Generate apps with SecTester #743
Conversation
| require "lucky_sec_tester" | ||
|
|
||
| # Signup for a `NEXTPLOT_TOKEN` at | ||
| # [NeuraLegion](https://app.neuralegion.com/signup) |
There was a problem hiding this comment.
The company name is now called Bright, but as of this comment, the Github org and this URL are still pointed to NeuraLegion... I don't want to confuse people, so this will need to change once the company's name is fully moved over.
|
@jwoertink if we need to configure the API key for Lucky let me know and I can make sure the Lucky Org in Bright app has multiple engines to run all needed parallel scans :) |
|
Is SecTester free for private source? |
|
@grepsedawk yeha :) you can signup for an API key for free https://app.neuralegion.com/signup |
| @@ -17,7 +17,7 @@ describe "Initializing a new web project" do | |||
| File.delete("test-project/.env") | |||
| compile_and_run_specs_on_test_project | |||
| File.read("test-project/Procfile").should contain "test_project" | |||
| File.read(".github/workflows/ci.yml").should contain "postgres" | |||
| File.read("test-project/.github/workflows/ci.yml").should contain "postgres" | |||
There was a problem hiding this comment.
turns out this has been wrong for a while 😅
…them so they only run for the CI
|
@jwoertink I saw you're using node12 which should be OK, I verified in the docs that it's supported: https://docs.brightsec.com/docs/installation-options#npm So anything 10-14 should be good, I also looked for the |
|
That touch happens on the LuckySecTester shard itself Since that shard doesn't actually need to run any nexploit checks. I can use a newer version of node, but it just seems like the |
|
@jwoertink can we try and re-run using latest luckyframework/lucky_sec_tester@346ceb3 ? |
… we turn down to medium threshold. Also pussing a full URL to the Target for the javascript checks
| scan_with_cleanup do |scanner| | ||
| api_headers = HTTP::Headers{"Content-Type" => "application/json", "Accept" => "application/json"} | ||
| target = scanner.build_target(Api::SignIns::Create, headers: api_headers) do |t| | ||
| t.body = {"user" => {"email" => "aa%40aa.com", "password" => "123456789"}}.to_json |
There was a problem hiding this comment.
@jwoertink as this is a JSON API call, do we actually need to encode the @ here?
|
it's green!!! |
| - uses: actions/setup-node@v3.1.0 | ||
| with: | ||
| node-version: "12.x" |
There was a problem hiding this comment.
Just use the node that comes installed on ubuntu-latest
| push: | ||
| branches: [main] | ||
| pull_request: |
There was a problem hiding this comment.
This was causing this to run on every single commit. It should be a separate PR, but I needed it to quiet down with all the testing.
.github/workflows/weekly.yml
Outdated
| - uses: actions/setup-node@v3.1.0 | ||
| with: | ||
| node-version: "12.x" |
There was a problem hiding this comment.
this actually needs to go away
| @@ -0,0 +1,23 @@ | |||
| require "../spec_helper" | |||
|
|
|||
| {% if env("RUN_SEC_TESTER_SPECS") == "1" %} | |||
There was a problem hiding this comment.
Anyone that wants to run this spec locally would need a Bright API key... That's not really going to happen, so we can treat this like the Heroku specs. As long as this spec passes in CI, and the rest pass locally, we should be fine
|
Amazing work @jwoertink! 🟢 light! |
| @@ -22,7 +22,7 @@ print_done | |||
| <%- end -%> | |||
|
|
|||
| notice "Installing shards" | |||
| shards install | indent | |||
| shards install --ignore-crystal-version | indent | |||
There was a problem hiding this comment.
Is this a "hey i need this to work for now" contribution which should be removed? Or should this be kept in?
There was a problem hiding this comment.
This was a tough one... Without it, all tests again < 1.2.2 fail because of https://github.com/luckyframework/lucky_sec_tester/blob/346ceb3567110e433863dd1997afcec6243db3e5/shard.yml#L7 That's an easy one to drop down, but then we can only drop down to 1.1.1 https://github.com/NeuraLegion/sec_tester/blob/9db160150b4cc15ebb6d6722a25ee55a5c5af3ce/shard.yml#L7 and CLI tests against 1.0.0
lucky_cli/.github/workflows/ci.yml
Line 35 in 89be926
Do I just raise the min test to 1.1.1 for CLI since 1.4 comes out tomorrow? Then I could update the other shard, and remove this
There was a problem hiding this comment.
Alright, I updated the LuckySecTester to be >=1.1.1. It would still fail due to checking 1.0.0. So I still have to either use the flag, or drop 1.0.0 support 🤔 I'm sort of ok with going with the latter. I feel like once 1.4.0 drops, few people will be wanting to upgrade Lucky and continue using 1.0.0....
There was a problem hiding this comment.
I don't have any reason not to have this flag in there, I was just curious. It's complicated, and I get that.
Fixes #740
Right now this is in WIP to get things rolling, but a few questions still need answering...
Major parts left to handle:
NEXPLOIT_TOKENto exist, and it doesn't. Also, even if we did, this would end up connecting to Bright on each PR, and nightly run.-Dwith_sec_tests, but only if you've added that in./cc. @bararchy