Skip to main content
Osmedeus provides 140+ utility functions via a Goja JavaScript runtime. Functions can be used in workflow steps, conditions, and evaluated from the CLI or API.

Usage

In Steps

- name: log-start
  type: function
  function: log_info("Scanning {{target}}")

- name: check-file
  type: function
  functions:
    - log_info("Checking files")
    - file_exists("{{Output}}/data.txt")

In Conditions

- name: scan
  type: bash
  pre_condition: 'file_length("{{Output}}/hosts.txt") > 0'
  command: nuclei -l {{Output}}/hosts.txt

In Flow Conditions

modules:
  - name: vuln-scan
    path: modules/vuln.yaml
    condition: 'file_exists("{{Output}}/live.txt")'

Function Step Types

Single Function

- name: log
  type: function
  function: log_info("Message")

Multiple Functions (Sequential)

- name: setup
  type: function
  functions:
    - log_info("Step 1")
    - log_info("Step 2")
    - log_info("Step 3")

Parallel Functions

- name: parallel-checks
  type: function
  parallel_functions:
    - file_length("{{Output}}/file1.txt")
    - file_length("{{Output}}/file2.txt")
    - file_length("{{Output}}/file3.txt")

Return Values

Functions return values that can be:

Used in Exports

- name: count-lines
  type: function
  function: file_length("{{Output}}/hosts.txt")
  exports:
    host_count: "{{result}}"

Used in Conditions

- name: scan
  type: bash
  pre_condition: 'file_length("{{Output}}/hosts.txt") > 0'
  command: scan {{Output}}/hosts.txt

Used in Decision Routing

- name: check
  type: function
  function: file_exists("{{Output}}/critical.txt")
  exports:
    has_critical: "{{result}}"
  decision:
    switch: "{{has_critical}}"
    cases:
      "true": { goto: handle-critical }
    default: { goto: continue-normal }

CLI Evaluation

Basic Evaluation

# List all functions
osmedeus func list

# Evaluate a function
osmedeus func e 'file_exists("/path/to/file")'

# With target variable
osmedeus func e 'log_info("Scanning " + target)' -t example.com

# With custom parameters
osmedeus func e 'log_info(prefix + target)' -t example.com --params 'prefix=test_'

Script Source Priority

The CLI determines the script to execute in this order:
  1. --function-file - Read script from file
  2. -f/--function - Function name with remaining args as arguments
  3. Positional argument - Direct expression after e or eval
  4. -e/--eval - Script via flag
  5. --stdin - Read from stdin

Bulk Processing

Process multiple targets from a file: 
# Process targets from file
osmedeus func e 'log_info("Processing: " + target)' -T targets.txt

# With concurrency
osmedeus func e 'http_get("https://" + target)' -T targets.txt -c 10

# Using function files
osmedeus func e --function-file check.js -T targets.txt -c 5

# With parameters
osmedeus func e 'log_info(prefix + target)' -T targets.txt --params 'prefix=test_' -c 5

Function List Options

# List all functions
osmedeus func list

# Search/filter functions
osmedeus func list -s "event"
osmedeus func list -s "file"

# Show examples
osmedeus func list --example

# Custom column width
osmedeus func list --width 80

API Evaluation

Evaluate functions via REST API: 
curl -X POST http://localhost:8002/osm/api/functions/eval \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"script": "file_length(\"/path/to/file\")"}'
List available functions: 
curl http://localhost:8002/osm/api/functions/list \
  -H "Authorization: Bearer $TOKEN"

Context Variables

Functions have access to execution context: 
// Built-in variables are available
log_info("Target: " + target)
log_info("Output: " + "{{Output}}")

// Exports from previous steps
log_info("Previous result: " + "{{previous_export}}")

Error Handling

Functions that fail don’t stop workflow execution unless you configure error handling: 
- name: risky-function
  type: function
  function: read_file("/possibly/missing/file.txt")
  on_error:
    - action: log
      message: "Function failed"
    - action: continue

Function Categories

Osmedeus provides 140+ functions organized into 24 categories:
CategoryDescriptionCount
FileFile/directory operations, grep, glob20
StringString manipulation, regex matching15
Type ConversionParse/convert between types4
Type DetectionDetect input types (file, url, ip, etc.)1
UtilityGeneral utilities (len, exec, sleep)9
LoggingLog messages with level prefixes4
Color PrintingColored terminal output4
Runtime VariablesGet/set runtime variables2
HTTPHTTP requests and IP resolution4
GenerationRandom strings and UUIDs2
EncodingBase64 encode/decode2
Data QueryJQ-style JSON querying2
NotificationTelegram and webhook notifications4
Event GenerationStructured event generation2
CDN/StorageCloud storage operations (S3-compatible)9
Unix CommandsWrappers for sort, wget, git, tar, etc.10
Archive (Go)Pure Go zip/unzip implementations2
DiffFile comparison and diff extraction1
OutputSave content, JSONL/CSV conversion5
URL ProcessingURL deduplication and filtering1
MarkdownMarkdown rendering and conversion6
DatabaseAsset/vuln import, queries, stats42
InstallerDownload packages via go-getter/Nix3
EnvironmentEnvironment variable operations2

Best Practices

  1. Use functions for conditions 
    pre_condition: 'file_exists("{{Output}}/input.txt")'
  2. Log meaningful messages 
    function: log_info("Found " + host_count + " hosts for {{Target}}")
  3. Export function results 
    exports:
  line_count: "{{result}}"
  4. Handle missing files gracefully 
    pre_condition: 'file_exists("{{Output}}/data.txt")'
  5. Use appropriate logging levels
    • log_debug for verbose debugging
    • log_info for informational messages
    • log_warn for warnings
    • log_error for errors
  6. Leverage bulk processing for testing 
    # Test a function against many targets
osmedeus func e 'http_get("https://" + target + "/api/health")' -T domains.txt -c 20

Next Steps