# NeuroSploit — Integrations Setup Guide (v3.5.3) Connect NeuroSploit to **GitHub**, **GitLab** and **Jira** so it can review private repositories and Pull Requests, watch branches for new code, and file a Jira **card per vulnerability**. > ⚠️ **Authorized testing only.** Use integrations against code/projects you own or > are explicitly permitted to test. --- ## Table of contents 1. [How it works (config & secrets)](#1-how-it-works) 2. [The `/integrations` command](#2-the-integrations-command) 3. [GitHub](#3-github) 4. [GitLab](#4-gitlab) 5. [Jira](#5-jira) 6. [Recipes](#6-recipes) 7. [Troubleshooting](#7-troubleshooting) --- ## 1. How it works - Integration config is **per project**, stored at `/.neurosploit/integrations.json`. - **Secrets are never written to disk.** The config only stores the **name** of the environment variable that holds each token (e.g. `GITHUB_TOKEN`). The real value is read from your environment at use time. Keep tokens in your shell / secret manager, not in the repo. - Enable/disable per integration; each is independent. Default env-var names (configurable): | Integration | Token env var(s) | |-------------|------------------| | GitHub | `GITHUB_TOKEN` | | GitLab | `GITLAB_TOKEN` | | Jira | `JIRA_EMAIL` + `JIRA_API_TOKEN` | --- ## 2. The `/integrations` command In the **REPL** (`neurosploit` with no args): ``` /integrations # show status of all three /integrations enable github # toggle on (also: gitlab | jira) /integrations disable jira # toggle off /integrations setup jira # interactive: base URL, project key, issue type /integrations setup gitlab # set the GitLab base (gitlab.com or self-hosted) /integrations setup github # set the API base (change only for GitHub Enterprise) ``` From the **CLI**: ```bash neurosploit integrations # show status neurosploit integrations enable github # enable / disable ``` `show` prints whether each is on and whether the token env var is currently set (`✓ token` / `⚠ token env not set`). --- ## 3. GitHub **a. Create a token.** GitHub → *Settings → Developer settings → Personal access tokens*. A classic PAT with the **`repo`** scope (read access to the private repos you'll test) is enough. Fine-grained tokens also work (grant *Contents: Read* and, for PR comments, *Pull requests: Read & write*). **b. Export it and enable:** ```bash export GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxx neurosploit integrations enable github ``` **c. What you can now do:** - **Clone & review a private repo** (token is injected into the clone URL, never printed): ```bash neurosploit whitebox https://github.com/myorg/private-app \ --subscription --model anthropic:claude-opus-4-8 -v ``` - **Review a Pull Request's code** — clones the PR head (`refs/pull/N/head`): ```bash neurosploit pr myorg/private-app 128 \ --subscription --model anthropic:claude-opus-4-8 --comment ``` - `--comment` posts a Markdown findings summary back on the PR. - `--jira` also opens a card per finding (needs Jira configured). - **Watch a branch** and re-review on every new commit: ```bash neurosploit watch myorg/private-app --branch main --interval 300 \ --subscription --model anthropic:claude-opus-4-8 ``` It polls the branch tip via the GitHub API and runs a white-box review whenever the SHA changes (Ctrl-C to stop). **GitHub Enterprise:** `/integrations setup github` and set the API base to your GHE URL (e.g. `https://ghe.mycorp.com/api/v3`). --- ## 4. GitLab **a. Create a token.** GitLab → *Preferences → Access Tokens* (or a project/group token) with the **`read_repository`** scope (add `api` if you want more later). **b. Export it and enable:** ```bash export GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx neurosploit integrations enable gitlab # self-hosted? set the base: # /integrations setup gitlab → https://gitlab.mycorp.com ``` **c. Review a private GitLab repo** (token-injected clone, works in whitebox & greybox): ```bash neurosploit whitebox https://gitlab.com/myorg/private-svc \ --subscription --model anthropic:claude-opus-4-8 -v ``` > To review a specific Merge Request, check out its source branch and point > `whitebox` at that clone, or pass the MR source branch URL. --- ## 5. Jira **a. Create an API token.** https://id.atlassian.com/manage-profile/security/api-tokens → *Create API token*. Note the email of the Atlassian account that owns it. **b. Export credentials:** ```bash export JIRA_EMAIL=you@yourorg.com export JIRA_API_TOKEN=xxxxxxxxxxxxxxxxxxxx ``` **c. Configure base URL + project (once):** ``` # in the REPL: /integrations setup jira Jira base URL (https://your-org.atlassian.net): https://yourorg.atlassian.net Jira project key (e.g. SEC): SEC Issue type [Bug]: Bug ``` This enables Jira and saves the base URL / project key / issue type to `.neurosploit/integrations.json` (no secrets). **d. Open cards.** Add `--jira` to any engagement (or `pr` / `watch`). One card is created per **validated** finding, with severity, CVSS, CWE, location, PoC, evidence and remediation: ```bash neurosploit whitebox https://github.com/myorg/app --jira \ --subscription --model anthropic:claude-opus-4-8 -v ``` The created issue keys are printed (e.g. `🪪 Jira cards opened: SEC-481, SEC-482`). > Uses the Jira REST API (`POST /rest/api/2/issue`) with Basic auth > (`JIRA_EMAIL` : `JIRA_API_TOKEN`). The `issuetype` must exist in your project > (use `Vulnerability` if your project defines it). --- ## 6. Recipes **PR gate in CI** (block a PR if Critical/High findings appear): ```bash export GITHUB_TOKEN=... # CI secret neurosploit integrations enable github neurosploit pr "$REPO" "$PR_NUMBER" --model anthropic:claude-opus-4-8 --comment --jira ``` **Nightly drift review** of a private app, filing Jira cards: ```bash neurosploit integrations enable github neurosploit integrations enable jira neurosploit watch myorg/app --branch main --interval 3600 --jira \ --model anthropic:claude-opus-4-8 ``` **Local private-repo audit** (no PR), cards to Jira: ```bash neurosploit whitebox https://github.com/myorg/app --jira \ --subscription --model anthropic:claude-opus-4-8 -v ``` --- ## 7. Troubleshooting - **`⚠ token env not set`** — the integration is enabled but the env var isn't exported in this shell. Export it (`export GITHUB_TOKEN=...`) and re-run. - **`git clone failed` on a private repo** — confirm the token scope (`repo` / `read_repository`) and that the integration is enabled (`neurosploit integrations`). The token is only injected when the matching integration is on. - **`jira create failed: 400`** — the `issuetype` name doesn't exist in the project, or a required field is enforced. Try `Bug`, or set your project's type via `/integrations setup jira`. - **`jira ... not set`** — export `JIRA_EMAIL` and `JIRA_API_TOKEN`. - **GitHub comment fails (403/404)** — the token needs *Pull requests: write* (fine-grained) or `repo` (classic), and you must have access to the repo. - **Tokens in CI** — pass them as masked secrets; NeuroSploit never logs or stores token values.