DEV Community: JEFFERSON ROSAS CHAMBILLA The latest articles on DEV Community by JEFFERSON ROSAS CHAMBILLA (@jefferson_rosas). https://dev.to/jefferson_rosas https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3525228%2Fe40c364f-086f-4737-a797-4b39b61c13fb.png DEV Community: JEFFERSON ROSAS CHAMBILLA https://dev.to/jefferson_rosas en Math & Calculator MCP Server JEFFERSON ROSAS CHAMBILLA Thu, 04 Dec 2025 14:59:32 +0000 https://dev.to/jefferson_rosas/math-calculator-mcp-server-32e2 https://dev.to/jefferson_rosas/math-calculator-mcp-server-32e2 <p>A powerful <strong>Model Context Protocol (MCP) Server</strong> that provides advanced mathematical utilities and calculator tools for AI assistants like Claude and other MCP-compatible clients.</p> <h2> 📖 About </h2> <p>This MCP server exposes mathematical tools that AI assistants can use to perform calculations, statistical analysis, unit conversions, and more. Built with the Model Context Protocol SDK, it seamlessly integrates with Claude Desktop, VSCode, and other MCP clients.</p> <p><strong>Author:</strong> Jefferson Rosas Chambilla<br><br> <strong>Repository:</strong> <a href="https://github.com/Ankluna72/Math-Calculator-MCP-Server-" rel="noopener noreferrer">https://github.com/Ankluna72/Math-Calculator-MCP-Server-</a></p> <h2> ✨ Features </h2> <h3> 🔢 Basic Calculator </h3> <ul> <li>Addition, subtraction, multiplication, division</li> <li>Power, square root, modulo operations</li> <li>Error handling (division by zero, invalid operations)</li> </ul> <h3> 📊 Statistical Analysis </h3> <ul> <li>Mean, median, mode</li> <li>Standard deviation and variance</li> <li>Complete statistical summaries</li> </ul> <h3> 🔄 Unit Conversions </h3> <ul> <li> <strong>Length:</strong> meters, kilometers, miles, feet, inches</li> <li> <strong>Weight:</strong> kilograms, grams, pounds, ounces</li> <li> <strong>Temperature:</strong> Celsius, Fahrenheit, Kelvin</li> </ul> <h3> 📐 Equation Solver </h3> <ul> <li>Quadratic equation solver (ax² + bx + c = 0)</li> <li>Handles real and complex solutions</li> <li>Discriminant analysis</li> </ul> <h3> 💯 Percentage Calculator </h3> <ul> <li>Percentage of a number</li> <li>Percentage increase/decrease</li> <li>"What percentage is X of Y?"</li> </ul> <h3> 📏 Trigonometry </h3> <ul> <li>Sin, cos, tan (and inverse functions)</li> <li>Angle calculations in degrees</li> <li>Precise floating-point results</li> </ul> <h2> 🚀 Installation </h2> <h3> Prerequisites </h3> <ul> <li>Node.js &gt;= 18.0.0</li> <li>npm or yarn</li> </ul> <h3> Clone and Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/Ankluna72/Math-Calculator-MCP-Server-.git <span class="nb">cd </span>Math-Calculator-MCP-Server- npm <span class="nb">install </span>npm run build </code></pre> </div> <h2> ⚙️ Configuration </h2> <h3> For Claude Desktop </h3> <p>Add to your Claude Desktop config file (<code>claude_desktop_config.json</code>):</p> <p><strong>Windows:</strong> <code>%APPDATA%\Claude\claude_desktop_config.json</code><br><br> <strong>macOS:</strong> <code>~/Library/Application Support/Claude/claude_desktop_config.json</code><br><br> <strong>Linux:</strong> <code>~/.config/Claude/claude_desktop_config.json</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"math-calculator"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"C:</span><span class="se">\\</span><span class="s2">path</span><span class="se">\\</span><span class="s2">to</span><span class="se">\\</span><span class="s2">Math-Calculator-MCP-Server-</span><span class="se">\\</span><span class="s2">dist</span><span class="se">\\</span><span class="s2">index.js"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> For VSCode with Cline Extension </h3> <p>Add to VSCode settings (<code>.vscode/settings.json</code> or User Settings):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcp.servers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"math-calculator"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"C:</span><span class="se">\\</span><span class="s2">path</span><span class="se">\\</span><span class="s2">to</span><span class="se">\\</span><span class="s2">Math-Calculator-MCP-Server-</span><span class="se">\\</span><span class="s2">dist</span><span class="se">\\</span><span class="s2">index.js"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 📚 Usage Examples </h2> <p>Once configured, your AI assistant can use these tools automatically. Here are some example requests:</p> <h3> Basic Calculations </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"Calculate 25 * 4" "What is the square root of 144?" "Divide 100 by 7" </code></pre> </div> <h3> Statistics </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"Calculate the mean of [10, 20, 30, 40, 50]" "Find median and mode for these numbers: [5, 3, 5, 2, 8, 5]" "Give me all statistics for [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]" </code></pre> </div> <h3> Unit Conversions </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"Convert 100 kilometers to miles" "How many pounds is 75 kilograms?" "Convert 32 Fahrenheit to Celsius" </code></pre> </div> <h3> Solve Equations </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"Solve x² - 5x + 6 = 0" "Find solutions for 2x² + 3x - 2 = 0" </code></pre> </div> <h3> Percentages </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"What is 15% of 200?" "Increase 50 by 20%" "What percentage is 25 of 200?" </code></pre> </div> <h3> Trigonometry </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"Calculate sin(30°)" "What is cos(45°)?" "Find tan(60°)" </code></pre> </div> <h2> 🛠️ Available Tools </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>calculate</code></td> <td>Basic arithmetic operations</td> </tr> <tr> <td><code>statistics</code></td> <td>Statistical analysis of number arrays</td> </tr> <tr> <td><code>convert_units</code></td> <td>Convert between different units</td> </tr> <tr> <td><code>solve_equation</code></td> <td>Solve quadratic equations</td> </tr> <tr> <td><code>percentage</code></td> <td>Percentage calculations</td> </tr> <tr> <td><code>trigonometry</code></td> <td>Trigonometric functions</td> </tr> </tbody> </table></div> <h2> 📁 Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Math-Calculator-MCP-Server-/ ├── src/ │ └── index.ts # Main MCP server implementation ├── dist/ # Compiled JavaScript (after build) ├── package.json # Project dependencies ├── tsconfig.json # TypeScript configuration ├── .gitignore └── README.md </code></pre> </div> <h2> 🔧 Development </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install dependencies</span> npm <span class="nb">install</span> <span class="c"># Build the project</span> npm run build <span class="c"># Development mode (watch for changes)</span> npm run dev <span class="c"># Start the server</span> npm start </code></pre> </div> <h2> 🧪 Testing </h2> <p>You can test the server manually using <code>stdio</code> communication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm start </code></pre> </div> <p>Then send MCP protocol messages via stdin to test tool execution.</p> <h2> 📝 License </h2> <p>MIT License - see LICENSE file for details</p> <h2> 🤝 Contributing </h2> <p>Contributions are welcome! Please feel free to submit a Pull Request.</p> <ol> <li>Fork the repository</li> <li>Create your feature branch (<code>git checkout -b feature/AmazingFeature</code>)</li> <li>Commit your changes (<code>git commit -m 'Add some AmazingFeature'</code>)</li> <li>Push to the branch (<code>git push origin feature/AmazingFeature</code>)</li> <li>Open a Pull Request</li> </ol> <h2> 📧 Contact </h2> <p><strong>Jefferson Rosas Chambilla</strong></p> <ul> <li>GitHub: <a href="https://github.com/Ankluna72" rel="noopener noreferrer">@Ankluna72</a> </li> <li>Repository: <a href="https://github.com/Ankluna72/Math-Calculator-MCP-Server-" rel="noopener noreferrer">Math-Calculator-MCP-Server-</a> </li> </ul> <h2> 🌟 Acknowledgments </h2> <ul> <li>Built with the <a href="https://github.com/modelcontextprotocol/sdk" rel="noopener noreferrer">Model Context Protocol SDK</a> </li> <li>Inspired by the need for mathematical tools in AI assistants</li> <li>Thanks to Anthropic for developing the MCP standard</li> </ul> mcp calculator math serverless TestRail Manager: Automatiza tu Gestión de Pruebas con Python JEFFERSON ROSAS CHAMBILLA Fri, 21 Nov 2025 00:58:05 +0000 https://dev.to/jefferson_rosas/testrail-manager-automatiza-tu-gestion-de-pruebas-con-python-2ba https://dev.to/jefferson_rosas/testrail-manager-automatiza-tu-gestion-de-pruebas-con-python-2ba <h1> 🚀 TestRail Manager: Automatiza tu Gestión de Pruebas con Python </h1> <p>¿Cansado de gestionar manualmente tus casos de prueba en TestRail? ¿Quieres automatizar el reporte de resultados desde tus tests? <strong>TestRail Manager</strong> es la solución que necesitas.</p> <h2> 🎯 ¿Qué es TestRail Manager? </h2> <p><strong>TestRail Manager</strong> es una librería Python completa que te permite interactuar con la API de TestRail de forma simple y eficiente. Con ella puedes:</p> <p>✅ Crear y gestionar proyectos, suites y casos de prueba<br><br> ✅ Ejecutar test runs automáticamente<br><br> ✅ Reportar resultados desde tus frameworks de testing (pytest, unittest, etc.)<br><br> ✅ Generar métricas y reportes detallados<br><br> ✅ Integrar TestRail en tu pipeline CI/CD </p> <h2> 💡 ¿Por qué la creé? </h2> <p>Como QA Engineer, me encontraba constantemente:</p> <ul> <li>📝 <strong>Creando casos de prueba manualmente</strong> en TestRail</li> <li>🔄 <strong>Actualizando resultados uno por uno</strong> después de cada ejecución</li> <li>📊 <strong>Generando reportes manualmente</strong> para los stakeholders</li> <li>🤯 <strong>Perdiendo tiempo</strong> en tareas repetitivas</li> </ul> <p>Necesitaba una forma de <strong>automatizar todo este proceso</strong> y mantener TestRail sincronizado con mis test automatizados. Así nació <strong>TestRail Manager</strong>.</p> <h2> 🛠️ Instalación Rápida </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clonar el repositorio</span> git clone https://github.com/Ankluna72/Gestion-de-pruebas-TestRail-Rosas.git <span class="nb">cd </span>Gestion-de-pruebas-TestRail-Rosas <span class="c"># Instalar dependencias</span> pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt <span class="c"># Configurar credenciales</span> copy .env.example .env <span class="c"># Edita .env con tus credenciales de TestRail</span> </code></pre> </div> <h2> 🚦 Inicio Rápido </h2> <h3> 1️⃣ Configuración Básica </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">testrail_manager</span> <span class="kn">import</span> <span class="n">TestRailManager</span> <span class="kn">from</span> <span class="n">config</span> <span class="kn">import</span> <span class="n">TestRailConfig</span> <span class="c1"># Inicializar el manager </span><span class="n">manager</span> <span class="o">=</span> <span class="nc">TestRailManager</span><span class="p">(</span> <span class="n">base_url</span><span class="o">=</span><span class="sh">"</span><span class="s">https://tu-empresa.testrail.io</span><span class="sh">"</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="sh">"</span><span class="s">tu-email@ejemplo.com</span><span class="sh">"</span><span class="p">,</span> <span class="n">api_key</span><span class="o">=</span><span class="sh">"</span><span class="s">tu-api-key</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <h3> 2️⃣ Crear un Caso de Prueba </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Crear un caso de prueba con pasos detallados </span><span class="n">case</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">create_case</span><span class="p">(</span> <span class="n">section_id</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">title</span><span class="o">=</span><span class="sh">"</span><span class="s">Login exitoso con credenciales válidas</span><span class="sh">"</span><span class="p">,</span> <span class="n">type_id</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">TYPE_FUNCTIONAL</span><span class="p">,</span> <span class="n">priority_id</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">PRIORITY_HIGH</span><span class="p">,</span> <span class="n">custom_steps</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">content</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">1. Abrir página de login</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">expected</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Se muestra formulario de login</span><span class="sh">'</span> <span class="p">},</span> <span class="p">{</span> <span class="sh">'</span><span class="s">content</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">2. Ingresar credenciales válidas</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">expected</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Las credenciales son aceptadas</span><span class="sh">'</span> <span class="p">},</span> <span class="p">{</span> <span class="sh">'</span><span class="s">content</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">3. Hacer clic en </span><span class="sh">"</span><span class="s">Iniciar sesión</span><span class="sh">"'</span><span class="p">,</span> <span class="sh">'</span><span class="s">expected</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Usuario es redirigido al dashboard</span><span class="sh">'</span> <span class="p">}</span> <span class="p">],</span> <span class="n">estimate</span><span class="o">=</span><span class="sh">'</span><span class="s">2m</span><span class="sh">'</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✓ Caso creado con ID: </span><span class="si">{</span><span class="n">case</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 3️⃣ Ejecutar un Test Run </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="c1"># Crear test run </span><span class="n">run</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">create_run</span><span class="p">(</span> <span class="n">project_id</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">suite_id</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">Test Run - </span><span class="si">{</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="n">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y-%m-%d %H</span><span class="si">:</span><span