This project is currently in its early development stage and serves as a Proof of Concept (POC) to showcase how a RAG (Retrieve, Answer, Generate) framework can be used to generate security test scenarios. It takes an API Spec Yaml as input and leverages state-of-the-art open source RAG tools to produce security bola-oriented Karate DSL test scenarios. Please note that due to the experimental nature of this project, there might be instances of "spaghetti code" here and there. Your understanding and contributions are highly appreciated.
This project is a Karate DSL test generator that uses AI to create and verify Karate test scripts for API endpoints.
In this project, there are particular scripts, that needs to be run prior to the main project script rag_karate_test_gen.py other than the perequisites for the environment, there are a few other requirments that are required for the script to correctly produce test cases.
This repository, also contains, utility scripts like chroma_viewer.py used to peak into different collections for self-check.
- Python 3.10+
- Java 11+ (for running Karate tests)
- ChromaDB
- Langfuse
- HuggingFace Embeddings
- GPT4ALL or other LLM Wrapper for Server integration
- Mistral 7B Model or other of choise
- Docker
-
Install the required Python packages:
pip install -r requirements.txt -
Set up the necessary instances and environment variables or update the configuration files with:
- LLM API endpoint
- Langfuse API keys
- ChromaDB connection details
-
Ensure you have a running instance of ChromaDB with a collection named "karate_dsl_features".
Before generating tests, you need to have the api framgments in the vectorDB.
- Start the OasParser Service;
- Run
python oasparser file.yamlfor parsing the file and producing the json file fragments; - Run the
oas_fragment_store.pyto store the fragments into the chromaDB.
-
Upload any relevant files to
knowledgebasefolder. -
Run the
bola_store.pyfor -
Run the
oas_fragment_store.pyfor API YAML parsing and storing the json framgents in the corresponding dir. -
Generate Karate tests:
python rag_karate_test_gen.pyThis will generate Karate test scripts based on the API endpoints in your OpenAPI specification.
rag_karate_test_gen.py: Main script for generating Karate testskarate_compatibility_verifier.py: Script for verifying and correcting Karate test syntaxkarate_security_test_template.py: Template for security-focused Karate testskarate_llm_test_gen.py: LLM integration for test generationkarate_test_framework.py: Framework for running Karate tests
- The project uses RAG (Retrieval-Augmented Generation) to create relevant test scenarios.
- Langfuse is used for tracing and monitoring the LLM calls.
- The generated tests are automatically verified for Karate DSL compatibility.
- Make sure to review and customize the generated tests as needed for your specific API endpoints.
- There are certain optional params, or other options in running and executing different parts of the project.
For testing with the below use cases, please refer to their repositories, for guidance on instalation an usage.
Check https://github.com/erev0s/VAmPI for intalation and usage details.
Check https://github.com/OWASP/crAPI for intalation and usage details.
Check https://github.com/juice-shop/juice-shop for intalation and usage details.
-
Running the karate test framework, skipping the fragment creation:
python3 rag_karate_test_gen.py skipFragmentCreationThis will run the Karate Test Framework with the generated and verified test scripts.
-
Running the karate test framework docker file -> See oasparser/README.md
- [] Docker compose file with all the services and use cases;
- [] Support for Commercial LLMs;
- [] Tutorial on how to setup everything step by step locally.