Merge pull request #1 from unionfindbee/first

Adding root endpoint + unit tests + code coverage

.github/workflows/mapi.yml

@@ -0,0 +1,86 @@
+name: 'Mayhem for API'
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+  schedule:
+    - cron: '0 2 * * *' # run at 2 AM UTC
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Create environment to run API
+    - name: Set up Node
+      uses: actions/setup-node@v3
+      with:
+        node-version: 18
+
+    - name: Install dependencies
+      run: npm install
+
+
+    - name: Run unit tests
+      run: npx nyc --reporter=lcov --report-dir=./coverage/unit mocha test.js
+
+
+    - name: Upload unit test coverage to Codecov
+      uses: codecov/codecov-action@v3
+      with:
+        files: coverage/unit/lcov.info
+        flags: unit-tests
+        fail_ci_if_error: true
+
+
+    # Run API in test mode. We configured test mode to output stacktraces in
+    # the error responses to improve the output of Mayhem for API.
+    - name: Run API
+      env:
+        FASTAPI_ENV: test
+      run: npx nyc node app.js &
+
+    # Run Mayhem for API
+    - name: Run Mayhem for API to check for vulnerabilities
+      uses: ForAllSecure/mapi-action@v2
+      continue-on-error: true
+      with:
+        mayhem-url: https://app.mayhem.security
+        mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+        api-url: http://localhost:3000
+        api-spec: openapi.yaml
+        sarif-report: mapi.sarif
+        html-report: mapi.html
+        target: forallsecure-demo/mapi-node-example/node
+
+    # Kill python if it's still running, ignoring any errors
+    - name: Shut down API
+      run: pgrep node | xargs kill || true; sleep 5
+
+    - name: Generate coverage
+      run: npx nyc report --reporter=lcov --report-dir=./coverage/mayhem
+
+    - name: Upload Mayhem coverage to Codecov
+      uses: codecov/codecov-action@v3
+      with:
+        name: mayhem
+        files: coverage/mayhem/lcov.info
+        flags: vulnerability-tests
+        fail_ci_if_error: true
+
+    # Archive HTML report
+    - name: Archive Mayhem for API report
+      uses: actions/upload-artifact@v3
+      with:
+        name: mapi-report
+        path: mapi.html
+
+    # Upload SARIF file (only available on public repos or github enterprise)
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: mapi.sarif