class="o">%</span><span class="n">M</span><span class="sh">'</span><span class="s">)</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Ejecución automatizada</span><span class="sh">"</span><span class="p">,</span> <span class="n">include_all</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✓ Test Run creado: </span><span class="si">{</span><span class="n">run</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 4️⃣ Reportar Resultados </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Reportar resultado exitoso </span><span class="n">result</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">add_result_for_case</span><span class="p">(</span> <span class="n">run_id</span><span class="o">=</span><span class="n">run</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">],</span> <span class="n">case_id</span><span class="o">=</span><span class="n">case</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">],</span> <span class="n">status_id</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">STATUS_PASSED</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="sh">"</span><span class="s">✓ Prueba ejecutada exitosamente</span><span class="sh">"</span><span class="p">,</span> <span class="n">elapsed</span><span class="o">=</span><span class="sh">"</span><span class="s">2m 30s</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="sh">"</span><span class="s">v1.2.3</span><span class="sh">"</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✓ Resultado reportado</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 5️⃣ Generar Métricas </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Obtener estadísticas del run </span><span class="n">stats</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">get_run_statistics</span><span class="p">(</span><span class="n">run_id</span><span class="o">=</span><span class="n">run</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Total de pruebas: </span><span class="si">{</span><span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">total_tests</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✓ Pasadas: </span><span class="si">{</span><span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">passed</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✗ Fallidas: </span><span class="si">{</span><span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">failed</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Tasa de éxito: </span><span class="si">{</span><span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">pass_rate</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">%</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> 🔥 Caso de Uso Real: Integración con pytest </h2> <p>Una de las funcionalidades más potentes es la integración con pytest para reportar automáticamente los resultados a TestRail.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pytest</span> <span class="kn">from</span> <span class="n">testrail_manager</span> <span class="kn">import</span> <span class="n">TestRailManager</span> <span class="kn">from</span> <span class="n">config</span> <span class="kn">import</span> <span class="n">TestRailConfig</span> <span class="c1"># Configurar TestRail </span><span class="n">testrail</span> <span class="o">=</span> <span class="nc">TestRailManager</span><span class="p">(</span> <span class="n">base_url</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">BASE_URL</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">USERNAME</span><span class="p">,</span> <span class="n">api_key</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">API_KEY</span> <span class="p">)</span> <span class="k">class</span> <span class="nc">TestLogin</span><span class="p">:</span> <span class="k">def</span> <span class="nf">test_login_exitoso</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="c1"># Tu lógica de test </span> <span class="n">resultado</span> <span class="o">=</span> <span class="nf">perform_login</span><span class="p">(</span><span class="sh">"</span><span class="s">user@test.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">password123</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Reportar a TestRail automáticamente </span> <span class="n">testrail</span><span class="p">.</span><span class="nf">add_result_for_case</span><span class="p">(</span> <span class="n">run_id</span><span class="o">=</span><span class="mi">123</span><span class="p">,</span> <span class="n">case_id</span><span class="o">=</span><span class="mi">456</span><span class="p">,</span> <span class="n">status_id</span><span class="o">=</span><span class="mi">1</span> <span class="k">if</span> <span class="n">resultado</span> <span class="k">else</span> <span class="mi">5</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="sh">"</span><span class="s">Test ejecutado desde pytest</span><span class="sh">"</span><span class="p">,</span> <span class="n">elapsed</span><span class="o">=</span><span class="sh">"</span><span class="s">500ms</span><span class="sh">"</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">resultado</span> <span class="o">==</span> <span class="bp">True</span> </code></pre> </div> <h2> 📊 Ejemplo Completo: Pipeline de Testing </h2> <p>Aquí un ejemplo de cómo usar TestRail Manager en un pipeline completo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">testrail_manager</span> <span class="kn">import</span> <span class="n">TestRailManager</span> <span class="kn">from</span> <span class="n">config</span> <span class="kn">import</span> <span class="n">TestRailConfig</span> <span class="kn">import</span> <span class="n">time</span> <span class="c1"># 1. Inicializar </span><span class="n">manager</span> <span class="o">=</span> <span class="nc">TestRailManager</span><span class="p">(</span> <span class="n">base_url</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">BASE_URL</span><span class="p">,</span> <span class="n">username</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">USERNAME</span><span class="p">,</span> <span class="n">api_key</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">API_KEY</span> <span class="p">)</span> <span class="c1"># 2. Crear test run </span><span class="n">run</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">create_run</span><span class="p">(</span> <span class="n">project_id</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">suite_id</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Regression Suite - Nightly</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Ejecución nocturna automática</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># 3. Obtener tests </span><span class="n">tests</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">get_tests</span><span class="p">(</span><span class="n">run</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># 4. Ejecutar y reportar </span><span class="k">for</span> <span class="n">test</span> <span class="ow">in</span> <span class="n">tests</span><span class="p">:</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Ejecutar tu test aquí </span> <span class="n">result</span> <span class="o">=</span> <span class="nf">execute_test</span><span class="p">(</span><span class="n">test</span><span class="p">[</span><span class="sh">'</span><span class="s">case_id</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># Reportar éxito </span> <span class="n">manager</span><span class="p">.