Skip to content

An example of how Nuclei can be used in a simple CI/CD pipeline as early in the SDLC as possible

License

Notifications You must be signed in to change notification settings

RemakingEden/Nuclei-Shift-Left-POC

Repository files navigation

Shift Left Nuclei POC

Open in Visual Studio Code

This repo accompanies a blog post which you can find here Shifting Left with Nuclei: A Tester's Experience.

It is a clone of a REST API I created with the addition of Nuclei to try to understand it a little more, the original repo is here.

In this repo I have implemented Nuclei the really interesting DAST (Dynamic Application Security Testing) tool.

I have often looked at DAST tools and saw how complicated they can be with shift left ideas. At their core they often want to be ran in as realistic an environment as possible but running these in pre-prod/prod can lead to a weird roll back situation needed. Although this could be very useful to test how the application is deployed etc.

In this repo I want to look at taking Nuclei and DAST to as early a point as possible and seeing how much value can be gained. I will be entirely hand writing templates to look for common security misconfigurations in an API.

Below is the content from the origin README detailing how to use the REST API.


Eden is a mock plant shop. It is an example of a very basic REST API with integration tests. My hope is to make a test framework that can be scaled.

Installation

Ensure you have Node & NPM installed.

npm install
docker-compose up -d

Usage

See the package.json for all available commands

# Set up the database

# Create the db
npm run db:create

# Set up the tables
npm run migrate

# Set up some very basic seeded data 
npm run seed
# General server use

# Start the server using nodemon
npm start 

# returns all plants
curl localhost:3000/api/plants

# returns a specific plant
curl localhost:3000/api/plants/1

# Adds a plant to the db
curl -X POST localhost:3000/api/plants\
    -H 'Content-Type: application/json'\
   -d '{"species": "Boston Fern","colour": "Green","size": "S","season": true}'

# Update a plant in the db
curl -X PUT localhost:3000/api/plants/1\
    -H 'Content-Type: application/json'\
   -d '{"species": "Cactus","colour": "Purple","size": "L","season": false}'

# Delete a plant in the db
curl -X DELETE localhost:3000/api/plants/1
# Using the test suite

# Run all tests
npm test

# Update the snapshots
npm test -- -u

# Start Jest in interactive watch mode
npm test -- --watch

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

License

MIT

About

An example of how Nuclei can be used in a simple CI/CD pipeline as early in the SDLC as possible

Resources

License

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •