feat: secure credentials — LLM never receives credential values
Adds --credentials KEY=VALUE[,...] and --credentials-file path.json CLI
flags so authorization secrets (usernames, passwords, API keys) can be
supplied to a scan without the LLM ever seeing the actual values.
How it works:
- Credential names are listed in the system prompt so the LLM knows
what is available.
- The LLM writes {{NAME}} placeholders in any tool input (shell commands,
HTTP bodies, file writes, etc.).
- Before the tool executes, the framework substitutes the real value; after
execution, any credential values in the output are replaced with
[CREDENTIAL:NAME] before the LLM sees the result.
- The LLM therefore never handles the actual secret at any point in the
conversation history.
Changes:
- strix/interface/main.py: --credentials / --credentials-file flags with
full validation (_parse_credentials helper)
- strix/interface/cli.py, tui/app.py: forward credentials into scan_config
- strix/core/inputs.py: add credential_names to system prompt context;
skip parallel_tool_calls=False when routing via proxy to avoid a Bedrock
tool_choice.type error
- strix/core/runner.py: place credentials dict in runtime context so all
tool wrappers can read them via ctx.context["credentials"]
- strix/tools/credentials/tool.py: substitute_credentials() and
scrub_credentials() pure utilities
- strix/agents/factory.py: _wrap_credential_substitution() applied to
_BASE_TOOLS, exec_command, write_stdin, and filesystem tools; uses
dataclasses.replace for singleton FunctionTools, in-place mutation for
subclasses (e.g. ViewImageTool) that override __init__
- strix/agents/prompts/system_prompt.jinja: CREDENTIALS AVAILABLE block
explains {{NAME}} placeholder syntax using {% raw %} so Jinja does not
evaluate the braces as template expressions
- pyproject.toml: pytest dev dependency and ruff per-file ignores
- tests: 31 tests covering CLI parsing, scope context, substitution,
scrubbing, and wrapper integration
- docs: README, cli.mdx, instructions.mdx updated to document the new
flags and remove inline secret examples
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
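As an added illustration of the substitute/scrub cycle the description above lays out (example code written for this review, not Strix's `strix/tools/credentials/tool.py`; it reuses the two function names from the change list, but the regex, the bodies and the handling of encoded forms are assumptions made here, and the sample command and curl transcript are constructed):

```python
"""Placeholder substitution and output scrubbing for scan credentials.

Added example for this review, not the project's own code. The names
substitute_credentials / scrub_credentials come from the PR's change list;
everything else here (regex, behaviour, encoded-form scrubbing) is assumed.
"""
import base64
import re
import urllib.parse
from typing import Dict, Iterable, Mapping, Tuple

# {{NAME}} as the system prompt describes it: exact, case-sensitive name.
PLACEHOLDER = re.compile(r"\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}")


def substitute_credentials(text: str, creds: Mapping[str, str]) -> str:
    """Replace every {{NAME}} in text with creds[NAME] (plain textual substitution).

    An unknown name raises instead of leaving the literal placeholder in the
    command, so a typo such as {{PASSWRD}} is never sent to a target verbatim.
    No shell quoting is applied: a value containing spaces or metacharacters
    is still the caller's problem in an exec_command context.
    """
    def repl(match):
        name = match.group(1)
        if name not in creds:
            raise KeyError(f"unknown credential placeholder {{{{{name}}}}}")
        return creds[name]

    return PLACEHOLDER.sub(repl, text)


def scrub_exact(text: str, creds: Mapping[str, str]) -> str:
    """What the PR description states: replace each raw value with [CREDENTIAL:NAME]."""
    for name, value in sorted(creds.items(), key=lambda kv: len(kv[1]), reverse=True):
        if value:
            text = text.replace(value, f"[CREDENTIAL:{name}]")
    return text


def _encoded_forms(creds: Mapping[str, str]) -> Iterable[Tuple[str, str]]:
    """Yield (label, needle) for each raw value and the encodings tools commonly print."""
    for name, value in creds.items():
        if not value:
            continue
        yield name, value
        yield name, urllib.parse.quote(value, safe="")          # ?pw=s3cret%21pw
        yield name, base64.b64encode(value.encode()).decode()  # base64 of one value
    # HTTP Basic auth joins two credentials: Authorization: Basic base64(user:pass).
    for uname, uval in creds.items():
        for pname, pval in creds.items():
            if uname != pname and uval and pval:
                token = base64.b64encode(f"{uval}:{pval}".encode()).decode()
                yield f"{uname}:{pname}", token


def scrub_credentials(text: str, creds: Mapping[str, str]) -> str:
    """Replace raw values and their common encodings with [CREDENTIAL:LABEL].

    Longest needle first: with values "admin" and "admin123", replacing "admin"
    first would leave "[CREDENTIAL:A]123" behind and leak most of the second.
    """
    needles: Dict[str, str] = {}
    for label, needle in _encoded_forms(creds):
        needles.setdefault(needle, label)
    for needle, label in sorted(needles.items(), key=lambda kv: len(kv[0]), reverse=True):
        text = text.replace(needle, f"[CREDENTIAL:{label}]")
    return text


# Constructed sample: the agent's command and a verbose curl transcript.
CREDS = {"USERNAME": "admin", "PASSWORD": "s3cret!pw"}
COMMAND = "curl -sv -u {{USERNAME}}:{{PASSWORD}} http://target.example/login"
TOOL_OUTPUT = (
    "> GET /login HTTP/1.1\n"
    "> Authorization: Basic YWRtaW46czNjcmV0IXB3\n"   # base64("admin:s3cret!pw")
    "< HTTP/1.1 302 Found\n"
    "< Location: http://target.example/?user=admin&pw=s3cret%21pw\n"
)


def demo() -> Dict[str, str]:
    """Run both scrubbers over the sample so the difference is visible."""
    return {
        "command": substitute_credentials(COMMAND, CREDS),
        "exact": scrub_exact(TOOL_OUTPUT, CREDS),
        "scrubbed": scrub_credentials(TOOL_OUTPUT, CREDS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"--- {key} ---\n{value}")
```

Running it shows the gap in raw-value scrubbing: `scrub_exact` masks `user=admin` but leaves `Authorization: Basic YWRtaW46czNjcmV0IXB3` and `pw=s3cret%21pw` intact, both of which decode back to the secret, while `scrub_credentials` also catches the Basic-auth token and the percent-encoded form. Neither function quotes values for the shell, which is the other thing to keep in mind with the `curl -u {{USERNAME}}:{{PASSWORD}}` pattern.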
Custom instructions for the scan. Use for credentials, focus areas, or specific testing approaches.
19
+
Custom instructions for the scan. Use for focus areas or specific testing approaches (e.g., "Focus on IDOR and auth bypass"). For credentials, use `--credentials` or `--credentials-file` instead.
Comma-separated `KEY=VALUE` credential pairs kept out of the LLM conversation. Reference credentials by name in `--instruction` (e.g., `"Log in using USERNAME and PASSWORD"`). Example: `--credentials USERNAME=admin,PASSWORD=secret`. File values from `--credentials-file` load first; inline values override on key collision.
Path to a JSON file of credential key-value pairs (e.g., `{"USERNAME": "admin"}`). Values are kept out of the LLM conversation. Inline `--credentials` values override file values on key collision.
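Review bot: the `--credentials USERNAME=admin,PASSWORD=secret` example puts the secret in argv, where it is visible in process listings and shell history; the `--credentials` text should steer users toward `--credentials-file` for real secrets and keep the inline form for throwaway values. The same line also needs to say what the comma-separated parser does with a value that itself contains `,` or `=` (a password often does): either state the escape rule or say plainly that such values must go through the JSON file.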
docs/usage/instructions.mdx
25 additions & 8 deletions
@@ -3,7 +3,7 @@ title: "Custom Instructions"
3
3
description: "Guide Strix with custom testing instructions"
4
4
---
5
5
6
-
Use instructions to provide context, credentials, or focus areas for your scan.
6
+
Use instructions to provide context, focus areas, or specific testing approaches for your scan. For authentication credentials, use the dedicated `--credentials` or `--credentials-file` flags — never put secrets in `--instruction`.
Pass credentials separately from instructions using `--credentials` or `--credentials-file`. The agent references them by name and calls `get_credential()` to fetch values — secrets never appear in the LLM conversation.
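Review bot: the added sentence says the agent "calls `get_credential()` to fetch values", but that contradicts the mechanism described in the PR body and in the system-prompt hunk, where the agent writes `{{NAME}}` placeholders and the framework substitutes them before the tool runs; no `get_credential` tool appears in the Changes list either. Either the tool exists and belongs in the change list and tests, or this line should describe the placeholder syntax, since as written it teaches users (and anyone pasting it into `--instruction`) a call the agent does not have.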
Be specific. Good instructions help Strix prioritize the most valuable attack paths.
89
+
Be specific. Good instructions help Strix prioritize the most valuable attack paths. Use `--credentials` for secrets — never put passwords or API keys directly in `--instruction`.
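Review bot: "Use `--credentials` for secrets, never put passwords or API keys directly in `--instruction`" now appears both here and in the intro paragraph of the same document; one statement is enough, and the intro is the one readers see first.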
To use a credential, write {%raw%}{{NAME}}{%endraw%} as a placeholder directly in any tool input (e.g. {%raw%}`curl -u {{USERNAME}}:{{PASSWORD}} http://target`{%endraw%}). The real value is substituted before the tool executes — you never see or handle the actual secret. Use the exact name listed above, case-sensitive.
74
+
{%endif%}
67
75
68
76
AUTHORIZATION STATUS:
69
77
- You have FULL AUTHORIZATION for authorized security validation on in-scope targets to help secure the target systems/app
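Review bot: the `curl -u {{USERNAME}}:{{PASSWORD}}` example is filled in by plain textual substitution, so a password containing a space, `$`, `;` or a quote is split or interpreted by the shell before curl sees it (and `!` is history-expanded in an interactive bash). The prompt should tell the agent to wrap placeholders in single quotes, or the exec_command wrapper should shell-quote substituted values. Separately, the scrub step described in the PR replaces the raw value only, while verbose curl prints `Authorization: Basic <base64(user:pass)>` and redirect URLs carry the value percent-encoded, neither of which matches the raw string; the secret then reaches the LLM in encoded form. Scrubbing those derived forms too, or telling the agent not to use verbose output with credentials, closes that gap.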