</span><span class="nf">add_result</span><span class="p">(</span> <span class="n">test_id</span><span class="o">=</span><span class="n">test</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">],</span> <span class="n">status_id</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">STATUS_PASSED</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">✓ Test pasó correctamente</span><span class="sh">"</span><span class="p">,</span> <span class="n">elapsed</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span><span class="p">)</span><span class="si">}</span><span class="s">s</span><span class="sh">"</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="c1"># Reportar fallo </span> <span class="n">manager</span><span class="p">.</span><span class="nf">add_result</span><span class="p">(</span> <span class="n">test_id</span><span class="o">=</span><span class="n">test</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">],</span> <span class="n">status_id</span><span class="o">=</span><span class="n">TestRailConfig</span><span class="p">.</span><span class="n">STATUS_FAILED</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">✗ Error: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">elapsed</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span><span class="p">)</span><span class="si">}</span><span class="s">s</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># 5. Generar reporte </span><span class="n">stats</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">get_run_statistics</span><span class="p">(</span><span class="n">run</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">])</span> <span class="n">manager</span><span class="p">.</span><span class="nf">generate_run_report</span><span class="p">(</span><span class="n">run</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">report.txt</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># 6. Cerrar run </span><span class="n">manager</span><span class="p">.</span><span class="nf">close_run</span><span class="p">(</span><span class="n">run</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅ Pipeline completado - Tasa de éxito: </span><span class="si">{</span><span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">pass_rate</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">%</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> 🎁 Características Destacadas </h2> <h3> 🔧 API Completa </h3> <p>La librería cubre prácticamente toda la API de TestRail:</p> <ul> <li> <strong>Proyectos</strong>: Crear, listar, obtener detalles</li> <li> <strong>Suites</strong>: Organizar casos en suites de prueba</li> <li> <strong>Secciones</strong>: Estructurar casos en secciones</li> <li> <strong>Casos</strong>: CRUD completo con campos personalizados</li> <li> <strong>Test Runs</strong>: Gestión completa de ejecuciones</li> <li> <strong>Resultados</strong>: Reporte individual o en lote</li> <li> <strong>Métricas</strong>: Estadísticas y reportes automáticos</li> </ul> <h3> 🛡️ Manejo Robusto de Errores </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">try</span><span class="p">:</span> <span class="n">case</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">create_case</span><span class="p">(</span> <span class="n">section_id</span><span class="o">=</span><span class="mi">999999</span><span class="p">,</span> <span class="c1"># ID inexistente </span> <span class="n">title</span><span class="o">=</span><span class="sh">"</span><span class="s">Test Case</span><span class="sh">"</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Salida: Error en la petición a TestRail: 404 Not Found </span></code></pre> </div> <h3> 📦 Ejemplos Incluidos </h3> <p>El repositorio incluye 4 ejemplos prácticos listos para usar:</p> <ol> <li> <strong><code>example_basic.py</code></strong> - Operaciones fundamentales</li> <li> <strong><code>example_create_test_run.py</code></strong> - Crear y ejecutar test runs</li> <li> <strong><code>example_manage_cases.py</code></strong> - Gestión de casos de prueba</li> <li> <strong><code>example_integration_pytest.py</code></strong> - Integración con pytest</li> </ol> <h2> 🏗️ Arquitectura del Proyecto </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>testrail-manager/ │ ├── testrail_manager.py # Clase principal ├── config.py # Configuración ├── requirements.txt # Dependencias ├── .env.example # Plantilla de credenciales │ ├── examples/ # Ejemplos prácticos │ ├── example_basic.py │ ├── example_create_test_run.py │ ├── example_manage_cases.py │ └── example_integration_pytest.py │ └── README.md # Documentación completa </code></pre> </div> <h2> 🔐 Seguridad </h2> <p>La herramienta sigue las mejores prácticas de seguridad:</p> <p>✅ <strong>Credenciales en variables de entorno</strong> (nunca en el código)<br><br> ✅ <strong><code>.gitignore</code> configurado</strong> para evitar exposición<br><br> ✅ <strong>Manejo seguro de API Keys</strong><br><br> ✅ <strong>Validación de configuración</strong> antes de ejecutar<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Configuración segura con .env </span><span class="n">TESTRAIL_URL</span><span class="o">=</span><span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">tu</span><span class="o">-</span><span class="n">empresa</span><span class="p">.</span><span class="n">testrail</span><span class="p">.</span><span class="n">io</span> <span class="n">TESTRAIL_USERNAME</span><span class="o">=</span><span class="n">tu</span><span class="o">-</span><span class="n">email</span><span class="nd">@ejemplo.com</span> <span class="n">TESTRAIL_API_KEY</span><span class="o">=</span><span class="n">tu</span><span class="o">-</span><span class="n">api</span><span class="o">-</span><span class="n">key</span> </code></pre> </div> <h2> 📈 Métricas y Reportes </h2> <p>Genera reportes detallados automáticamente:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Obtener estadísticas </span><span class="n">stats</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">get_run_statistics</span><span class="p">(</span><span class="n">run_id</span><span class="o">=</span><span class="mi">123</span><span class="p">)</span> <span class="c1"># Generar reporte </span><span class="n">report</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">generate_run_report</span><span class="p">(</span> <span class="n">run_id</span><span class="o">=</span><span class="mi">123</span><span class="p">,</span> <span class="n">output_file</span><span class="o">=</span><span class="sh">'</span><span class="s">test_report.txt</span><span class="sh">'</span> <span class="p">)</span> </code></pre> </div> <p><strong>Salida del reporte:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>============================================================ REPORTE DE TEST RUN - Regression Suite ============================================================ Run