Module: github.com/nullify-platform/cli
Version: 0.10.13
Repository: https://github.com/nullify-platform/cli.git
Documentation: pkg.go.dev

# README

Nullify CLI


Nullify CLI dynamically tests and fuzzes your endpoints for security vulnerabilities.

Getting Started

Usage

Usage: nullify [--host HOST] [--verbose] [--debug] [--nullify-token NULLIFY-TOKEN] [--github-token GITHUB-TOKEN] <command> [<args>]

Options:
  --host HOST            The base URL of your Nullify API instance [default: api.nullify.ai]
  --verbose, -v          Enable verbose logging
  --debug, -d            Enable debug logging
  --nullify-token NULLIFY-TOKEN
                         Nullify API token
  --github-token GITHUB-TOKEN
                         GitHub actions job token to exchange for a Nullify API token
  --help, -h             display this help and exit
  --version              display version and exit

Commands:
  dast                   Test the given app for bugs and vulnerabilities

DAST Scans

Usage: nullify dast [--app-name APP-NAME] [--spec-path SPEC-PATH] [--target-host TARGET-HOST] [--header HEADER] [--github-owner GITHUB-OWNER] [--github-repo GITHUB-REPO] [--local] [--image-label IMAGE-LABEL] [--force-pull] [--use-host-network]

Options:
  --app-name APP-NAME    The unique name of the app to be scanned, you can set this to anything e.g. Core API
  --spec-path SPEC-PATH
                         The file path to the OpenAPI file (both yaml and json are supported) e.g. ./openapi.yaml
  --target-host TARGET-HOST
                         The base URL of the API to be scanned e.g. https://api.nullify.ai
  --header HEADER        List of headers for the DAST agent to authenticate with your API, separated by commas e.g. "Authorization: Bearer 1234,X-Custom-Header: abcxyz"
  --github-owner GITHUB-OWNER
                         The GitHub username or organisation
  --github-repo GITHUB-REPO
                         The repository name to create the Nullify issue dashboard in e.g. cli
  --local                Test the given app locally for bugs and vulnerabilities in private networks
  --image-label IMAGE-LABEL
                         Version of the DAST local image that is used for scanning [default: latest]
  --force-pull           Force a docker pull of the latest version of the DAST local image
  --use-host-network     Use the host network for the DAST local scan

Global options:
  --host HOST            The base URL of your Nullify API instance [default: api.nullify.ai]
  --verbose, -v          Enable verbose logging
  --debug, -d            Enable debug logging
  --nullify-token NULLIFY-TOKEN
                         Nullify API token
  --github-token GITHUB-TOKEN
                         GitHub actions job token to exchange for a Nullify API token
  --help, -h             display this help and exit
  --version              display version and exit

Authentication

The Nullify CLI needs to authenticate with the Nullify API. A token can be supplied in one of the following ways:

  • Using the --nullify-token option
  • Using the NULLIFY_TOKEN environment variable
  • From a GitHub Actions job, passing the job token with --github-token; the CLI exchanges it for a Nullify API token

On shared hosts and CI runners, prefer the environment variable over the command-line option: arguments are visible to other users in process listings and are written to shell history, while an environment variable is not. The same caveat applies to the credentials passed with --header.

Example DAST Scan

Cloud Hosted Scan:

nullify dast \
  --app-name      "My REST API" \
  --spec-path     "./openapi.json" \
  --target-host   "https://api.myapp1234.dev" \
  --github-owner  "my-username" \
  --github-repo   "my-repo" \
  --header        "Authorization: Bearer 1234,X-Custom-Header: abcxyz"

Locally Hosted Scan:

nullify dast \
  --app-name      "My REST API" \
  --spec-path     "./openapi.json" \
  --target-host   "https://api.myapp1234.dev" \
  --github-owner  "my-username" \
  --github-repo   "my-repo" \
  --header        "Authorization: Bearer 1234,X-Custom-Header: abcxyz" \
  --local

Same Machine Scan:

nullify dast \
  --app-name      "My REST API" \
  --spec-path     "./openapi.json" \
  --target-host   "https://api.myapp1234.dev" \
  --github-owner  "my-username" \
  --github-repo   "my-repo" \
  --header        "Authorization: Bearer 1234,X-Custom-Header: abcxyz" \
  --use-host-network \
  --local

The locally hosted scan (--local) runs the DAST agent as a Docker image on the machine where the CLI is invoked, so it can be run from within private networks to test APIs that are not reachable from the Nullify cloud. Add --use-host-network when the API under test runs on the same machine: the container then shares the host's network namespace and can reach services bound to localhost, so --target-host can point at the local address.
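The --header value used in the examples above is a plain comma-separated list of `Name: value` pairs, which means a header whose value itself contains a comma cannot be expressed in that format. The following Go program is an added example, not the CLI's own code: it parses that list format into an http.Header and rejects malformed entries, resolves the API token with the flag taking precedence over NULLIFY_TOKEN (that precedence is an assumption for the example, not documented on this page), and masks credential-bearing headers before they are logged. The function names and sample inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// ParseHeaderList parses the comma-separated header list accepted by
// `nullify dast --header`, e.g. "Authorization: Bearer 1234,X-Custom-Header: abcxyz",
// into an http.Header. Entries are split on ',' first and on the first ':' second,
// so a value containing a comma is rejected rather than silently truncated.
// (Example parser; the CLI's own parsing may differ.)
func ParseHeaderList(list string) (http.Header, error) {
	h := http.Header{}
	if strings.TrimSpace(list) == "" {
		return h, nil
	}
	for _, field := range strings.Split(list, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			return nil, errors.New("empty header entry in list")
		}
		name, value, ok := strings.Cut(field, ":")
		if !ok {
			return nil, fmt.Errorf("header entry %q has no ':' separator", field)
		}
		name = strings.TrimSpace(name)
		if name == "" || strings.ContainsAny(name, " \t") {
			return nil, fmt.Errorf("invalid header name %q", name)
		}
		h.Add(name, strings.TrimSpace(value))
	}
	return h, nil
}

// ResolveToken returns the Nullify API token and where it came from.
// Assumed precedence (not stated on the page): --nullify-token, then NULLIFY_TOKEN.
// lookupEnv is injected so the logic can be tested without touching the real environment.
func ResolveToken(flagValue string, lookupEnv func(string) (string, bool)) (string, string, error) {
	if flagValue != "" {
		return flagValue, "flag", nil
	}
	if v, ok := lookupEnv("NULLIFY_TOKEN"); ok && v != "" {
		return v, "env", nil
	}
	return "", "", errors.New("no Nullify API token: pass --nullify-token or set NULLIFY_TOKEN")
}

// isSensitive reports whether a header conventionally carries a credential.
func isSensitive(name string) bool {
	switch http.CanonicalHeaderKey(name) {
	case "Authorization", "Proxy-Authorization", "Cookie", "X-Api-Key":
		return true
	}
	return false
}

// RedactHeaders returns a copy of h with credential-bearing values masked, so a
// verbose or debug log line of the outgoing request never contains the bearer token.
func RedactHeaders(h http.Header) http.Header {
	out := http.Header{}
	for name, values := range h {
		for _, v := range values {
			if isSensitive(name) {
				v = "<redacted>"
			}
			out.Add(name, v)
		}
	}
	return out
}

func main() {
	// Constructed sample input, taken from the README's --header example.
	list := "Authorization: Bearer 1234,X-Custom-Header: abcxyz"
	h, err := ParseHeaderList(list)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	for name, vals := range RedactHeaders(h) {
		fmt.Printf("%s: %s\n", name, strings.Join(vals, ", "))
	}
	// A value that itself contains a comma cannot be expressed in this format.
	if _, err := ParseHeaderList("Accept: text/html,application/json"); err != nil {
		fmt.Println("rejected:", err)
	}
	tok, src, err := ResolveToken("", os.LookupEnv)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("token from %s (%d bytes)\n", src, len(tok))
}
```

Because the split on ',' happens before the split on ':', the second fragment of a comma-containing value has no colon and is reported as an error, which is the failure mode to watch for when passing headers such as Accept through this flag.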

Global Options

| Name | Description | Required | Default |
|------|-------------|----------|---------|
| host | The base URL of your Nullify API instance, e.g. https://api.nullify.ai | false | https://api.nullify.ai |
| verbose | Enable verbose logging | false | |
| debug | Enable debug logging | false | |
| nullify-token | Nullify API token | false | |
| github-token | GitHub Actions job token to exchange for a Nullify API token | false | |
| help | Display help and exit | false | |
| version | Display version and exit | false | |

DAST Options

| Name | Description | Required | Default |
|------|-------------|----------|---------|
| app-name | The unique name of the app to be scanned, e.g. Core API | true | |
| spec-path | The file path to the OpenAPI file (both yaml and json are supported), e.g. ./openapi.yaml | true | |
| target-host | The base URL of the API to be scanned, e.g. https://api.nullify.ai | true | |
| github-owner | The GitHub username or organisation to create the Nullify issue dashboard in, e.g. nullify-platform | true | |
| github-repo | The repository name to create the Nullify issue dashboard in, e.g. cli | true | |
| header | List of headers for the DAST agent to authenticate with your API, as a single string separated by commas | false | |
| local | Test the given app locally for bugs and vulnerabilities in private networks | false | |
| image-label | Version of the DAST local image that is used for scanning | false | latest |
| force-pull | Force a docker pull of the latest version of the DAST local image | false | |
| use-host-network | Use the host network for the DAST local scan | false | |
