npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

sentinel-ast

v1.4.21

Published

Sentinel automated security testing framework

Downloads

81

Readme

npm License Build Status

Sentinel

Sentinel is a framework that enables automated security testing via a suite of industry standard test frameworks and security tools.

It is built on Cucumber and Node.js. This allows for security test cases to be defined in Gherkin/BDD syntax making them human readable and self documenting. The idea is that we make security testing a concept that is approachable(tests written by developers, testers, security guys), repeatable(when integrated with your CI/CD pipelines) and auditable(when used to gather evidence in compliancy initiatives).

Sentinel was inspired by existing security frameworks(Gauntlt, Mittn, BDD-Security) but we felt the need to provide our own flavour to security testing with a modern javascript and docker based environment.

Features

Sentinel is currently integrated with

  • Automated security scanners - Open Zap, SSLyze and snyk to find security vulnerabilities in your web applications.
  • Selenium/WebDriver and Node.js for implementing browser and API based automated tests.
  • Docker/Compose that enables drop-in isolation of integrated components during runtime. It also enables what we call the Bring-Your-Own-Container(s) feature, which gives consumers of Sentinel the capability to attach their web applications/services as containers onto Sentinels' networking infrastructure.
  • Reporting tools.

It has been designed from ground-up to be completely extensible.

Quickstart

We want to get you off the ground and started as quick as possible in just a few steps. Running commands below on your shell will install Node.js, Docker and Sentinel running security tests against a local containerized website.

sh -c "$(curl -fsSL https://raw.githubusercontent.com/nintexplatform/sentinel/master/bin/install-dependencies.sh)"
git clone https://github.com/nintexplatform/sentinel-example.git && cd sentinel-example
npm install 
npm run test

On Linux, run the install-dependencies script under sudo for root privileges.

Once the tests have completed, you can find a generated report under sentinel-example/report directory

We've introduced an example use case of Sentinel in the sentinel-example repo

Getting Started

To install the framework:

  1. Install prequisites
  2. Install Sentinel via npm

Install Prerequisites

These prerequisites must be installed first.

  1. Node.js Version 7+
  2. Docker
  3. Docker Compose

Alternatively, for Docker + Compose, you can also install Docker for Mac or Windows which is a fast and easy way to get Docker + Compose.

-or-

Use our quick-install script

sh -c "$(curl -fsSL https://raw.githubusercontent.com/nintexplatform/sentinel/master/bin/install-dependencies.sh)"

Install Sentinel via npm

npm install -g sentinel-ast

From this point, see the For Developers section below on how to use Sentinel.

For Developers

Sentinel CLI

Getting Sentinel to run is simple and done primarily through a global(if npm installed with -g) CLI.

sentinel

  Usage: sentinel [options] [command]


  Options:

    -V, --version  output the version number
    -h, --help     output usage information


  Commands:

    init                             Initializes configuration & test templates in the current directory
    run-compose [COMMAND] [ARGS...]  Runs docker compose commands
    run-cucumber [options] [DIR]     Runs cucumber tests
    start-services [options]         Starts services in its containers
    stop-services [options]          Stops services and its containers
sentinel init
  • From an empty directory, you should always run this command first. It initializes the current directory with a default config.env, feature templates and config json files.
  • The default parameters in config.env are explained below. They should be configured prior to starting up the services.
sentinel start-services
  • This command starts all integrated services as containers.
sentinel stop-services
  • This command stops all containers hosting integrated services.
sentinel run-compose
  • This command proxies the CLI arguments to Docker compose.
sentinel run-cucumber
  • This command proxies the CLI arguments to Cucumber-js.

Integrations

The framework ships with a few integrated components out of the box. If they are hosted within containers, we refer to them as services.

Cucumber Report

Adds cucumber hooks to create a report at the end of a test run.
Integrates the Cucumber Html Reporter

Slack

Adds hooks to post results at the end of a test run to Slack.

Node

This is a general purpose Node.js container that tests are run in.
It reads environment variables from config.env Node Version 7+

Selenium WebDriver

The node Selenium WebDriver package.
It has cucumber hooks to configure the webdriver and adds the driver instance to the world.
It also has a docker service for running a chrome container for remote control of the browser.

SSLyze

A service which can be used for running a SSLyze scan against a host.
GitHub

Zap

A service which hosts OWASP ZAP.
GitHub

Snyk

A service which can be used for packages and dependency scanning projects. snyk.io

Enabling integrations

Enabling integrations and loading up additional services is managed via a config file. It needs to be created in the root folder of the project that references Sentinel, as .sentinel.json

Sample .sentinel.json :

{
  "integrations": {
    "whitelist": [
      "node",
      "docker",
      "cucumber-report",
      "selenium",
      "sslyze",
      "zap"
    ],
    "customServices": [
        "./nodegoat-app/docker-compose.yml"
    ]
  }
}

Extensibility

Extending the framework starts with packaging your new component as a sub-directory within the /integration directory. These components can hook into the Sentinel runtime in a number of ways.

  • Cucumber support files
    Any files found in a components cucumber folder gets required when starting tests.
    This can be used to add step definitions, modify the world, add hooks etc.
    (Refer to /integration/selenium)
  • Docker container/service
    Required binaries, cli tools, etc can be exposed as a webservice by adding a compose-*.yml file in the integrations folder. This lets you define containers that can host the cli and allows test code to use REST calls to access it by service name. (Refer to /integration/sslyze)
  • Javascript module
    You can create reusable Page Objects or interfaces needed to communicate to services by including the classes and exporting them from the index.js in the framework's root directory. By doing so, consumers of the Sentinel framework can have access to these objects at runtime.
    (Refer to /integration/zap)

Environment Variables

| Integration | Name | Description | Required | Default / Optional Values | |---------------------|-----------------------------|--------------------------------|----------|-------------| | sslyze | SSLYZE_SERVER_URL | Url to sslyze api server | false | http://sslyze:8081/ | | zap | ZAP_SERVER_URL | Url to zap api server | false | http://zap:8080/ | | zap | ZAP_MAX_DEPTH | zap crawling max depth | false | 5 | | zap | ZAP_THREAD_DEPTH | zap thread number | false | 5 | | snyk | SNYK_TOKEN | Auth token for snyk| false | | | snyk | SNYK_URL | Url to snyk api server | false | http://snyk:8086/ | | application | AUT_SERVER_URL | Url to application under test | true | https://nodegoat:4000 | | selenium | SELENIUM_BROWSER | Webdriver capabilities | false | chrome | | selenium | SELENIUM_REMOTE_URL | Webdriver url | true | http://selenium:4444/wd/hub | | selenium | SELENIUM_REMOTE_CAPABILITY | For remote selenium services | false | ./remoteSelenium.config.template.json | | selenium | WEBDRIVER_PAGE_TIMEOUT | Webdriver page load timeout | false | 45000 | | selenium | WEBDRIVER_LONG_TIMEOUT | Timeout for long running step | false | 30000 | | selenium | EXECUTION_ENVIRONMENT | For zap proxy | false | local (default) / proxy / remote | | cucumber | FEATURE_DIR | Feature file location | false | ./features/ | | cucumber | CUCUMBER_LONG_TIMEOUT | timeout for cucumber steps | false | 30000 | | cucumber-report | CUCUMBER_REPORT_DIR | path to store reports | false | ./report/ | | slack | SLACK_FEATURE | ON or OFF the process | false | 'ON' / 'OFF' (default) |
| slack | SLACK_WEBHOOK_URI | Specify the Incoming webhooks url - Reference | false | - |