ci: integrate Bright CI pipeline for security tests and remediation [qwen3-768; 161 eps; max-tokens-limit]

.brightsec/tests/get-rest-chatbot-status.test.ts

@@ -0,0 +1,36 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/chatbot/status', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['jwt'],
+      attackParamLocations: [AttackParamLocation.HEADER],
+      starMetadata: {}
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.GET,
+      url: `${baseUrl}/rest/chatbot/status`,
+      headers: { 'Authorization': 'Bearer <token>' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/get-rest-products-search.test.ts

@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/products/search?q=:query', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['sqli'],
+      attackParamLocations: [AttackParamLocation.QUERY],
+      starMetadata: {}
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.GET,
+      url: `${baseUrl}/rest/products/search?q=apple`,
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/get-rest-user-authentication-details.test.ts

@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/user/authentication-details', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['jwt'],
+      attackParamLocations: [AttackParamLocation.QUERY, AttackParamLocation.HEADER],
+      starMetadata: {}
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.GET,
+      url: `${baseUrl}/rest/user/authentication-details`,
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/post-api-addresss.test.ts

@@ -0,0 +1,43 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['id_enumeration'],
+      attackParamLocations: [AttackParamLocation.BODY],
+      starMetadata: {}
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.POST,
+      url: `${baseUrl}/api/Addresss`,
+      body: {
+        UserId: 123,
+        street: '123 Main St',
+        city: 'Metropolis',
+        state: 'NY',
+        zip: '12345'
+      },
+      headers: { 'Content-Type': 'application/json' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/post-api-products.test.ts

@@ -0,0 +1,46 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/products', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['sqli'],
+      attackParamLocations: [AttackParamLocation.BODY, AttackParamLocation.HEADER],
+      starMetadata: {}
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.POST,
+      url: `${baseUrl}/api/Products`,
+      body: {
+        name: 'Sample Product',
+        description: 'A sample product description.',
+        price: 19.99,
+        deluxePrice: 29.99,
+        image: 'sample-image.png'
+      },
+      headers: {
+        'Content-Type': 'application/json',
+        'X-Recruiting': '<recruiting@example.com>'
+      },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/post-rest-products-reviews.test.ts

@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['nosql'],
+      attackParamLocations: [AttackParamLocation.BODY],
+      starMetadata: {}
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.POST,
+      url: `${baseUrl}/rest/products/reviews`,
+      body: {
+        message: 'Great product!',
+        author: 'user@example.com'
+      },
+      headers: { 'Content-Type': 'application/json' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.github/workflows/bright.yml

@@ -0,0 +1,63 @@
+name: Bright
+on:
+  pull_request:
+    branches:
+      - '**'
+
+permissions:
+  checks: write
+  contents: read
+  id-token: write
+
+jobs:
+  test:
+    name: test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js 22.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+
+      - name: Install application dependencies
+        run: |
+          npm install --ignore-scripts
+          cd frontend
+          npm install --ignore-scripts --legacy-peer-deps
+
+      - name: Build Docker image and start application
+        run: |
+          docker build -t juice-shop .
+          docker run -d -p 3000:3000 --name juice-shop-app juice-shop
+
+      - name: Wait for application to be ready
+        run: |
+          until nc -zv 127.0.0.1 3000; do
+            echo "Waiting for application to be ready..."
+            sleep 5
+          done
+
+      - name: Set up Node.js latest
+        uses: actions/setup-node@v4
+        with:
+          node-version: '>=22'
+
+      - name: Install SecTesterJS dependencies
+        run: npm i --save=false --prefix .brightsec @sectester/core @sectester/repeater @sectester/scan @sectester/runner @sectester/reporter
+
+      - name: Run security tests
+        env:
+          BRIGHT_HOSTNAME: ${{ vars.BRIGHT_HOSTNAME }}
+          BRIGHT_PROJECT_ID: ${{ vars.BRIGHT_PROJECT_ID }}
+          BRIGHT_AUTH_ID: ${{ vars.BRIGHT_AUTH_ID }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }}
+          BRIGHT_TARGET_URL: http://127.0.0.1:3000
+        run: |
+          node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=4 --test .brightsec/tests/*.test.ts
+
+      - name: Clean up
+        run: docker stop juice-shop-app && docker rm juice-shop-app

