The SecTester shard has been released, with v1.1.0 being the latest! The shard allows you to run security tests as part of the Specs flow, integrating a comprehensive security scanner directly into the development process.
What do we got?

- New formatting of issues
- New options for spec control
```crystal
require "http/server"
require "sec_tester"

it "tests my app for XSS" do
  # Minimal server that reflects the `name` query parameter into the HTML body unescaped
  server = HTTP::Server.new do |context|
    name = URI.decode_www_form(context.request.query_params["name"]?.to_s)
    context.response.content_type = "text/html"
    context.response << <<-EOF
      <html>
      <body>
      <h1>Hello, world!</h1>
      <p>#{name}</p>
      </body>
      </html>
      EOF
  end
  addr = server.bind_unused_port
  spawn do
    server.listen
  end

  # Point the scanner at the running server and run the XSS check
  tester = SecTester::Test.new
  tester.run_check(
    scan_name: "UnitTestingScan - XSS",
    test_name: "xss",
    target: SecTester::Target.new("http://#{addr}/?name=jhon")
  )
ensure
  server.try &.close
  tester.try &.cleanup
end
```
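As an added example (not code from the announcement or from the shard itself), here is the hardened counterpart of the handler above: the reflected parameter is passed through Crystal's `HTML.escape` before it reaches the response body, which is the fix the XSS check is meant to drive. The first spec runs the same `SecTester::Test`/`run_check` call shown above and assumes a `NEXPLOIT_TOKEN` is available as in the CI example; the second spec is a plain offline check with `HTTP::Client` that needs no scanner at all. The helper name `hardened_server` and the `<script>` probe value are my own.

```crystal
require "html"
require "http/client"
require "http/server"
require "sec_tester"

# Added example: same shape as the handler in the announcement, but the
# user-controlled value is HTML-escaped, so <, >, &, " and ' are neutralised.
def hardened_server : HTTP::Server
  HTTP::Server.new do |context|
    raw_name = URI.decode_www_form(context.request.query_params["name"]?.to_s)
    name = HTML.escape(raw_name)
    context.response.content_type = "text/html"
    context.response << <<-EOF
      <html>
      <body>
      <h1>Hello, world!</h1>
      <p>#{name}</p>
      </body>
      </html>
      EOF
  end
end

it "does not reflect unescaped input (XSS check should pass)" do
  server = hardened_server
  addr = server.bind_unused_port
  spawn { server.listen }

  # Same check as in the announcement; assumes NEXPLOIT_TOKEN is set in the environment
  tester = SecTester::Test.new
  tester.run_check(
    scan_name: "UnitTestingScan - XSS (escaped)",
    test_name: "xss",
    target: SecTester::Target.new("http://#{addr}/?name=jhon")
  )
ensure
  server.try &.close
  tester.try &.cleanup
end

it "escapes markup in the reflected parameter (offline check)" do
  server = hardened_server
  addr = server.bind_unused_port
  spawn { server.listen }

  # Constructed probe value: a harmless tag that must come back entity-encoded
  probe = URI.encode_www_form("<script>")
  body = HTTP::Client.get("http://#{addr}/?name=#{probe}").body

  body.includes?("&lt;script&gt;").should be_true
  body.includes?("<script>").should be_false
ensure
  server.try &.close
end
```

The offline spec is useful as a fast regression guard next to the scanner-backed one: it fails immediately if someone removes the `HTML.escape` call, without waiting on a scan.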
Example of usage in the CI:

```yaml
steps:
  - name: Install npm and Repeater
    run: |
      apt update
      apt-get install -y libnode-dev node-gyp libssl-dev
      apt-get install -y nodejs npm
      npm install -g @neuralegion/nexploit-cli --unsafe-perm=true
  - name: Run tests
    env:
      NEXPLOIT_TOKEN: ${{ secrets.NEXPLOIT_TOKEN }}
    run: crystal spec
```