RemakingEden/Nuclei-Shift-Left-POC

Shift Left Nuclei POC

This repo accompanies a blog post, which you can find here: Shifting Left with Nuclei: A Tester's Experience.

It is a clone of a REST API I created, with Nuclei added so that I could understand the tool a little better; the original repo is here.

In this repo I have implemented Nuclei, the really interesting DAST (Dynamic Application Security Testing) tool.

I have often looked at DAST tools and seen how awkwardly they fit with shift-left ideas. At their core they want to be run in as realistic an environment as possible, but running them against pre-prod/prod can leave you needing an awkward rollback, even though it can be very useful for testing how the application is actually deployed.

In this repo I want to take Nuclei and DAST to as early a point in the pipeline as possible and see how much value can be gained. I will be entirely hand-writing templates to look for common security misconfigurations in an API.
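As an illustration of the kind of hand-written template described above, here is an added example (not one of this repo's own templates) that checks the plants endpoint for a common API misconfiguration: a 200 response served without an X-Content-Type-Options: nosniff header. The template id, author and tags are assumed values chosen for this example; the `http:` key is the current template syntax (older Nuclei releases used `requests:`).

```yaml
# Added example, not one of the repo's templates: flags GET /api/plants when it
# answers 200 but does not send "X-Content-Type-Options: nosniff".
id: eden-api-missing-nosniff   # assumed id, chosen for this example

info:
  name: Eden plants API - missing X-Content-Type-Options header
  author: example-author       # assumed value
  severity: low
  description: >
    GET /api/plants returned 200 without an "X-Content-Type-Options: nosniff"
    header, so a browser may MIME-sniff the JSON response.
  tags: eden,api,headers,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/plants"

    # Both matchers must hold for the finding to be reported.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Negated word matcher: matches only when the header name is absent.
      - type: word
        part: header
        words:
          - "X-Content-Type-Options"
        case-insensitive: true
        negative: true
```

With the API running locally (npm start), run it with `nuclei -t eden-api-missing-nosniff.yaml -u http://localhost:3000`; a hit means the endpoint is missing the header.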

Below is the content from the original README detailing how to use the REST API.


Eden is a mock plant shop. It is an example of a very basic REST API with integration tests. My hope is to make a test framework that can be scaled.

Installation

Ensure you have Node & NPM installed.

npm install
docker-compose up -d

Usage

See the package.json for all available commands.

# Set up the database

# Create the db
npm run db:create

# Set up the tables
npm run migrate

# Set up some very basic seeded data
npm run seed

# General server use

# Start the server using nodemon
npm start

# Returns all plants
curl localhost:3000/api/plants

# Returns a specific plant
curl localhost:3000/api/plants/1

# Adds a plant to the db
curl -X POST localhost:3000/api/plants \
    -H 'Content-Type: application/json' \
    -d '{"species": "Boston Fern","colour": "Green","size": "S","season": true}'

# Update a plant in the db
curl -X PUT localhost:3000/api/plants/1 \
    -H 'Content-Type: application/json' \
    -d '{"species": "Cactus","colour": "Purple","size": "L","season": false}'

# Delete a plant in the db
curl -X DELETE localhost:3000/api/plants/1

# Using the test suite

# Run all tests
npm test

# Update the snapshots
npm test -- -u

# Start Jest in interactive watch mode
npm test -- --watch

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as appropriate.

License

MIT

About

An example of how Nuclei can be used in a simple CI/CD pipeline as early in the SDLC as possible
