Nullify-Platform / cli

Nullify CLI Tool
https://github.com/Nullify-Platform
MIT License

Nullify CLI

Nullify CLI dynamically tests and fuzzes your endpoints for security vulnerabilities.

Getting Started

Usage

Usage: nullify [--host HOST] [--verbose] [--debug] [--nullify-token NULLIFY-TOKEN] [--github-token GITHUB-TOKEN] <command> [<args>]

Options:
  --host HOST            The base URL of your Nullify API instance [default: api.nullify.ai]
  --verbose, -v          Enable verbose logging
  --debug, -d            Enable debug logging
  --nullify-token NULLIFY-TOKEN
                         Nullify API token
  --github-token GITHUB-TOKEN
                         GitHub actions job token to exchange for a Nullify API token
  --help, -h             display this help and exit
  --version              display version and exit

Commands:
  dast                   Test the given app for bugs and vulnerabilities

DAST Scans

Usage: nullify dast [--app-name APP-NAME] [--spec-path SPEC-PATH] [--target-host TARGET-HOST] [--header HEADER] [--github-owner GITHUB-OWNER] [--github-repo GITHUB-REPO] [--local] [--image-label IMAGE-LABEL] [--force-pull] [--use-host-network]

Options:
  --app-name APP-NAME    The unique name of the app to be scanned, you can set this to anything e.g. Core API
  --spec-path SPEC-PATH
                         The file path to the OpenAPI file (both yaml and json are supported) e.g. ./openapi.yaml
  --target-host TARGET-HOST
                         The base URL of the API to be scanned e.g. https://api.nullify.ai
  --header HEADER        List of headers for the DAST agent to authenticate with your API, separated by commas e.g. "Authorization: Bearer 1234,X-Custom-Header: abcxyz"
  --github-owner GITHUB-OWNER
                         The GitHub username or organisation
  --github-repo GITHUB-REPO
                         The repository name to create the Nullify issue dashboard in e.g. cli
  --local                Test the given app locally for bugs and vulnerabilities in private networks
  --image-label IMAGE-LABEL
                         Version of the DAST local image that is used for scanning [default: latest]
  --force-pull           Force a docker pull of the latest version of the DAST local image
  --use-host-network     Use the host network for the DAST local scan

Global options:
  --host HOST            The base URL of your Nullify API instance [default: api.nullify.ai]
  --verbose, -v          Enable verbose logging
  --debug, -d            Enable debug logging
  --nullify-token NULLIFY-TOKEN
                         Nullify API token
  --github-token GITHUB-TOKEN
                         GitHub actions job token to exchange for a Nullify API token
  --help, -h             display this help and exit
  --version              display version and exit

Authentication

The Nullify CLI needs to authenticate with the Nullify API.

This can be done in one of the following ways, using the global options listed above: pass a Nullify API token directly with --nullify-token, or, when running in GitHub Actions, pass the job token with --github-token and the CLI exchanges it for a Nullify API token.

Example DAST Scan

Cloud Hosted Scan:

nullify dast \
  --app-name      "My REST API" \
  --spec-path     "./openapi.json" \
  --target-host   "https://api.myapp1234.dev" \
  --github-owner  "my-username" \
  --github-repo   "my-repo" \
  --header        "Authorization: Bearer 1234,X-Custom-Header: abcxyz"

Locally Hosted Scan:

nullify dast \
  --app-name      "My REST API" \
  --spec-path     "./openapi.json" \
  --target-host   "https://api.myapp1234.dev" \
  --github-owner  "my-username" \
  --github-repo   "my-repo" \
  --header        "Authorization: Bearer 1234,X-Custom-Header: abcxyz" \
  --local

Same Machine Scan:

nullify dast \
  --app-name      "My REST API" \
  --spec-path     "./openapi.json" \
  --target-host   "https://api.myapp1234.dev" \
  --github-owner  "my-username" \
  --github-repo   "my-repo" \
  --header        "Authorization: Bearer 1234,X-Custom-Header: abcxyz" \
  --use-host-network \
  --local

The locally hosted scan can be run from within private networks to test private APIs.
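The three invocations above differ only in the --local and --use-host-network flags, and the header string is a single comma-separated argument. The wrapper below is an added example, not code from the Nullify repository: it builds that header string from "Name: value" pairs, validates the spec path, and picks the scan mode from the target host so a private address is never sent to the cloud scanner by mistake. NULLIFY_TOKEN and API_BEARER_TOKEN are hypothetical environment variable names chosen for this example.

```shell
#!/bin/sh
# Added example wrapper around `nullify dast`; not part of the Nullify CLI repo.
# Assumes the caller exports NULLIFY_TOKEN and API_BEARER_TOKEN (hypothetical
# names) from a secrets store, so tokens are not typed into shell history.

# Join "Name: value" pairs into the comma-separated string --header expects.
build_header_arg() {
  out=""
  for h in "$@"; do
    case "$h" in
      *:*) ;;
      *) echo "header must be 'Name: value': $h" >&2; return 1 ;;
    esac
    if [ -z "$out" ]; then out="$h"; else out="$out,$h"; fi
  done
  printf '%s' "$out"
}

# Fail early if the OpenAPI spec is missing or not yaml/json.
check_spec_path() {
  [ -f "$1" ] || { echo "spec not found: $1" >&2; return 1; }
  case "$1" in
    *.yaml|*.yml|*.json) return 0 ;;
    *) echo "spec must be .yaml/.yml/.json: $1" >&2; return 1 ;;
  esac
}

# Pick scan mode from the target host: loopback and RFC 1918 addresses are not
# reachable from the cloud scanner, so use the local agent (host network for loopback).
scan_mode_flags() {
  host=$(printf '%s' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##')
  case "$host" in
    localhost|127.*) printf '%s' "--local --use-host-network" ;;
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) printf '%s' "--local" ;;
    *) printf '%s' "" ;;
  esac
}

# Compose and run the scan. Tokens still appear in the nullify process's argv,
# which other local users can read, so run this on a non-shared CI runner.
run_dast() {
  app="$1"; spec="$2"; target="$3"; owner="$4"; repo="$5"
  check_spec_path "$spec" || return 1
  hdr=$(build_header_arg "Authorization: Bearer ${API_BEARER_TOKEN:?unset}") || return 1
  # $(scan_mode_flags) is intentionally unquoted: it yields zero or more flags.
  nullify --nullify-token "${NULLIFY_TOKEN:?unset}" dast \
    --app-name "$app" --spec-path "$spec" --target-host "$target" \
    --github-owner "$owner" --github-repo "$repo" \
    --header "$hdr" $(scan_mode_flags "$target")
}
```

Call it as `run_dast "My REST API" ./openapi.json https://api.myapp1234.dev my-username my-repo` after exporting the two variables.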

Global Options

Name           Description                                                             Required  Default
host           The base URL of your Nullify API instance, e.g. https://api.nullify.ai  false     https://api.nullify.ai
verbose        Enable verbose logging                                                  false
debug          Enable debug logging                                                    false
nullify-token  Nullify API token                                                       false
github-token   GitHub actions job token to exchange for a Nullify API token            false
help           Display help and exit                                                   false
version        Display version and exit                                                false

DAST Options

Name          Description                                                                                          Required  Default
app-name      The unique name of the app to be scanned, e.g. Core API                                              true
spec-path     The file path to the OpenAPI file (both yaml and json are supported), e.g. ./openapi.yaml           true
target-host   The base URL of the API to be scanned, e.g. https://api.nullify.ai                                   true
github-owner  The GitHub username or organisation to create the Nullify issue dashboard in, e.g. nullify-platform  true
github-repo   The repository name to create the Nullify issue dashboard in, e.g. cli                               true
header        List of headers for the DAST agent to authenticate with your API, string separated by commas         false
local         Test the given app locally for bugs and vulnerabilities in private networks                          false
version       Version of the DAST local image that is used for scanning                                            false     latest