ID: 123 Fecha: 2025-11-20 10:30:00 RESUMEN DE PRUEBAS: ============================================================ Total de pruebas: 50 Pasadas: 45 (90.00%) Fallidas: 3 Bloqueadas: 1 Para re-probar: 0 Sin probar: 1 </code></pre> </div> <h2> 🚀 Casos de Uso </h2> <h3> 1. CI/CD Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions ejemplo</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Tests and Report to TestRail</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pytest</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Report to TestRail</span> <span class="na">run</span><span class="pi">:</span> <span class="s">python report_to_testrail.py</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TESTRAIL_URL</span><span class="pi">:</span> <span class="s">${{ secrets.TESTRAIL_URL }}</span> <span class="na">TESTRAIL_USERNAME</span><span class="pi">:</span> <span class="s">${{ secrets.TESTRAIL_USERNAME }}</span> <span class="na">TESTRAIL_API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.TESTRAIL_API_KEY }}</span> </code></pre> </div> <h3> 2. Selenium Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">selenium</span> <span class="kn">import</span> <span class="n">webdriver</span> <span class="kn">from</span> <span class="n">testrail_manager</span> <span class="kn">import</span> <span class="n">TestRailManager</span> <span class="n">driver</span> <span class="o">=</span> <span class="n">webdriver</span><span class="p">.</span><span class="nc">Chrome</span><span class="p">()</span> <span class="n">manager</span> <span class="o">=</span> <span class="nc">TestRailManager</span><span class="p">(...)</span> <span class="k">try</span><span class="p">:</span> <span class="n">driver</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">https://app.com/login</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># ... tu test ... </span> <span class="n">manager</span><span class="p">.</span><span class="nf">add_result_for_case</span><span class="p">(</span> <span class="n">run_id</span><span class="o">=</span><span class="mi">123</span><span class="p">,</span> <span class="n">case_id</span><span class="o">=</span><span class="mi">456</span><span class="p">,</span> <span class="n">status_id</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="sh">"</span><span class="s">✓ Selenium test passed</span><span class="sh">"</span> <span class="p">)</span> <span class="k">finally</span><span class="p">:</span> <span class="n">driver</span><span class="p">.</span><span class="nf">quit</span><span class="p">()</span> </code></pre> </div> <h3> 3. Scheduled Reports </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Script para generar reportes diarios </span><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">testrail_manager</span> <span class="kn">import</span> <span class="n">TestRailManager</span> <span class="n">manager</span> <span class="o">=</span> <span class="nc">TestRailManager</span><span class="p">(...)</span> <span class="c1"># Obtener runs activos </span><span class="n">runs</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">get_runs</span><span class="p">(</span><span class="n">project_id</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="k">for</span> <span class="n">run</span> <span class="ow">in</span> <span class="n">runs</span><span class="p">:</span> <span class="k">if</span> <span class="n">run</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">is_completed</span><span class="sh">'</span><span class="p">)</span> <span class="o">==</span> <span class="bp">False</span><span class="p">:</span> <span class="n">stats</span> <span class="o">=</span> <span class="n">manager</span><span class="p">.</span><span class="nf">get_run_statistics</span><span class="p">(</span><span class="n">run</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># Enviar por email, Slack, etc. </span> <span class="nf">send_notification</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Run: </span><span class="si">{</span><span class="n">run</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Progress: </span><span class="si">{</span><span class="n">stats</span><span class="p">[</span><span class="sh">'</span><span class="s">pass_rate</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">%</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <h2> 📚 Recursos Adicionales </h2> <h3> 🔗 Enlaces Útiles </h3> <ul> <li>📦 <strong>Repositorio</strong>: <a href="https://github.com/Ankluna72/Gestion-de-pruebas-TestRail-Rosas" rel="noopener noreferrer">GitHub - TestRail Manager</a> </li> <li>📖 <strong>Documentación Completa</strong>: Ver README.md en el repo</li> <li>🐛 <strong>Reportar Issues</strong>: <a href="https://github.com/Ankluna72/Gestion-de-pruebas-TestRail-Rosas/issues" rel="noopener noreferrer">GitHub Issues</a> </li> <li>📘 <strong>TestRail API Docs</strong>: <a href="https://www.gurock.com/testrail/docs/api" rel="noopener noreferrer">Documentación oficial</a> </li> </ul> <h3> 💻 Requisitos </h3> <ul> <li>Python 3.7+</li> <li>TestRail (cuenta con acceso a API)</li> <li> <code>requests</code> &gt;= 2.25.0</li> <li> <code>python-dotenv</code> &gt;= 0.19.0</li> </ul> <h2> 🎯 Próximos Pasos </h2> <p>Estoy trabajando en nuevas características:</p> <ul> <li>[ ] Soporte para attachments en resultados</li> <li>[ ] CLI tool para operaciones comunes</li> <li>[ ] Dashboard web para visualizar métricas</li> <li>[ ] Exportación a PDF/Excel</li> <li>[ ] Webhooks para notificaciones en tiempo real</li> </ul> <h2> 🤝 Contribuciones </h2> <p>¡Las contribuciones son bienvenidas! Si tienes ideas o encuentras bugs:</p> <ol> <li>🍴 Fork el repositorio</li> <li>🔨 Crea tu feature branch</li> <li>✅ Haz commit de tus cambios</li> <li>🚀 Push a la rama</li> <li>📬 Abre un Pull Request</li> </ol> <h2> 💬 Feedback </h2> <p>¿Qué te parece la herramienta? ¿La usarías en tus proyectos? Déjame tus comentarios abajo 👇</p> <p>Si te resultó útil:</p> <ul> <li>⭐ Dale una estrella en GitHub</li> <li>🔄 Compártelo con tu equipo</li> <li>💬 Déjame saber cómo la estás usando</li> </ul> <h2> 📞 Contacto </h2> <ul> <li> <strong>GitHub</strong>: <a href="https://github.com/Ankluna72" rel="noopener noreferrer">@Ankluna72</a> </li> <li> <strong>Proyecto</strong>: <a href="https://github.com/Ankluna72/Gestion-de-pruebas-TestRail-Rosas" rel="noopener noreferrer">TestRail Manager</a> </li> </ul> <h2> 🎬 Conclusión </h2> <p><strong>TestRail Manager</strong> es una herramienta completa que te permite:</p> <p>✅ <strong>Ahorrar tiempo</strong> automatizando tareas repetitivas<br><br> ✅ <strong>Mejorar la calidad</strong> con mejor trazabilidad<br><br> ✅ <strong>Integrar</strong> TestRail en tu pipeline de CI/CD<br><br> ✅ <strong>Generar reportes</strong> automáticos y detallados </p> <p>¿Listo para automatizar tu gestión de pruebas? 