ci: integrate Bright CI pipeline for security testing and remediation

.brightsec/tests/get-api-goto.test.ts

@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/goto', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['unvalidated_redirect'],
+      attackParamLocations: [AttackParamLocation.QUERY],
+      starMetadata: { databases: ['PostgreSQL'] }
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.GET,
+      url: `${baseUrl}/api/goto?url=https://google.com`
+    });
+});

.brightsec/tests/get-api-products-latest.test.ts

@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /api/products/latest', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['business_constraint_bypass'],
+      attackParamLocations: [AttackParamLocation.QUERY],
+      starMetadata: { databases: ['PostgreSQL'] },
+      skipStaticParams: false
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.GET,
+      url: `${baseUrl}/api/products/latest?limit=3`
+    });
+});

.brightsec/tests/get-graphql.test.ts

@@ -0,0 +1,34 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /graphql', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['graphql_introspection'],
+      attackParamLocations: [AttackParamLocation.QUERY],
+      starMetadata: { databases: ['PostgreSQL'] }
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.GET,
+      url: `${baseUrl}/graphql?query={test}`
+    });
+});

.brightsec/tests/post-graphql-view-product.test.ts

@@ -0,0 +1,39 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /graphql viewProduct', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['graphql_introspection'],
+      attackParamLocations: [AttackParamLocation.BODY],
+      starMetadata: { databases: ['PostgreSQL'] }
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.POST,
+      url: `${baseUrl}/graphql`,
+      body: {
+        query: "mutation viewProduct($productName: String!) { viewProduct(productName: $productName) }",
+        variables: { productName: "Sample Product" }
+      },
+      headers: { 'Content-Type': 'application/json' }
+    });
+});

.github/workflows/bright.yml

@@ -0,0 +1,69 @@
+name: Bright
+
+on:
+  pull_request:
+    branches:
+      - '**'
+
+permissions:
+  checks: write
+  contents: read
+  id-token: write
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js 18.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18.x
+
+      - name: Install application dependencies
+        run: npm ci --no-audit
+
+      - name: Start application
+        env:
+          CHAT_API_MAX_TOKENS: 200
+          CHAT_API_MODEL: smollm:135m
+          CHAT_API_TOKEN: ""
+          CHAT_API_URL: http://ollama:11434/v1/chat/completions
+          KC_BOOTSTRAP_ADMIN_PASSWORD: Pa55w0rd
+          KC_BOOTSTRAP_ADMIN_USERNAME: admin
+          KC_DB: postgres
+          KC_DB_PASSWORD: password
+          KC_DB_URL: jdbc:postgresql://keycloak-db:5432/keycloak
+          KC_DB_USERNAME: keycloak
+          POSTGRES_DB: bc
+          POSTGRES_PASSWORD: bc
+          POSTGRES_USER: bc
+          URL: http://localhost:3000
+        run: docker compose -f compose.local.yml up --wait
+
+      - name: Verify application readiness
+        run: |
+          until nc -zv 127.0.0.1 3000; do
+            echo "Waiting for application to be ready..."
+            sleep 5
+          done
+
+      - name: Setup Node.js 22.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+
+      - name: Install SecTesterJS dependencies
+        run: npm i --save=false --prefix .brightsec @sectester/core @sectester/repeater @sectester/scan @sectester/runner @sectester/reporter
+
+      - name: Run security tests
+        env:
+          BRIGHT_HOSTNAME: ${{ vars.BRIGHT_HOSTNAME }}
+          BRIGHT_PROJECT_ID: ${{ vars.BRIGHT_PROJECT_ID }}
+          BRIGHT_AUTH_ID: ${{ vars.BRIGHT_AUTH_ID }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }}
+          BRIGHT_TARGET_URL: http://127.0.0.1:3000
+        run: node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=4 --test .brightsec/tests/*.test.ts

