From 883e38f2dfa699f8c83dfde99c8b9186e6ee5424 Mon Sep 17 00:00:00 2001 From: wehub-resource-sync Date: Mon, 13 Jul 2026 09:57:07 +0000 Subject: [PATCH] docs: make Chinese README the default --- README.md | 168 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 87 insertions(+), 81 deletions(-) diff --git a/README.md b/README.md index 390d04d..71f334b 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,9 @@ + +> [!NOTE] +> 本文档由 WeHub 基于上游 README 翻译整理,属于社区翻译,非官方中文文档。 +> [English](./README.en.md) · [原始项目](https://github.com/usestrix/strix) · [上游 README](https://github.com/usestrix/strix/blob/HEAD/README.md) +> 原作者、版权与许可证归属以原始项目及本仓库 LICENSE 文件为准。 +

Strix Banner @@ -8,7 +14,7 @@ # Strix -### The open-source AI pentesting tool. Autonomous AI hackers that find and fix your app’s vulnerabilities. +### 开源 AI 渗透测试工具。自主 AI 黑客可发现并修复你应用中的漏洞。
@@ -34,22 +40,22 @@ > [!TIP] -> **New!** Strix integrates seamlessly with GitHub Actions and CI/CD pipelines. Automatically scan for vulnerabilities on every pull request and block insecure code before it reaches production - [Get started with no setup required](https://app.strix.ai). +> **全新!** Strix 可与 GitHub Actions 和 CI/CD 流水线无缝集成。在每次拉取请求时自动扫描漏洞,并在不安全代码进入生产环境前将其拦截 - [无需配置即可开始](https://app.strix.ai). --- -## Strix Overview +## Strix 概览 -Strix are autonomous AI penetration testing agents that act just like real hackers - they run your code dynamically, find vulnerabilities, and validate them through actual proofs-of-concept. Built for developers and security teams who need fast, accurate security testing without the overhead of manual pentesting or the false positives of static analysis tools. +Strix 是自主 AI 渗透测试智能体,其行为与真实黑客如出一辙——它们会动态运行你的代码、发现漏洞,并通过实际的概念验证(proof-of-concept,PoC)加以验证。面向需要快速、准确安全测试的开发者和安全团队而构建,无需承担手动渗透测试的开销,也避免了静态分析工具常见的误报。 -**Key Capabilities:** +**核心能力:** -- **Full pentesting toolkit** - reconnaissance, exploitation, and validation out of the box -- **Multi-agent orchestration** - teams of AI pentesters that collaborate and scale -- **Real exploit validation** - working PoCs, not false positives like legacy vulnerability scanners -- **Developer‑first CLI** - actionable findings with remediation guidance -- **Auto‑fix & reporting** - generate patches and compliance-ready pentest reports +- **完整渗透测试工具包** - 开箱即用的侦察、利用与验证能力 +- **多智能体编排** - 协作并可扩展的 AI 渗透测试团队 +- **真实漏洞利用验证** - 提供可用的 PoC,而非传统漏洞扫描器那样的误报 +- **开发者优先 CLI** - 提供可操作的发现结果与修复指导 +- **自动修复与报告** - 生成补丁及符合合规要求的渗透测试报告
@@ -62,20 +68,20 @@ Strix are autonomous AI penetration testing agents that act just like real hacke -## Use Cases +## 使用场景 -- **Application Security Testing** - Detect and validate critical vulnerabilities in your applications -- **Rapid Penetration Testing** - Get penetration tests done in hours, not weeks, with compliance reports -- **Bug Bounty Automation** - Automate bug bounty research and generate PoCs for faster reporting -- **CI/CD Integration** - Run tests in CI/CD to block vulnerabilities before reaching production +- **应用安全测试** - 检测并验证应用中的关键漏洞 +- **快速渗透测试** - 在数小时而非数周内完成渗透测试,并生成合规报告 +- **漏洞赏金自动化** - 自动化漏洞赏金研究,生成 PoC 以加快报告速度 +- **CI/CD 集成** - 在 CI/CD 中运行测试,在漏洞进入生产环境前将其拦截 -## 🚀 Quick Start +## 🚀 快速开始 -**Prerequisites:** -- Docker (running) -- An LLM API key from any [supported provider](https://docs.strix.ai/llm-providers/overview) (OpenAI, Anthropic, Google, etc.) +**前置条件:** +- Docker(已运行) +- 来自任意[受支持提供商](https://docs.strix.ai/llm-providers/overview) (OpenAI、Anthropic、Google 等) 的 LLM API 密钥 -### Installation & First Scan +### 安装与首次扫描 ```bash # Install Strix @@ -90,64 +96,64 @@ strix --target ./app-directory ``` > [!NOTE] -> First run automatically pulls the sandbox Docker image. Results are saved to `strix_runs/` +> 首次运行会自动拉取沙箱 Docker 镜像。