🚀</p> <p>👉 <strong><a href="https://github.com/Ankluna72/Gestion-de-pruebas-TestRail-Rosas" rel="noopener noreferrer">Prueba TestRail Manager ahora</a></strong></p> <p><strong>Tags:</strong> #testing #python #automation #testrail #qa #devops #cicd #pytest #selenium</p> <p><em>Desarrollado con ❤️ para la comunidad de QA</em></p> testing python automation testrail [Boost] JEFFERSON ROSAS CHAMBILLA Fri, 17 Oct 2025 02:08:35 +0000 https://dev.to/jefferson_rosas/-4j9o https://dev.to/jefferson_rosas/-4j9o <div class="ltag__link"> <a href="/jefferson_rosas" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3525228%2Fe40c364f-086f-4737-a797-4b39b61c13fb.png" alt="jefferson_rosas"> </div> </a> <a href="https://dev.to/jefferson_rosas/applying-postman-for-api-testing-real-world-examples-11p2" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Applying Postman for API Testing: Real-World Examples</h2> <h3>JEFFERSON ROSAS CHAMBILLA ・ Oct 17</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#webdev</span> </div> </div> </a> </div> webdev Applying Postman for API Testing: Real-World Examples JEFFERSON ROSAS CHAMBILLA Fri, 17 Oct 2025 01:57:20 +0000 https://dev.to/jefferson_rosas/applying-postman-for-api-testing-real-world-examples-11p2 https://dev.to/jefferson_rosas/applying-postman-for-api-testing-real-world-examples-11p2 <h1> Applying Postman for API Testing: Real-World Examples </h1> <p>API testing is a critical part of modern software development, ensuring that APIs are reliable, performant, and secure. Among the top tools for API testing in 2022, Postman stands out for its user-friendly interface and robust features, making it ideal for both beginners and experienced testers. In this article, we’ll explore how to apply Postman as an API testing framework, with real-world code examples to demonstrate its power. This is inspired by insights from <a href="https://alicealdaine.medium.com/top-10-api-testing-tools-rest-soap-services-5395cb03cfa9" rel="noopener noreferrer">Alice Aldaine’s article on API testing tools</a>.</p> <h2> Why Postman? </h2> <p>Postman is a versatile tool that supports REST API testing without requiring extensive coding knowledge. Its key features include:</p> <ul> <li> <strong>Ease of Use</strong>: A rich interface for creating and managing API requests.</li> <li> <strong>Automation</strong>: Supports automated testing with JavaScript-based scripts.</li> <li> <strong>Integrations</strong>: Works with Swagger, RAML, and CI/CD pipelines.</li> <li> <strong>Collaboration</strong>: Allows teams to share collections of requests and responses.</li> </ul> <p>Whether you’re testing a public API or building your own, Postman simplifies the process. Let’s dive into real-world examples to see it in action.</p> <h2> Setting Up Postman </h2> <p>To get started, download Postman from <a href="https://www.getpostman.com/" rel="noopener noreferrer">getpostman.com</a> and install it on your system (Mac, Windows, or Linux). The free tier is sufficient for most testing needs, though paid plans ($12/user/month) offer advanced collaboration features.</p> <p>Once installed, create a new <strong>Collection</strong> to organize your API requests. For this article, we’ll test the <a href="https://jsonplaceholder.typicode.com/" rel="noopener noreferrer">JSONPlaceholder API</a>, a free fake API for testing.</p> <h2> Real-World Example 1: Testing a GET Request </h2> <p>Let’s test a GET request to retrieve a list of users from JSONPlaceholder.</p> <ol> <li> <p><strong>Create a Request</strong>:</p> <ul> <li>In Postman, click <strong>New</strong> &gt; <strong>Request</strong>.</li> <li>Name it “Get Users” and save it to your collection.</li> <li>Set the request URL to <code>https://jsonplaceholder.typicode.com/users</code>.</li> </ul> </li> <li> <p><strong>Send the Request</strong>:</p> <ul> <li>Click <strong>Send</strong> to execute the GET request.</li> <li>You should see a JSON response with a list of user objects.</li> </ul> </li> <li><p><strong>Add Tests</strong>:<br> Postman allows you to write JavaScript test scripts to validate responses. In the <strong>Tests</strong> tab of the request, add the following script:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Status code is 200</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="p">});</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Response contains users</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">jsonData</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">be</span><span class="p">.</span><span class="nf">an</span><span class="p">(</span><span class="dl">'</span><span class="s1">array</span><span class="dl">'</span><span class="p">).</span><span class="nx">that</span><span class="p">.</span><span class="nx">is</span><span class="p">.</span><span class="nx">not</span><span class="p">.</span><span class="nx">empty</span><span class="p">;</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">[</span><span class="mi">0</span><span class="p">]).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">'</span><span class="s1">name</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>This script checks:</p> <ul> <li>The response status is 200 (OK).</li> <li>The response is a non-empty array.</li> <li>The first user object has a <code>name</code> property.</li> </ul> <ol> <li> <strong>Run the Test</strong>: <ul> <li>Send the request again. The <strong>Test Results</strong> tab will show the test outcomes (e.g., “2/2 tests passed”).</li> </ul> </li> </ol> <p>This example is typical in real-world scenarios where you verify that an API returns expected data structures, such as user lists in a social media app.</p> <h2> Real-World Example 2: Testing a POST Request </h2> <p>Now, let’s test creating a new post, simulating a scenario where a user submits content to a blog platform.</p> <ol> <li> <strong>Create a POST Request</strong>: <ul> <li>Create a new request named “Create Post”.</li> <li>Set the method to <strong>POST</strong> and the URL to <code>https://jsonplaceholder.typicode.com/posts</code>.</li> <li>In the <strong>Body</strong> tab, select <strong>raw</strong> and <strong>JSON</strong>, then add: </li> </ul> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"My New Post"</span><span class="p">,</span><span class="w"> </span><span class="nl">"body"</span><span class="p">:</span><span class="w"> </span><span class="s2">"This is a test post created via Postman."</span><span class="p">,</span><span class="w"> </span><span class="nl">"userId"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li> <strong>Add Tests</strong>: In the <strong>Tests</strong> tab, add: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Status code is 201</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">);</span> <span class="p">});</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Response contains post details</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">jsonData</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">.</span><span class="nx">title</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nf">equal</span><span class="p">(</span><span class="dl">"</span><span class="s2">My New Post</span><span class="dl">"</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">.</span><span class="nx">body</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nf">equal</span><span class="p">(</span><span class="dl">"</span><span class="s2">This is a test post created via Postman.</span><span class="dl">"</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">.</span><span class="nx">userId</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nf">equal</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>This validates that the API creates a new post with the correct data and returns a 201 (Created) status.</p> <ol> <li> <strong>Run and Verify</strong>: <ul> <li>Send the request and check the <strong>Test Results</strong>. The API will return the posted data with a new <code>id</code>.</li> </ul> </li> </ol> <p>This mirrors real-world use cases like submitting user-generated content to a CMS or e-commerce platform.</p> <h2> Real-World Example 3: Automating Tests with Collections </h2> <p>In a CI/CD pipeline, you might want to automate multiple API tests. Postman’s <strong>Collection Runner</strong> makes this easy.</p> <ol> <li> <p><strong>Create a Collection</strong>:</p> <ul> <li>Add the “Get Users” and “Create Post” requests to a collection named “JSONPlaceholder Tests”.</li> </ul> </li> <li> <p><strong>Run the Collection</strong>:</p> <ul> <li>Open the <strong>Collection Runner</strong>, select your collection, and click <strong>Run</strong>.</li> <li>Postman executes all requests sequentially and displays test results.</li> </ul> </li> <li> <p><strong>Export for CI/CD</strong>:</p> <ul> <li>Export the collection as a JSON file.</li> <li>Use Newman (Postman’s CLI tool) to run it in a CI pipeline. Install Newman via npm: </li> </ul> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> npm <span class="nb">install</span> <span class="nt">-g</span> newman </code></pre> </div> <ul> <li>Run the collection: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> newman run JSONPlaceholder_Tests.json </code></pre> </div> <p>This is invaluable for teams integrating API tests into Jenkins or GitHub Actions, ensuring APIs are tested with every code change.</p> <h2> Embedding Rich Content </h2> <p>To visualize the power of Postman, check out this quick demo:</p> <p> <iframe src="https://www.youtube.com/embed/8aV5AxRlmh0"> </iframe> </p> <p>This YouTube video shows Postman’s interface and basic request setup, complementing our examples.</p> <h2> Conclusion </h2> <p>Postman is a powerful, accessible framework for API testing, suitable for both manual and automated workflows. Its scripting capabilities, collection management, and CI/CD integration make it a go-to choice for real-world API testing. As noted in <a href="https://alicealdaine.medium.com/top-10-api-testing-tools-rest-soap-services-5395cb03cfa9" rel="noopener noreferrer">Alice Aldaine’s article</a>, Postman’s ease of use and lack of required coding knowledge make it ideal for diverse teams.</p> <p>Try Postman with your own APIs, and explore its advanced features like mock servers and monitoring to take your testing to the next level. Happy testing!</p> <h2> References </h2> <ul> <li><a href="https://alicealdaine.medium.com/top-10-api-testing-tools-rest-soap-services-5395cb03cfa9" rel="noopener noreferrer">Top 15 API Testing Tools in 2022 by Alice Aldaine</a></li> <li><a href="https://www.getpostman.com/" rel="noopener noreferrer">Postman Official Website</a></li> <li><a href="https://jsonplaceholder.typicode.com/" rel="noopener noreferrer">JSONPlaceholder API</a></li> </ul> webdev Applying Bandit SAST Tool to Secure Python Applications JEFFERSON ROSAS CHAMBILLA Wed, 24 Sep 2025 00:26:03 +0000 https://dev.to/jefferson_rosas/applying-bandit-sast-tool-to-secure-python-applications-3ci2 https://dev.to/jefferson_rosas/applying-bandit-sast-tool-to-secure-python-applications-3ci2 <h2> Why Bandit for Python Security? </h2> <p>Bandit is an open-source SAST tool developed by the OpenStack Security Project that specializes in analyzing Python code for common security issues. It's particularly valuable because:</p> <ul> <li> <strong>Python-specific analysis</strong> - Understands Python idioms and common patterns</li> <li> <strong>Plugin-based architecture</strong> - Extensible with custom checks</li> <li> <strong>CI/CD friendly</strong> - Designed for automation</li> <li> <strong>Zero cost</strong> - Completely free and open-source</li> </ul> <h3> Common Vulnerabilities Bandit Detects </h3> <ul> <li><strong>SQL injection vulnerabilities</strong></li> <li><strong>Shell injection risks</strong></li> <li><strong>Hardcoded passwords and secrets</strong></li> <li><strong>Use of insecure modules</strong></li> <li><strong>Input validation issues</strong></li> <li><strong>Information disclosure risks</strong></li> </ul> <h2> Hands-On: Implementing Bandit </h2> <h3> Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install using pip</span> pip <span class="nb">install </span>bandit <span class="c"># Or install from source</span> git clone https://github.com/PyCQA/bandit.git <span class="nb">cd </span>bandit pip <span class="nb">install</span> <span class="nb">.</span> </code></pre> </div> <h3> Basic Usage </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan a single file</span> bandit my_script.py <span class="c"># Scan an entire directory</span> bandit <span class="nt">-r</span> my_project/ <span class="c"># Generate HTML report</span> bandit <span class="nt">-r</span> my_project/ <span class="nt">-f</span> html <span class="nt">-o</span> report.html <span class="c"># Scan with specific security level</span> bandit <span class="nt">-r</span> my_project/ <span class="nt">-l</span> high </code></pre> </div> <h3> Sample Vulnerable Python Code </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># vulnerable_app.py </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">pickle</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="kn">import</span> <span class="n">sqlite3</span> <span class="k">def</span> <span class="nf">process_user_input</span><span class="p">():</span> <span class="c1"># Vulnerability: Code injection </span> <span class="n">user_input</span> <span class="o">=</span> <span class="nf">input</span><span class="p">(</span><span class="sh">"</span><span class="s">Enter command: </span><span class="sh">"</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="n">user_input</span><span class="p">)</span> <span class="c1"># B602: subprocess_popen_with_shell_equals_true </span> <span class="k">def</span> <span class="nf">database_operations</span><span class="p">():</span> <span class="c1"># Vulnerability: SQL injection </span> <span class="n">username</span> <span class="o">=</span> <span class="nf">input</span><span class="p">(</span><span class="sh">"</span><span class="s">Enter username: </span><span class="sh">"</span><span class="p">)</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sh">'</span><span class="s">users.db</span><span class="sh">'</span><span class="p">)</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">SELECT * FROM users WHERE username = </span><span class="sh">'</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">'"</span><span class="p">)</span> <span class="c1"># B608: hardcoded_sql_expressions </span> <span class="k">def</span> <span class="nf">data_deserialization</span><span class="p">():</span> <span class="c1"># Vulnerability: Insecure deserialization </span> <span class="n">data</span> <span class="o">=</span> <span class="nf">input</span><span class="p">(</span><span class="sh">"</span><span class="s">Enter serialized data: </span><span class="sh">"</span><span class="p">)</span> <span class="n">obj</span> <span class="o">=</span> <span class="n">pickle</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">data</span><span class="p">.