.github/workflows/ci.yml

@@ -1,22 +1,25 @@
 name: "CI/CD Pipeline"
 on:
-  push:
-    branches-ignore:
-      - l10n_develop
-      - gh-pages
-    paths-ignore:
-      - '*.md'
-      - 'LICENSE'
-      - 'monitoring/grafana-dashboard.json'
-      - 'screenshots/**'
-    tags-ignore:
-      - '*'
-  pull_request:
-    paths-ignore:
-      - '*.md'
-      - 'LICENSE'
-      - 'data/static/i18n/*.json'
-      - 'frontend/src/assets/i18n/*.json'
+  workflow_dispatch:
+# on:
+#   push:
+#     branches-ignore:
+#       - l10n_develop
+#       - gh-pages
+#     paths-ignore:
+#       - '*.md'
+#       - 'LICENSE'
+#       - 'monitoring/grafana-dashboard.json'
+#       - 'screenshots/**'
+#     tags-ignore:
+#       - '*'
+#   pull_request:
+#     paths-ignore:
+#       - '*.md'
+#       - 'LICENSE'
+#       - 'data/static/i18n/*.json'
+#       - 'frontend/src/assets/i18n/*.json'
+
 env:
   NODE_DEFAULT_VERSION: 22
   NODE_OPTIONS: "--max_old_space_size=4096"
@@ -40,18 +43,8 @@ jobs:
         run: npm run lint
       - name: "Lint customization configs"
         run: >
-          npm run lint:config -- -f ./config/7ms.yml &&
-          npm run lint:config -- -f ./config/addo.yml &&
-          npm run lint:config -- -f ./config/bodgeit.yml &&
-          npm run lint:config -- -f ./config/ctf.yml &&
-          npm run lint:config -- -f ./config/default.yml &&
-          npm run lint:config -- -f ./config/fbctf.yml &&
-          npm run lint:config -- -f ./config/juicebox.yml &&
-          npm run lint:config -- -f ./config/mozilla.yml &&
-          npm run lint:config -- -f ./config/oss.yml &&
-          npm run lint:config -- -f ./config/quiet.yml &&
-          npm run lint:config -- -f ./config/tutorial.yml &&
-          npm run lint:config -- -f ./config/unsafe.yml
+          npm run lint:config -- -f ./config/7ms.yml && npm run lint:config -- -f ./config/addo.yml && npm run lint:config -- -f ./config/bodgeit.yml && npm run lint:config -- -f ./config/ctf.yml && npm run lint:config -- -f ./config/default.yml && npm run lint:config -- -f ./config/fbctf.yml && npm run lint:config -- -f ./config/juicebox.yml && npm run lint:config -- -f ./config/mozilla.yml && npm run lint:config -- -f ./config/oss.yml && npm run lint:config -- -f ./config/quiet.yml && npm run lint:config -- -f ./config/tutorial.yml && npm run lint:config -- -f ./config/unsafe.yml
+
   coding-challenge-rsn:
     runs-on: windows-latest
     steps:
@@ -184,17 +177,8 @@ jobs:
           timeout_minutes: 30
           max_attempts: 3
           command: >
-            NODE_ENV=7ms npm run test:server &&
-            NODE_ENV=addo npm run test:server &&
-            NODE_ENV=bodgeit npm run test:server &&
-            NODE_ENV=ctf npm run test:server &&
-            NODE_ENV=fbctf npm run test:server &&
-            NODE_ENV=juicebox npm run test:server &&
-            NODE_ENV=mozilla npm run test:server &&
-            NODE_ENV=oss npm run test:server &&
-            NODE_ENV=quiet npm run test:server &&
-            NODE_ENV=tutorial npm run test:server &&
-            NODE_ENV=unsafe npm run test:server
+            NODE_ENV=7ms npm run test:server && NODE_ENV=addo npm run test:server && NODE_ENV=bodgeit npm run test:server && NODE_ENV=ctf npm run test:server && NODE_ENV=fbctf npm run test:server && NODE_ENV=juicebox npm run test:server && NODE_ENV=mozilla npm run test:server && NODE_ENV=oss npm run test:server && NODE_ENV=quiet npm run test:server && NODE_ENV=tutorial npm run test:server && NODE_ENV=unsafe npm run test:server
+
   e2e:
     runs-on: ${{ matrix.os }}
     strategy: