neuralegion/nexploit@2.0.2
Nexploit is a Machine Learning powered Interactive Application Security Testing (IAST) solution. It automates a cyber-security specialist's critical thinking process to scan any target and find real vulnerabilities, including logical-flow problems, with no false positives. This orb lets you use Nexploit in your CI.

Setup

Note - An active subscription for Nexploit is needed to use this extension.

Get API Key

In the NexPloit Dashboard navigate to the "Organization" tab and scroll to the "Manage your application API keys" section. Press the "Create new API key" button and enter any suitable name (e.g. "circleci key").

Note - Make sure to back up the API key; it can't be restored.

Using a pre-recorded HAR file

Upload the file using a simple curl command:

```sh
$ curl -X POST "https://nexploit.app/api/v1/files?discard=true" \
  -H "Content-Type: multipart/form-data" \
  -H "Authorization: Api-Key yufn0f6.yourapikeykuj069zopv0b1i" \
  -F "har=@/path/to/the/file.har"
{"ids":["6xkFraa5ecfmHhxTEnabZg"]}
```

The returned id is then used for the File ID field. When setup is complete, the new scan will start automatically and be visible in your Nexploit account.
Created: August 31, 2019
Version Published: March 11, 2020
Releases: 23
Org Usage: < 25

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```

Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  nexploit: neuralegion/nexploit@2.0.2
```

Use nexploit elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

new-scan-curl

Run a new scan using just curl and Nexploit API

```yaml
version: 2.1
orbs:
  nexploit: neuralegion/nexploit@2.0
jobs:
  build:
    machine: true
    steps:
      - nexploit/new-scan-curl:
          scan_name: My new curl scan
          fileId: 27SJV96JZKdWYjsUCM9M1B
          discovery_types: '"archive", "crawler"'
          protocol: http
```

new-scan

Run a new scan using the npm util (nexploit-cli)

```yaml
version: 2.1
orbs:
  nexploit: neuralegion/nexploit@2.0
jobs:
  build:
    machine: true
    steps:
      # The orb defines a `new-scan` command (there is no `scan` command in the orb source).
      - nexploit/new-scan:
          scan_name: CircleCI Scan
          api_key: NEXPLOIT_API_KEY
          discovery_types: crawler
          crawlers: https://www.random1.org/,https://www.random2.org/
          host_filters: random1.org,random2.org
          headers: 'Content-Type: application/json;Keep-Alive: timeout=5, max=1000'
          type: appscan
          protocol: http
```

nexploit_job

Retest a scan and wait for results

```yaml
version: 2.1
orbs:
  nexploit: neuralegion/nexploit@2.0
workflows:
  your-workflow:
    jobs:
      - nexploit/retest-and-poll:
          scan_id: 7MeuiCeFc25WdJBamaaTG
          api_key: NEXPLOIT_API_KEY
```

Jobs

retest-and-poll

Restart scan and poll its status

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| api_key | Api Key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_id | Scan id to rerun | Yes | - | string |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |
| interval | Period of time between the end of a timeout period or completion of a scan status request, and the next request for status | No | 5000 | integer |
| failure_on | One of: first-issue, first-medium-severity-issue, first-high-severity-issue | No | first-issue | enum |
| executor_image | Docker image name | No | neuralegion/nexploit-cli | string |
| executor_tag | Docker image tag | No | latest | string |

Commands

install

Installs the nexploit-cli util into the environment; you need it to work with the Nexploit API. `nexploit-cli` requires Node v12 to be installed.

new-scan-curl

Start a new Nexploit scan using just curl

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| api_key | Api Key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_name | Name for a scan | Yes | - | string |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |
| fileId | Get it with the help of curl: `curl -X POST "https://nexploit.app/api/v1/files?discard=true" -H "Content-Type: multipart/form-data" -H "Authorization: Api-Key yufn0f6.yourapikeykuj069zopv0b1i" -F "har=@/path/to/the/file.har"`. This command returns an id for the File ID field. | No | '' | string |
| protocol | One of: http, websocket | Yes | - | enum |
| discovery_types | Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes | No | '"archive"' | string |
| hosts_filter | Array. Specify separated by commas and every item in quotes | No | '' | string |
| crawler_urls | Crawler URLs. Specify separated by commas and every item in quotes | No | '' | string |
| module | One of: core, exploratory | No | core | enum |
| type | One of: appscan, protoscan | No | appscan | enum |
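The `new-scan-curl` step (see the orb source further down) splices its parameters straight into the JSON body it POSTs to `/api/v1/scans`. That is why the table asks for list items to be pre-quoted (`'"archive", "crawler"'`), it means a double quote in a scan name produces invalid JSON or changes the request, and the template wraps `crawlerUrls` in a string even though the parameter is documented as an array of quoted items. The POSIX sh helpers below are an added example, not part of the orb: they build the same body, with the field names the orb source uses (`name`, `protocol`, `type`, `discoveryTypes`, `fileId`, `crawlerUrls`, `hostsFilter`, `module`), from plain comma-separated lists and escape every string value. All inputs are constructed and nothing is sent to the API.

```shell
#!/bin/sh
# Added example, not code from the neuralegion/nexploit orb. Builds the JSON
# body for POST /api/v1/scans from plain comma-separated lists, escaping string
# values instead of relying on the caller to pre-quote them. Field names follow
# the orb's new-scan-curl template; inputs below are constructed.

set -f   # we split on commas with IFS below; keep pathname expansion out of it

# json_str VALUE -> "VALUE" with backslashes and double quotes escaped
# (enough for scan names, ids and URLs; control characters are not handled).
json_str() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# json_str_array LIST -> ["a","b"] from a comma-separated LIST; "" -> []
json_str_array() {
  _out=''
  _old_ifs=$IFS
  IFS=','
  for _item in $1; do
    _out="${_out:+$_out,}$(json_str "$_item")"
  done
  IFS=$_old_ifs
  printf '[%s]' "$_out"
}

# scan_body NAME PROTOCOL TYPE DISCOVERY FILE_ID CRAWLER_URLS HOSTS_FILTER MODULE
# Optional fields (FILE_ID, CRAWLER_URLS) are omitted when empty, as the
# <<# parameters.fileId >> / <<# parameters.crawler_urls >> conditionals in the
# orb do; crawlerUrls is emitted as a JSON array, matching its documentation.
scan_body() {
  _body="\"name\":$(json_str "$1"),\"protocol\":$(json_str "$2"),\"type\":$(json_str "$3")"
  _body="$_body,\"discoveryTypes\":$(json_str_array "$4")"
  if [ -n "$5" ]; then _body="$_body,\"fileId\":$(json_str "$5")"; fi
  if [ -n "$6" ]; then _body="$_body,\"crawlerUrls\":$(json_str_array "$6")"; fi
  _body="$_body,\"hostsFilter\":$(json_str_array "$7"),\"module\":$(json_str "$8")"
  printf '{%s}' "$_body"
}

# Demonstration with the values from the orb's new-scan-curl example. In a CI
# step the result would go to curl as:  -d "$(scan_body ...)"
scan_body 'My new curl scan' http appscan 'archive,crawler' \
  27SJV96JZKdWYjsUCM9M1B '' '' core
echo
# A name containing a quote and a backslash stays valid JSON.
scan_body 'Name with "quotes" \ backslash' http appscan archive '' \
  'https://www.random1.org/,https://www.random2.org/' 'random1.org' core
echo
```

Because the body is assembled from escaped values, the caller passes `archive,crawler` rather than `'"archive", "crawler"'`, and a scan name taken from a branch or commit message cannot break the request.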

new-scan

Start a new Nexploit scan using nexploit-cli. Requires npm.

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| api_key | Api Key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_name | Name for a scan | Yes | - | string |
| protocol | One of: http, websocket | Yes | - | enum |
| archive | Path to the archive | No | '' | string |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |
| type | One of: appscan, protoscan | No | appscan | enum |
| discovery_types | Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes | No | '"archive"' | string |
| crawlers | Crawler URLs. Specify separated by commas without spaces | No | '' | string |
| host_filters | Array. Specify separated by commas without spaces | No | '' | string |
| headers | Array. Specify separated by semicolons without spaces | No | '' | string |
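The `new-scan` step turns `crawlers`, `host_filters` and `headers` into repeated `--crawler=`, `--host-filter=` and `--header=` flags by text substitution (`${headers//;/" --header="}` in the orb source), concatenates everything into one string, and runs that string unquoted. The shell then word-splits every value on whitespace, so the orb's own sample header list (`Keep-Alive: timeout=5, max=1000`) and sample scan name (`CircleCI Scan`) reach nexploit-cli as several arguments. The script below is an added example, not the orb's code: one function reproduces that splitting so the effect is visible, and `split_flags`/`scan_argv` show a POSIX-sh way to build the argument list one item per line so each value stays intact. The sample values are constructed from the orb's example and nothing contacts the Nexploit API.

```shell
#!/bin/sh
# Added example, not code from the neuralegion/nexploit orb. Shows why building
# a command line by string substitution and running it unquoted breaks values
# that contain spaces, and a POSIX-sh way to build the argv safely. Sample
# values are constructed from the orb's new-scan example.

set -f   # we word-split deliberately; never let that trigger pathname expansion

# naive_arg_count LIST
# Mirrors the orb: replace ";" with " --header=", then let the shell split the
# resulting string on whitespace. Prints how many arguments come out.
naive_arg_count() {
  _expanded="--header=$(printf '%s' "$1" | sed 's/;/ --header=/g')"
  set -- $_expanded
  echo "$#"
}

# split_flags FLAG SEP LIST
# Prints one "--FLAG=item" per line, splitting LIST only on SEP, so spaces and
# commas inside an item survive. An empty LIST prints nothing.
split_flags() {
  _flag=$1; _sep=$2; _list=$3
  [ -n "$_list" ] || return 0
  _old_ifs=$IFS
  IFS=$_sep
  for _item in $_list; do
    printf '%s\n' "--${_flag}=${_item}"
  done
  IFS=$_old_ifs
}

# count_lines_as_args LINES
# Loads one argument per line into the positional parameters and prints $#,
# the count a command invoked with "$@" would actually receive.
count_lines_as_args() {
  _old_ifs=$IFS
  IFS='
'
  set -- $1
  IFS=$_old_ifs
  echo "$#"
}

# safe_arg_count FLAG SEP LIST: argument count when split_flags is used.
safe_arg_count() {
  count_lines_as_args "$(split_flags "$1" "$2" "$3")"
}

# scan_argv NAME PROTOCOL CRAWLERS HOST_FILTERS HEADERS
# Prints the full nexploit-cli argv, one argument per line, with the list
# parameters expanded the safe way. A CI step can load it with IFS set to a
# newline and `set --`, then run: nexploit-cli "$@"  (usage is hypothetical).
scan_argv() {
  printf '%s\n' nexploit-cli scan:run "--name=$1" "--protocol=$2" \
    --type=appscan --discard=false --discovery=crawler
  split_flags crawler ',' "$3"
  split_flags host-filter ',' "$4"
  split_flags header ';' "$5"
}

# Demonstration with the orb's sample values.
sample_headers='Content-Type: application/json;Keep-Alive: timeout=5, max=1000'
echo "naive split: $(naive_arg_count "$sample_headers") args for 2 headers"
echo "safe  split: $(safe_arg_count header ';' "$sample_headers") args for 2 headers"
scan_argv 'CircleCI Scan' http 'https://www.random1.org/,https://www.random2.org/' \
  'random1.org,random2.org' "$sample_headers"
```

The same string-then-word-split pattern is why the orb's `echo $command` line is worth removing in a fork: the assembled string contains the expanded `--api-key=` value, so the key ends up in the build log.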

polling-status

Polls the scan status and waits for issues.

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| api_key | Api Key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_id | Scan id to rerun | Yes | - | string |
| interval | Period of time between the end of a timeout period or completion of a scan status request, and the next request for status | No | 5000 | integer |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |
| failure_on | One of: first-issue, first-medium-severity-issue, first-high-severity-issue | No | first-issue | enum |

retest-scan

Perhaps the most convenient way to start a scan: start a new scan using the web UI at https://nexploit.app, take the scan id from the address bar, and pass that id here to rerun the scan.

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| api_key | Api Key. You can get it on the "Organization" tab in the Nexploit app | No | NEXPLOIT_API_KEY | env_var_name |
| scan_id | Scan id to rerun | Yes | - | string |
| hostname | Just leave the default value unless you use a special solution | No | https://nexploit.app | string |

Executors

default

Default environment for Nexploit. This is a small Alpine-based Docker image with a low resource class.

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| image | Docker image name | No | neuralegion/nexploit-cli | string |
| tag | Docker image tag | No | latest | string |

Orb Source

````yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |-
  Nexploit is a Machine Learning powered Interactive Application Security Testing (IAST) solution. Automating a cyber-security specialist’s critical thinking process to scan any target and find real vulnerabilities, including logical-flow problems, with no false positives. This orb allows you to use Nexploit power in your CI.

  Setup
  Note - An active subscription for Nexploit is needed for usage of this extension.

  Get API Key
  In NexPloit Dashboard navigate to the "Organization" tab and scroll to the "Manage your application API keys" section. Press "Create new API key" button and enter any suitable name (circleci key e.g.)
  Note - Make sure to backup the API key, it can't be restored.

  Using a pre-recorded HAR file
  Upload the file using a simple curl command:
  ```sh
  $ curl -X POST "https://nexploit.app/api/v1/files?discard=true" \
    -H "Content-Type: multipart/form-data" \
    -H "Authorization: Api-Key yufn0f6.yourapikeykuj069zopv0b1i" \
    -F "har=@/path/to/the/file.har"
  {"ids":["6xkFraa5ecfmHhxTEnabZg"]}
  ```
  This id will then be used for the File ID field. When setup is complete, the new scan will start automatically and be visible in your Nexploit account.
display:
  home_url: https://neuralegion.com
  source_url: https://github.com/NeuraLegion/circleci-orb
examples:
  new-scan-curl:
    description: Run a new scan using just curl and Nexploit API
    usage:
      version: 2.1
      orbs:
        nexploit: neuralegion/nexploit@2.0
      jobs:
        build:
          machine: true
          steps:
            - nexploit/new-scan-curl:
                scan_name: My new curl scan
                fileId: 27SJV96JZKdWYjsUCM9M1B
                discovery_types: '"archive", "crawler"'
                protocol: http
  new-scan:
    description: Run a new scan using npm util
    usage:
      version: 2.1
      orbs:
        nexploit: neuralegion/nexploit@2.0
      jobs:
        build:
          machine: true
          steps:
            # The command defined below is `new-scan`; the orb has no `scan` command.
            - nexploit/new-scan:
                scan_name: CircleCI Scan
                api_key: NEXPLOIT_API_KEY
                discovery_types: 'crawler'
                crawlers: 'https://www.random1.org/,https://www.random2.org/'
                host_filters: 'random1.org,random2.org'
                headers: 'Content-Type: application/json;Keep-Alive: timeout=5, max=1000'
                type: appscan
                protocol: http
  nexploit_job:
    description: Retest a scan and wait for results
    usage:
      version: 2.1
      orbs:
        nexploit: neuralegion/nexploit@2.0
      workflows:
        your-workflow:
          jobs:
            - nexploit/retest-and-poll:
                scan_id: 7MeuiCeFc25WdJBamaaTG
                api_key: NEXPLOIT_API_KEY
commands:
  install:
    description: >
      Installs nexploit-cli util to the environment. You need this util for working with nexploit API.
      `nexploit-cli` requires Node v12 to be installed.
    steps:
      - run:
          name: Install nexploit-cli
          command: |
            if which npm > /dev/null
            then
              if which nexploit-cli > /dev/null
              then
                echo "nexploit-cli is already installed"
              else
                # Note: this sets a plain-http registry URL. npm's default registry is
                # https://registry.npmjs.org/; keeping HTTPS means the package download
                # cannot be modified in transit.
                npm config set registry http://registry.npmjs.org/
                npm install @neuralegion/nexploit-cli -g
              fi
            else
              echo "You need to install Node v12"
              exit 1
            fi
  new-scan-curl:
    description: Start a new Nexploit scan using just a curl
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_name:
        type: string
        description: Name for a scan
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
      fileId:
        type: string
        default: ''
        description: |-
          Get it with the help of curl `curl -X POST "https://nexploit.app/api/v1/files?discard=true" -H "Content-Type: multipart/form-data" -H "Authorization: Api-Key yufn0f6.yourapikeykuj069zopv0b1i" -F "har=@/path/to/the/file.har" `.
          This command will return you an id for the File ID field.
      protocol:
        type: enum
        enum:
          - http
          - websocket
      discovery_types:
        description: 'Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes'
        default: '"archive"'
        type: string
      hosts_filter:
        description: 'Array. Specify separated by commas and every item in quotes'
        default: ''
        type: string
      crawler_urls:
        description: 'Crawler URLs. Specify separated by commas and every item in quotes'
        default: ''
        type: string
      module:
        type: enum
        default: core
        enum:
          - core
          - exploratory
      type:
        type: enum
        default: appscan
        enum:
          - appscan
          - protoscan
    steps:
      - run:
          # Parameters are substituted verbatim into the JSON body: list items must
          # already be quoted, and a double quote in scan_name breaks the JSON.
          # Note also that crawlerUrls is wrapped in a string here although the
          # parameter is documented as an array of quoted items.
          command: |-
            curl "<< parameters.hostname >>/api/v1/scans" \
              -H "Content-Type: application/json" \
              -H "Authorization: Api-Key $<< parameters.api_key >>" \
              -d '{
                "name": "<< parameters.scan_name >>",
                "protocol": "<< parameters.protocol >>",
                "type": "<< parameters.type >>",
                "discoveryTypes": [<< parameters.discovery_types >>],
                <<# parameters.fileId >>"fileId": "<< parameters.fileId >>",<</ parameters.fileId >>
                <<# parameters.crawler_urls >>"crawlerUrls": "<< parameters.crawler_urls >>",<</ parameters.crawler_urls >>
                "hostsFilter": [<< parameters.hosts_filter >>],
                "module": "<< parameters.module >>"
              }'
  new-scan:
    description: 'Start a new Nexploit scan using nexploit-cli. Requires npm'
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_name:
        type: string
        description: Name for a scan
      protocol:
        type: enum
        enum:
          - http
          - websocket
      archive:
        type: string
        default: ''
        description: Path to the archive
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
      type:
        type: enum
        default: appscan
        enum:
          - appscan
          - protoscan
      discovery_types:
        description: 'Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes'
        default: '"archive"'
        type: string
      crawlers:
        description: 'Crawler URLs. Specify separated by commas without spaces'
        default: ''
        type: string
      host_filters:
        description: 'Array. Specify separated by commas without spaces'
        default: ''
        type: string
      headers:
        description: 'Array. Specify separated by semicolons without spaces'
        default: ''
        type: string
    steps:
      - run:
          # A literal block (|) keeps one shell statement per line; a folded block
          # would join them into a single line and the script would not run as intended.
          command: |
            crawlers="<< parameters.crawlers >>"
            crawlers_list=`echo "--crawler=${crawlers//,/" --crawler="}"`
            echo $crawlers_list
            host_filters="<< parameters.host_filters >>"
            host_filters_list=`echo "--host-filter=${host_filters//,/" --host-filter="}"`
            echo $host_filters_list
            headers="<< parameters.headers >>"
            headers_list=`echo "--header=${headers//;/" --header="}"`
            echo $headers_list
            command="nexploit-cli scan:run --name=<< parameters.scan_name >> <<# parameters.archive >>--archive=<< parameters.archive >><</parameters.archive >> --protocol=<< parameters.protocol >> --api-key=$<< parameters.api_key >> --api=<< parameters.hostname >> --type=<< parameters.type >> --discard=false --discovery=<< parameters.discovery_types >> <<# parameters.crawlers >>$crawlers_list<</parameters.crawlers >> <<# parameters.host_filters >>$host_filters_list<</parameters.host_filters >> <<# parameters.headers >>$headers_list<</parameters.headers >>"
            # Note: this prints the expanded --api-key value into the build log.
            echo $command
            # The unquoted expansion word-splits every value on whitespace, so scan
            # names or header values containing spaces arrive as several arguments.
            scan_id=`($command)`
            echo "Your scan is available on << parameters.hostname >>/scans/$scan_id"
  polling-status:
    description: Allows to poll status and wait for issues.
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_id:
        type: string
        description: Scan id to rerun
      interval:
        type: integer
        default: 5000
        description: |
          Period of time between the end of a timeout period or completion of a scan status request, and the next request for status
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
      failure_on:
        type: enum
        default: first-issue
        enum:
          - first-issue
          - first-medium-severity-issue
          - first-high-severity-issue
    steps:
      - run:
          command: |
            nexploit-cli scan:polling << parameters.scan_id >> \
              --failure-on=<< parameters.failure_on >> \
              --api-key=$<< parameters.api_key >> \
              --api=<< parameters.hostname >> \
              --interval=<< parameters.interval >>
  retest-scan:
    description: >
      Perhaps the most convenient way to start a scan. Start a new scan, using web UI at https://nexploit.app.
      You can get scan id from address bar. You should use this id to rerun the scan.
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_id:
        type: string
        description: Scan id to rerun
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
    steps:
      - run:
          command: |
            nexploit-cli \
              scan:retest << parameters.scan_id >> \
              --api-key=$<< parameters.api_key >> \
              --api=<< parameters.hostname >>
executors:
  default:
    description: >
      Default environment for Nexploit. This is a small Alpine-based Docker image with a low resource class.
    parameters:
      image:
        type: string
        default: neuralegion/nexploit-cli
        description: Docker image name
      tag:
        type: string
        # "latest" is a moving target; pin a version tag for reproducible runs.
        default: latest
        description: Docker image tag
    resource_class: small
    docker:
      - image: <<parameters.image>>:<<parameters.tag>>
jobs:
  retest-and-poll:
    description: >
      Restart scan and poll its status
    executor:
      name: default
      image: << parameters.executor_image >>
      tag: << parameters.executor_tag >>
    parameters:
      api_key:
        type: env_var_name
        default: NEXPLOIT_API_KEY
        description: 'Api Key. You can get it on "Organization" tab in Nexploit app'
      scan_id:
        type: string
        description: Scan id to rerun
      hostname:
        type: string
        default: https://nexploit.app
        description: Just leave the default value unless you use a special solution
      interval:
        type: integer
        default: 5000
        description: >
          Period of time between the end of a timeout period or completion of a scan status request, and the next request for status
      failure_on:
        type: enum
        default: first-issue
        enum:
          - first-issue
          - first-medium-severity-issue
          - first-high-severity-issue
      executor_image:
        type: string
        default: neuralegion/nexploit-cli
        description: Docker image name
      executor_tag:
        type: string
        default: latest
        description: Docker image tag
    steps:
      - run:
          name: Retest an existing scan and wait for results
          command: |
            scan_id=$(nexploit-cli scan:retest << parameters.scan_id >> \
              --api-key=$<< parameters.api_key >> \
              --api=<< parameters.hostname >>)
            echo "Your scan is available on << parameters.hostname >>/scans/$scan_id"
            echo "Waiting for issues..."
            nexploit-cli scan:polling $scan_id \
              --failure-on=<< parameters.failure_on >> \
              --api-key=$<< parameters.api_key >> \
              --api=<< parameters.hostname >> \
              --interval=<< parameters.interval >>
````