结果将保存至 `strix_runs/` --- -## ☁️ Strix Platform +## ☁️ Strix 平台 -Try the Strix full-stack penetration testing platform at **[app.strix.ai](https://app.strix.ai)** - sign up for free, connect your repos and domains, and launch a pentest in minutes. +在 **[app.strix.ai](https://app.strix.ai)** 免费注册,连接你的代码仓库与域名,数分钟内即可启动渗透测试,体验 Strix 全栈渗透测试平台。 -- **Validated findings with PoCs** - every vulnerability includes a working proof-of-concept exploit and reproduction steps -- **One-click autofix** - AI-generated security patches as ready-to-merge pull requests -- **Continuous pentesting** - always-on vulnerability scanning that keeps pace with your deployments -- **DevSecOps integrations** - GitHub, GitLab, Bitbucket, Slack, Jira, Linear, and CI/CD pipelines -- **Continuous learning** - AI that builds on past findings, adapts to your codebase, and reduces false positives over time +- **经 PoC 验证的发现** - 每个漏洞均包含可用的概念验证利用代码与复现步骤 +- **一键自动修复** - AI 生成的安全补丁,以可直接合并的拉取请求形式提供 +- **持续渗透测试** - 始终在线的漏洞扫描,与你的部署节奏保持同步 +- **DevSecOps 集成** - 支持 GitHub、GitLab、Bitbucket、Slack、Jira、Linear 及 CI/CD 流水线 +- **持续学习** - AI 会基于历史发现持续积累,适配你的代码库,并随时间减少误报 -[**Start your first pentest →**](https://app.strix.ai) +[**启动你的首次渗透测试 →**](https://app.strix.ai) --- -## ✨ Features +## ✨ 功能特性 -### Agentic Pentesting Tools +### 智能体渗透测试工具 -Strix agents come equipped with a comprehensive offensive security toolkit - the same tools used by professional penetration testers and ethical hackers: +Strix 智能体配备全面的进攻性安全工具包——与专业渗透测试人员和道德黑客使用的工具相同: -- **HTTP Interception Proxy** - Full request/response manipulation and analysis with Caido -- **Browser Exploitation** - Automated browser for testing XSS, CSRF, clickjacking, and auth bypass flows -- **Shell & Command Execution** - Interactive terminal for exploit development and post-exploitation -- **Custom Exploit Runtime** - Python sandbox for writing and validating proof-of-concept exploits -- **Reconnaissance & OSINT** - Automated attack surface mapping, subdomain enumeration, and fingerprinting -- **Static & Dynamic Code Analysis** - SAST + DAST capabilities for comprehensive application security testing -- **Vulnerability Knowledge Base** - Structured findings with CVSS scoring and OWASP classification +- **HTTP 拦截代理** - 借助 Caido 实现完整的请求/响应操控与分析 +- **浏览器利用** - 自动化浏览器,用于测试 XSS、CSRF、点击劫持及认证绕过流程 +- **Shell 与命令执行** - 交互式终端,用于漏洞利用开发与后渗透操作 +- **自定义漏洞利用运行时** - Python 沙箱,用于编写并验证概念验证漏洞利用代码 +- **侦察与 OSINT** - 自动化攻击面映射、子域名枚举与指纹识别 +- **静态与动态代码分析** - SAST + DAST 能力,实现全面的应用安全测试 +- **漏洞知识库** - 结构化发现结果,附带 CVSS 评分与 OWASP 分类 -### Comprehensive Vulnerability Scanner +### 全面漏洞扫描器 -Strix identifies, validates, and exploits a wide range of security vulnerabilities across the OWASP Top 10 and beyond: +Strix 可识别、验证并利用 OWASP Top 10 及更广范围内的各类安全漏洞: -- **Broken Access Control** - IDOR, privilege escalation, auth bypass -- **Injection