> For the complete CircleCI developer hub index, see [llms.txt](https://circleci.com/developer/llms.txt)

# neuralegion/nexploit

Nexploit is a Machine Learning powered Interactive Application Security Testing (IAST) solution. Automating a cyber-security specialist’s critical thinking process to scan any target and find real vulnerabilities, including logical-flow problems, with no false positives.
This orb allows you to use Nexploit power in your CI.

Setup
Note - An active subscription for Nexploit is needed for usage of this extension.

Get API Key
In NexPloit Dashboard navigate to the "Organization" tab and scroll to the "Manage your application API keys" section.
Press "Create new API key" button and enter any suitable name (circleci key e.g.) Note - Make sure to backup the API key, it can't be restored.

Using a pre-recorded HAR file
Upload the file using a simple curl command:

```sh
$ curl -X POST "https://nexploit.app/api/v1/files?discard=true"     \
    -H "Content-Type: multipart/form-data"                          \
    -H "Authorization: Api-Key yufn0f6.yourapikeykuj069zopv0b1i"    \
    -F "har=@/path/to/the/file.har"
{"ids":["6xkFraa5ecfmHhxTEnabZg"]}
```

This id will then be used for the File ID field.
When setup is complete, the new scan will start automatically and be visible in your Nexploit account.

## Commands

### install

Installs nexploit-cli util to the environment. You need this util for  working with nexploit API. `nexploit-cli` requires Node v12 to be installed.


### new-scan-curl

Start a new Nexploit scan using just a curl

| Parameter | Type | Default | Description |
|---|---|---|---|
| `api_key` | env_var_name | NEXPLOIT_API_KEY | Api Key. You can get it on "Organization" tab in Nexploit app |
| `scan_name` | string |  | Name for a scan |
| `hostname` | string | https://nexploit.app | Just leave the default value unless you use a special solution |
| `fileId` | string |  | Get it with the help of curl `curl -X POST "https://nexploit.app/api/v1/files?discard=true" -H "Content-Type: multipart/form-data" -H "Authorization: Api-Key yufn0f6.yourapikeykuj069zopv0b1i" -F "har=@/path/to/the/file.har"
`. This command will return you an id for the File ID field. |
| `protocol` | enum |  |  |
| `discovery_types` | string | "archive" | Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes |
| `hosts_filter` | string |  | Array. Specify separated by commas and every item in quotes |
| `crawler_urls` | string |  | Crawler URLs. Specify separated by commas and every item in quotes |
| `module` | enum | core |  |
| `type` | enum | appscan |  |

### new-scan

Start a new Nexploit scan using nexploit-cli. Requires npm

| Parameter | Type | Default | Description |
|---|---|---|---|
| `api_key` | env_var_name | NEXPLOIT_API_KEY | Api Key. You can get it on "Organization" tab in Nexploit app |
| `scan_name` | string |  | Name for a scan |
| `protocol` | enum |  |  |
| `archive` | string |  | Path to the archive |
| `hostname` | string | https://nexploit.app | Just leave the default value unless you use a special solution |
| `type` | enum | appscan |  |
| `discovery_types` | string | "archive" | Array. Can be: "archive", "crawler", "oas". Specify separated by commas and every item in quotes |
| `crawlers` | string |  | Crawler URLs. Specify separated by commas without spaces |
| `host_filters` | string |  | Array. Specify separated by commas without spaces |
| `headers` | string |  | Array. Specify separated by semicolons without spaces |

### polling-status

Allows to poll status and wait for issues.

| Parameter | Type | Default | Description |
|---|---|---|---|
| `api_key` | env_var_name | NEXPLOIT_API_KEY | Api Key. You can get it on "Organization" tab in Nexploit app |
| `scan_id` | string |  | Scan id to rerun |
| `interval` | integer | 5000 | Period of time between the end of a timeout period or completion of
a scan status request, and the next request for status
 |
| `hostname` | string | https://nexploit.app | Just leave the default value unless you use a special solution |
| `failure_on` | enum | first-issue |  |

### retest-scan

Perhaps the most convenient way to start a scan. Start a new scan, using web UI at https://nexploit.app. You can get scan id from address bar. You should use this id to rerun the scan.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `api_key` | env_var_name | NEXPLOIT_API_KEY | Api Key. You can get it on "Organization" tab in Nexploit app |
| `scan_id` | string |  | Scan id to rerun |
| `hostname` | string | https://nexploit.app | Just leave the default value unless you use a special solution |

## Jobs

### retest-and-poll

Restart scan and poll its status


| Parameter | Type | Default | Description |
|---|---|---|---|
| `api_key` | env_var_name | NEXPLOIT_API_KEY | Api Key. You can get it on "Organization" tab in Nexploit app |
| `scan_id` | string |  | Scan id to rerun |
| `hostname` | string | https://nexploit.app | Just leave the default value unless you use a special solution |
| `interval` | integer | 5000 | Period of time between the end of a timeout period or completion of a scan status request, and the next request for status
 |
| `failure_on` | enum | first-issue |  |
| `executor_image` | string | neuralegion/nexploit-cli | Docker image name |
| `executor_tag` | string | latest | Docker image tag |

## Executors

### default

Default environment for Nexploit. This is a small Alpine-based Docker image with a low resource class.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `image` | string | neuralegion/nexploit-cli | Docker image name |
| `tag` | string | latest | Docker image tag |

## Examples

### new-scan-curl

Run a new scan using just curl and Nexploit API

```yaml
version: 2.1
orbs:
  nexploit: neuralegion/nexploit@2.0
jobs:
  build:
    machine: true
    steps:
      - nexploit/new-scan-curl:
          scan_name: My new curl scan
          fileId: 27SJV96JZKdWYjsUCM9M1B
          discovery_types: '"archive", "crawler"'
          protocol: http
```

### new-scan

Run a new scan using npm util

```yaml
version: 2.1
orbs:
  nexploit: neuralegion/nexploit@2.0
jobs:
  build:
    machine: true
    steps:
      - nexploit/scan:
          scan_name: CircleCI Scan
          api_key: NEXPLOIT_API_KEY
          discovery_types: crawler
          crawlers: https://www.random1.org/,https://www.random2.org/
          host_filters: random1.org,random2.org
          headers: 'Content-Type: application/json;Keep-Alive: timeout=5, max=1000'
          type: appscan
          protocol: http
```

### nexploit_job

Retest a scan and wait for results

```yaml
version: 2.1
orbs:
  nexploit: neuralegion/nexploit@2.0
workflows:
  your-workflow:
    jobs:
      - nexploit/retest-and-poll:
          scan_id: 7MeuiCeFc25WdJBamaaTG
          api_key: NEXPLOIT_API_KEY
```