters.crawlers >>"
            crawlers_list=`echo "--crawler=${crawlers//,/" --crawler="}"`
            echo $crawlers_list
            host_filters="<< parameters.host_filters >>"
            host_filters_list=`echo "--host-filter=${host_filters//,/" --host-filter="}"`
            echo $host_filters_list
            headers="<< parameters.headers >>"
            headers_list=`echo "--header=${headers//;/" --header="}"`
            echo $headers_list
            command="nexploit-cli scan:run
              --name=<< parameters.scan_name >>
              <<# parameters.archive >>--archive=<< parameters.archive >><</parameters.archive >>
              --protocol=<< parameters.protocol >>
              --api-key=$<< parameters.api_key >>
              --api=<< parameters.hostname >>
              --type=<< parameters.type >>
              --discard=false
              --discovery=<< parameters.discovery_types >>
              <<# parameters.crawlers >>$crawlers_list<</parameters.crawlers >>
              <<# parameters.host_filters >>$host_filters_list<</parameters.host_filters >>
              <<# parameters.headers >>$headers_list<</parameters.headers >>"
            # Log the command with the API key masked so the secret does not land in the build output
            echo "$command" | sed 's/--api-key=[^[:space:]]*/--api-key=***/'
            # $command is expanded unquoted, so the shell word-splits it on whitespace:
            # any value containing spaces is passed to the CLI as several arguments
            scan_id=`($command)`
            echo "Your scan is available on << parameters.hostname >>/scans/$scan_id"
  polling-status:
    description: Allows to poll status and wait for issues.
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_id:
        type: string
        description: Scan id to rerun
      interval:
        type: integer
        default: 5000
        description: |
          Period of time between the end of a timeout period or completion of
          a scan status request, and the next request for status
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
      failure_on:
        type: enum
        default: first-issue
        enum:
          - first-issue
          - first-medium-severity-issue
          - first-high-severity-issue
    steps:
      - run:
          command: |
            nexploit-cli scan:polling << parameters.scan_id >> \
              --failure-on=<< parameters.failure_on >> \
              --api-key=$<< parameters.api_key >> \
              --api=<< parameters.hostname >> \
              --interval=<< parameters.interval >>
  retest-scan:
    description: >
      Perhaps the most convenient way to start a scan. Start a new scan, using
      web UI at https://nexploit.app. You can get scan id from address bar.
      You should use this id to rerun the scan.
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_id:
        type: string
        description: Scan id to rerun
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
    steps:
      - run:
          command: |
            nexploit-cli \
              scan:retest << parameters.scan_id >> \
              --api-key=$<< parameters.api_key >> \
              --api=<< parameters.hostname >>
executors:
  default:
    description: >
      Default environment for Nexploit. This is a small Alpine-based Docker
      image with a low resource class.
    parameters:
      image:
        type: string
        default: neuralegion/nexploit-cli
        description: Docker image name
      tag:
        type: string
        default: latest
        description: Docker image tag
    resource_class: small
    docker:
      - image: <<parameters.image>>:<<parameters.tag>>
jobs:
  retest-and-poll:
    description: >
      Restart scan and poll its status
    executor:
      name: default
      image: << parameters.executor_image >>
      tag: << parameters.executor_tag >>
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_id:
        type: string
        description: Scan id to rerun
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
      interval:
        type: integer
        default: 5000
        description: >
          Period of time between the end of a timeout period or completion of
          a scan status request, and the next request for status
      failure_on:
        type: enum
        default: first-issue
        enum:
          - first-issue
          - first-medium-severity-issue
          - first-high-severity-issue
      executor_image:
        type: string
        default: neuralegion/nexploit-cli
        description: Docker image name
      executor_tag:
        type: string
        default: latest
        description: Docker image tag
    steps:
      - run:
          name: Retest an existing scan and wait for results
          command: |
            scan_id=$(nexploit-cli scan:retest << parameters.scan_id >> \
              --api-key=$<< parameters.api_key >> \
              --api=<< parameters.hostname >>)
            echo "Your scan is available on << parameters.hostname >>/scans/$scan_id"
            echo "Waiting for issues..."
            nexploit-cli scan:polling $scan_id \
              --failure-on=<< parameters.failure_on >> \
              --api-key=$<< parameters.api_key >> \
              --api=<< parameters.hostname >> \
              --interval=<< parameters.interval >>
````