README.md

@@ -1,2 +1,109 @@
-# mapi-node-example
-An example of how to use Mayhem's API functionality with a Node.js application
+# Mayhem for API: Node.js Express Application Example
+
+[![Mayhem for API](https://mayhem4api.forallsecure.com/api/v1/api-target/forallsecure/forallsecure-mapi-action-examples/badge/icon.svg?scm_branch=main)](https://mayhem4api.forallsecure.com/forallsecure/forallsecure-mapi-action-examples/latest-job?scm_branch=main)
+
+[![Mayhem for API](https://mayhem4api.forallsecure.com/downloads/img/mapi-logo-full-color.svg)](http://mayhem4api.forallsecure.com/signup)
+
+## About Mayhem for API
+
+🧪 Modern App Testing: Mayhem for API is a dynamic testing tool that
+catches reliability, performance and security bugs before they hit
+production.
+
+🧑‍💻 For Developers, by developers: The engineers building
+software are the best equipped to fix bugs, including security bugs. As
+engineers ourselves, we're building tools that we wish existed to make
+our job easier!
+
+🤖 Simple to Automate in CI: Tests belong in CI, running on every commit
+and PRs. We make it easy, and provide results right in your PRs where
+you want them. Adding Mayhem for API to a DevOps pipeline is easy.
+
+Want to try it? [Get started for free!](https://www.mayhem.security/get-started)!
+
+## Example GitHub Actions Integration
+
+This repository contains a simple Node.js Express API application being tested by Mayhem for API.
+
+### Starting a Mayhem for API scan in Github Actions
+
+To scan your Node.js API with Mayhem for API in CI, you need to:
+1) Start your API
+2) Start the Mayhem for API scan
+
+In GitHub actions, those steps translate to:
+
+```yaml
+    # Run API in test mode. Configured to output stacktraces in
+    # the error responses to improve the output of Mayhem for API.
+    - name: Run API
+      run: node src/app.js &
+
+    # Run Mayhem for API
+    - name: Run Mayhem for API to check for vulnerabilities
+      uses: ForAllSecure/mapi-action@v2
+      with:
+        mayhem-url: https://app.mayhem.security
+        mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+        api-url: http://localhost:3000
+        api-spec: http://localhost:3000/api-docs
+```
+This repo contains a full example workflow for reference.
+
+## Reports
+Mayhem for API generates reports when you pass sarif-report or html-report to the input. Make sure to pass continue-on-error to the Mayhem for API step if you want to process the reports in follow-up steps.
+
+### Artifact HTML Report
+
+![sample report](https://mayhem4api.forallsecure.com/downloads/img/sample-report.png)
+
+To artifact the report in your build, add this step to your pipeline:
+
+```yaml
+- name: Run Mayhem for API to check for vulnerabilities
+  uses: ForAllSecure/mapi-action@v2
+  continue-on-error: true
+  with:
+    mayhem-url: https://app.mayhem.security
+    mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+    api-url: http://localhost:3000 # <- update this
+    api-spec: your-openapi-spec-or-postman-collection.json # <- update this
+    html-report: mapi.html
+
+# Archive HTML report
+- name: Archive Mayhem for API report
+  uses: actions/upload-artifact@v3
+  with:
+    name: mapi-report
+    path: mapi.html
+```
+
+## GitHub Code Scanning support
+![GitHub Code Scanning support](http://mayhem4api.forallsecure.com/downloads/img/sarif-github.png)
+
+Uploading SARIF reports to GitHub allows you to see any issue found by
+Mayhem for API right on your PR, as well as in the "Security" tab of
+your repository. This currently requires you to have a GitHub Enterprise
+Plan or have a public repository. To upload the SARIF report, add this
+step to your pipeline:
+
+```yaml
+- name: Run Mayhem for API to check for vulnerabilities
+  uses: ForAllSecure/mapi-action@v2
+  continue-on-error: true
+  with:
+    mayhem-url: https://app.mayhem.security
+    mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+    api-url: http://localhost:3000 # <- update this
+    api-spec: your-openapi-spec-or-postman-collection.json # <- update this
+    sarif-report: mapi.sarif
+
+# Upload SARIF file (only available on public repos or github enterprise)
+- name: Upload SARIF file
+  uses: github/codeql-action/upload-sarif@v2
+  with:
+    sarif_file: mapi.sarif
+```
+
+## CI Workflow Example for Node.js Application
+Refer to the mapi.yml in this repository for a full example of integrating Mayhem for API with a Node.js Express application, including setting up the environment, running the application, and integrating the testing workflow.

app.js

@@ -0,0 +1,39 @@
+const express = require('express');
+const sqlite3 = require('sqlite3').verbose(); // Verbose for easier debugging
+const app = express();
+const port = 3000;
+
+// Create an in-memory database
+const db = new sqlite3.Database(':memory:', (err) => {
+    if (err) {
+      return console.error(err.message);
+    }
+    console.log('Connected to the in-memory SQLite database.');
+  });
+
+  // Create a table
+  db.run('CREATE TABLE users (email TEXT, password TEXT)', (err) => {
+    if (err) {
+      return console.error(err.message);
+    }
+    console.log('Table created.');
+  });
+
+
+app.get('/', (req, res) => {
+  res.send('Hello, World!');
+});
+
+  const server = app.listen(port, () => {
+    console.log(`Listening at http://localhost:${port}`);
+  });
+
+  module.exports = {
+    app: app,       // Export app for testing
+    server: server, // Export server instance for testing
+    db: db          // Export SQLite db instance for testing
+  };
+
+
+
+

openapi.yaml

@@ -0,0 +1,24 @@
+openapi: 3.0.0
+info:
+  title: Simple User Application API
+  description: API for a basic user application with login functionality.
+  version: 1.0.0
+servers:
+  - url: http://localhost:3000
+    description: Development server
+
+paths:
+  /:
+    get:
+      summary: Home endpoint
+      description: Returns a greeting message.
+      responses:
+        '200':
+          description: A simple greeting message
+          content:
+            text/html:
+              schema:
+                type: string
+                example: Hello, World!
+
+