.github/workflows/build_and_push_stable.yml

@@ -1,41 +1,37 @@
 name: "Build and Push Docker Image (On Push to Stable)"
-
 on:
-  push:
-    branches:
-      - stable
+  workflow_dispatch:
+# on:
+#   push:
+#     branches:
+#       - stable
 
 jobs:
   docker-build-push:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
       - name: Login to DockerHub
         run: |
           docker login --username=${{ vars.DOCKERHUB_DULL_USER }} --password=${{ secrets.DOCKERHUB_DULL_TOKEN }}
-
       - name: Generate timestamp
         id: timestamp
         run: echo "TIMESTAMP=$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV
-
       - name: Generate short SHA
         id: sha
         run: echo "SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-6)" >> $GITHUB_ENV
-
       - name: Build and tag Docker images
         run: |
           for TAG_PREFIX in stable unstable; do
             docker build -t bramkor/pureflow:${TAG_PREFIX} .
             docker tag bramkor/pureflow:${TAG_PREFIX} bramkor/pureflow:${TAG_PREFIX}-${{ env.SHORT_SHA }}
             docker tag bramkor/pureflow:${TAG_PREFIX} bramkor/pureflow:${TAG_PREFIX}-${{ env.SHORT_SHA }}-${{ env.TIMESTAMP }}
           done
-
       - name: Push Docker images
-        run: |
+        run: |-
           for TAG_PREFIX in stable unstable; do
             docker push bramkor/pureflow:${TAG_PREFIX}
             docker push bramkor/pureflow:${TAG_PREFIX}-${{ env.SHORT_SHA }}
             docker push bramkor/pureflow:${TAG_PREFIX}-${{ env.SHORT_SHA }}-${{ env.TIMESTAMP }}
-          done
+          done

.github/workflows/build_and_push_unstable.yml

@@ -1,31 +1,29 @@
 name: "Build and Push Docker Image (Manual)"
 on:
   workflow_dispatch:
-    inputs:
-      tag_prefix:
-        description: 'Tag prefix to use (defaults to unstable)'
-        required: false
-        default: 'unstable'
+# on:
+#   workflow_dispatch:
+#     inputs:
+#       tag_prefix:
+#         description: 'Tag prefix to use (defaults to unstable)'
+#         required: false
+#         default: 'unstable'
 
 jobs:
   docker-build-push:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
       - name: Login to DockerHub
         run: |
           docker login --username=${{ vars.DOCKERHUB_DULL_USER }} --password=${{ secrets.DOCKERHUB_DULL_TOKEN }}
-
       - name: Generate timestamp
         id: timestamp
         run: echo "TIMESTAMP=$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV
-
       - name: Generate short SHA
         id: sha
         run: echo "SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-6)" >> $GITHUB_ENV
-
       - name: Set tag prefix
         id: set_tag_prefix
         run: |
@@ -36,13 +34,11 @@ jobs:
             TAG_PREFIX="${{ github.event.inputs.tag_prefix }}"
           fi
           echo "TAG_PREFIX=${TAG_PREFIX}" >> $GITHUB_ENV
-
       - name: Build Docker image
         run: |
           docker build -t dull/pureflow:${{ env.TAG_PREFIX }} .
           docker tag dull/pureflow:${{ env.TAG_PREFIX }} brdullc/pureflow:${{ env.TAG_PREFIX }}-${{ env.SHORT_SHA }}
           docker tag dull/pureflow:${{ env.TAG_PREFIX }} brdullc/pureflow:${{ env.TAG_PREFIX }}-${{ env.SHORT_SHA }}-${{ env.TIMESTAMP }}
-
       - name: Push Docker images
         run: |
           docker push dull/pureflow:${{ env.TAG_PREFIX }}

.github/workflows/check-client.yml

@@ -1,26 +1,23 @@
 name: "React Front-End CI checks"
-
 on:
-  pull_request:
-    branches:
-      - '**'
-
-  push:
-    branches:
-      - stable
-      - unstable
-
-    paths:
-      - 'client/**'
-      - '.github/workflows/*client.yml'
+  workflow_dispatch:
+# on:
+#   pull_request:
+#     branches:
+#       - '**'
+#   push:
+#     branches:
+#       - stable
+#       - unstable
+#     paths:
+#       - 'client/**'
+#       - '.github/workflows/*client.yml'
 
 env:
   HUSKY: 0
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 jobs:
   check:
     runs-on: ubuntu-latest
@@ -30,23 +27,17 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-
       - name: Setup Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-
       - name: Disable prepare script (husky)
         run: npm pkg delete scripts.prepare
-
       - name: Install dependencies
         run: npm ci --prefix=client --no-audit
-
       - name: Check format
         run: npm run format --prefix=client
-
       - name: Lint
         run: npm run lint --prefix=client
-
       - name: Build
         run: npm run build --prefix=client