Attacks** - SQL injection, NoSQL injection, OS command injection, SSTI -- **Server-Side Vulnerabilities** - SSRF, XXE, insecure deserialization, RCE -- **Client-Side Attacks** - XSS (stored/reflected/DOM), prototype pollution, CSRF -- **Business Logic Flaws** - Race conditions, payment manipulation, workflow bypass -- **Authentication & Session** - JWT attacks, session fixation, credential stuffing vectors -- **Infrastructure & Cloud** - Misconfigurations, exposed services, cloud security issues -- **API Security** - Broken authentication, mass assignment, rate limiting bypass +- **访问控制失效** - IDOR、权限提升、认证绕过 +- **注入攻击** - SQL 注入、NoSQL 注入、操作系统命令注入、SSTI +- **服务端漏洞** - SSRF、XXE、不安全的反序列化、RCE +- **客户端攻击** - XSS(存储型/反射型/DOM)、原型污染、CSRF +- **业务逻辑缺陷** - 竞态条件、支付操纵、工作流绕过 +- **认证与会话** - JWT 攻击、会话固定、凭证填充向量 +- **基础设施与云** - 配置错误、暴露服务、云安全问题 +- **API 安全** - 认证失效、批量赋值、速率限制绕过 -### Graph of Agents (Multi-Agent Pentesting) +### 智能体图谱(多智能体渗透测试) -Advanced multi-agent orchestration for comprehensive automated penetration testing: +先进的多智能体编排,实现全面的自动化渗透测试: -- **Distributed Pentesting** - Specialized AI agents for recon, exploitation, and post-exploitation -- **Scalable Security Testing** - Parallel execution across multiple targets for fast, comprehensive coverage -- **Dynamic Coordination** - Agents share discoveries, chain vulnerabilities, and collaborate like a red team +- **分布式渗透测试** - 专用于侦察、利用与后渗透的 AI 智能体 +- **可扩展安全测试** - 跨多个目标并行执行,实现快速、全面的覆盖 +- **动态协同** - 智能体共享发现、串联漏洞,像红队一样协作 --- -## Usage Examples +## 使用示例 -### Basic Usage +### 基础用法 ```bash # Scan a local codebase @@ -160,7 +166,7 @@ strix --target https://github.com/org/repo strix --target https://your-app.com ``` -### Advanced Testing Scenarios +### 高级测试场景 ```bash # Grey-box authenticated testing @@ -185,17 +191,17 @@ strix --target api.your-app.com --instruction-file ./instruction.md strix -n --target ./ --scan-mode quick --scope-mode diff --diff-base origin/main ``` -### Headless Mode +### 无头模式(Headless Mode) -Run Strix programmatically without interactive UI using the `-n/--non-interactive` flag - perfect for servers and automated jobs. The CLI prints real-time vulnerability findings and the final report before exiting. Exits with non-zero code when vulnerabilities are found. +使用 `-n/--non-interactive` 标志,即可在无需交互式 UI 的情况下以编程方式运行 Strix,非常适合服务器与自动化任务。CLI 会实时打印漏洞发现结果,并在退出前输出最终报告。若发现漏洞,进程将以非零退出码退出。 ```bash strix -n --target https://your-app.com ``` -### CI/CD (GitHub Actions) +### CI/CD(GitHub Actions) -Strix can be added to your pipeline to run a security test on pull requests with a lightweight GitHub Actions workflow: +可将 Strix 集成到你的流水线中,通过轻量级 GitHub Actions 工作流对 Pull Request 执行安全测试: ```yaml name: strix-penetration-test @@ -223,11 +229,11 @@ jobs: ``` > [!TIP] -> In CI pull request runs, Strix automatically scopes quick reviews to changed files. -> If diff-scope cannot resolve, ensure checkout uses full history (`fetch-depth: 0`) or pass -> `--diff-base` explicitly. +> 在 CI 的 Pull Request 运行中,Strix 会自动将快速审查范围限定为已变更文件。 +> 若 diff-scope 无法解析,请确保 checkout 使用完整历史(`fetch-depth: 0`),或显式传入 +> `--diff-base`。 -### Configuration +### 配置 ```bash export STRIX_LLM="openai/gpt-5.4" @@ -240,42 +246,42 @@ export STRIX_REASONING_EFFORT="high" # control thinking effort (default: high, ``` > [!NOTE] -> Strix automatically saves your configuration to `~/.strix/cli-config.json`, so you don't have to re-enter it on every run. +> Strix 会自动将配置保存到 `~/.strix/cli-config.json`,因此你无需在每次运行时重新输入。 -**Recommended models for best results:** +**推荐模型(效果最佳):** - [OpenAI GPT-5.4](https://openai.com/api/) - `openai/gpt-5.4` - [Anthropic Claude Sonnet 4.6](https://claude.com/platform/api) - `anthropic/claude-sonnet-4-6` - [Google Gemini 3 Pro Preview](https://cloud.google.com/vertex-ai) - `vertex_ai/gemini-3-pro-preview` -See the [LLM Providers documentation](https://docs.strix.ai/llm-providers/overview) for all supported providers including Vertex AI, Bedrock, Azure, and local models. +请参阅 [LLM 提供商文档](https://docs.strix.ai/llm-providers/overview),了解所有受支持的提供商,包括 Vertex AI、Bedrock、Azure 及本地模型。 -## Enterprise Pentesting +## 企业级渗透测试 -Get the same Strix experience with [enterprise-grade](https://strix.ai/demo) controls: SSO (SAML/OIDC), custom compliance-ready penetration testing reports (SOC 2, ISO 27001, PCI DSS), dedicated support & SLA, custom deployment options (VPC/self-hosted), BYOK model support, and tailored AI pentesting agents optimized for your environment. [Learn more](https://strix.ai/demo). +以 [企业级](https://strix.ai/demo) 管控获得同样的 Strix 体验:SSO(SAML/OIDC)、可定制的合规就绪渗透测试报告(SOC 2、ISO 27001、PCI DSS)、专属支持与 SLA、自定义部署选项(VPC/自托管)、BYOK 模型支持,以及针对你的环境优化的定制 AI 渗透测试智能体。[了解更多](https://strix.ai/demo). -## Documentation +## 文档 -Full documentation is available at **[docs.strix.ai](https://docs.strix.ai)** - including detailed guides for usage, CI/CD integrations, skills, and advanced configuration. +完整文档请参阅 **[docs.strix.ai](https://docs.strix.ai)** —— 其中包含用法、CI/CD 集成、技能(skills)及高级配置的详细指南。 -## Contributing +## 贡献 -We welcome contributions of code, docs, and new skills - check out our [Contributing Guide](https://docs.strix.ai/contributing) to get started or open a [pull request](https://github.com/usestrix/strix/pulls)/[issue](https://github.com/usestrix/strix/issues). +欢迎贡献代码、文档与新技能——查看我们的 [贡献指南](https://docs.strix.ai/contributing) 入门,或提交 [Pull Request](https://github.com/usestrix/strix/pulls)/[issue](https://github.com/usestrix/strix/issues). -## Join Our Community +## 加入社区 -Have questions? Found a bug? Want to contribute? **[Join our Discord!](https://discord.gg/strix-ai)** +有问题?发现 Bug?想参与贡献?**[加入我们的 Discord!](https://discord.gg/strix-ai)** -## Support the Project +## 支持本项目 -**Love Strix?** Give us a ⭐ on GitHub! +**喜欢 Strix?** 请在 GitHub 上给我们点个 ⭐! -## Acknowledgements +## 致谢 -Strix builds on the incredible work of open-source projects like [LiteLLM](https://github.com/BerriAI/litellm), [Caido](https://github.com/caido/caido), [Nuclei](https://github.com/projectdiscovery/nuclei), [Playwright](https://github.com/microsoft/playwright), and [Textual](https://github.com/Textualize/textual). Huge thanks to their maintainers! +Strix 建立在 [LiteLLM](https://github.com/BerriAI/litellm),、[Caido](https://github.com/caido/caido),、[Nuclei](https://github.com/projectdiscovery/nuclei),、[Playwright](https://github.com/microsoft/playwright), 和 [Textual](https://github.com/Textualize/textual). 等优秀开源项目的卓越工作之上。衷心感谢各位维护者! > [!WARNING] -> Only test apps you own or have permission to test. You are responsible for using Strix ethically and legally. +> 仅对你拥有或已获授权测试的应用进行测试。你须对以合乎道德与法律的方式使用 Strix 负责。