</span><span class="nf">encode</span><span class="p">())</span> <span class="c1"># B301: blacklist </span></code></pre> </div> <h3> Running Bandit Scan </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bandit <span class="nt">-r</span> vulnerable_app.py <span class="nt">-f</span> txt </code></pre> </div> <h3> Sample Bandit Output </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Results generated: &gt;&gt; Issue: [B602:subprocess_popen_with_shell_equals_true] Using subprocess with shell=True Severity: High Confidence: High Location: vulnerable_app.py:8 More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b602-subprocess-popen-with-shell-equals-true 7 user_input = input("Enter command: ") 8 os.system(user_input) &gt;&gt; Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction. Severity: Medium Confidence: Medium Location: vulnerable_app.py:15 15 cursor.execute(f"SELECT * FROM users WHERE username = '{username}'") &gt;&gt; Issue: [B301:blacklist] Use of unsafe deserialization function. Severity: High Confidence: High Location: vulnerable_app.py:20 20 obj = pickle.loads(data.encode()) </code></pre> </div> <h2> Advanced Bandit Configuration </h2> <h3> Custom Configuration File </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># bandit.yml</span> <span class="na">exclude_dirs</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">tests'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">venv'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">migrations'</span><span class="pi">]</span> <span class="na">skips</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">B101'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">B102'</span><span class="pi">]</span> <span class="na">tests</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">B301'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">B302'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">B601'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">B602'</span><span class="pi">]</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">src/</span> <span class="pi">-</span> <span class="s">app/</span> <span class="na">output_format</span><span class="pi">:</span> <span class="s">json</span> <span class="na">verbose</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h3> Using Configuration File </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bandit <span class="nt">-c</span> bandit.yml <span class="nt">-r</span> my_project/ </code></pre> </div> <h3> CI/CD Integration (GitHub Actions) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Security Scan with Bandit</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">security-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Python</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.9'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Bandit</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pip install bandit</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Bandit Security Scan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">bandit -r . -f json -o bandit-report.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload Bandit Report</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">bandit-report</span> <span class="na">path</span><span class="pi">:</span> <span class="s">bandit-report.json</span> </code></pre> </div> <h2> Bandit Test Types and Severity Levels </h2> <h3> Severity Levels </h3> <ul> <li> <strong>Low</strong>: Code quality issues, minor security concerns</li> <li> <strong>Medium</strong>: Potential security vulnerabilities</li> <li> <strong>High</strong>: Critical security vulnerabilities</li> </ul> <h3> Common Test IDs </h3> <ul> <li> <strong>B1xx</strong>: Various general tests</li> <li> <strong>B2xx</strong>: Application/framework-specific issues</li> <li> <strong>B3xx</strong>: Blacklisted imports and functions</li> <li> <strong>B4xx</strong>: Using insecure random generators</li> <li> <strong>B5xx</strong>: SSL/TLS issues</li> <li> <strong>B6xx</strong>: Shell injection vulnerabilities</li> <li> <strong>B7xx</strong>: Pickle and YAML deserialization</li> </ul> <h2> Custom Bandit Plugins </h2> <h3> Creating Custom Tests </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># custom_checks.py </span><span class="kn">import</span> <span class="n">bandit</span> <span class="kn">from</span> <span class="n">bandit.core</span> <span class="kn">import</span> <span class="n">test_properties</span> <span class="k">as</span> <span class="n">test</span> <span class="nd">@test.checks</span><span class="p">(</span><span class="sh">'</span><span class="s">Call</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@test.test_id</span><span class="p">(</span><span class="sh">'</span><span class="s">B901</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">hardcoded_api_key</span><span class="p">(</span><span class="n">context</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Check for hardcoded API keys</span><span class="sh">"""</span> <span class="n">suspicious_strings</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">api_key</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">secret_key</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">]</span> <span class="k">if</span> <span class="n">context</span><span class="p">.</span><span class="n">call_function_name_qual</span> <span class="ow">in</span> <span class="n">suspicious_strings</span><span class="p">:</span> <span class="k">return</span> <span class="n">bandit</span><span class="p">.</span><span class="nc">Issue</span><span class="p">(</span> <span class="n">severity</span><span class="o">=</span><span class="n">bandit</span><span class="p">.</span><span class="n">HIGH</span><span class="p">,</span> <span class="n">confidence</span><span class="o">=</span><span class="n">bandit</span><span class="p">.</span><span class="n">MEDIUM</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="sh">"</span><span class="s">Potential hardcoded API key detected</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <h3> Using Custom Plugins </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bandit <span class="nt">-r</span> my_project/ <span class="nt">-p</span> custom_checks.py </code></pre> </div> <h2> Best Practices for Bandit Implementation </h2> <h3> 1. Integrate Early in Development </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Pre-commit hook example</span> <span class="c"># .git/hooks/pre-commit</span> <span class="c">#!/bin/bash</span> bandit <span class="nt">-r</span> <span class="nb">.</span> <span class="nt">-l</span> high <span class="nt">-i</span> </code></pre> </div> <h3> 2. Regular Scheduled Scans </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions scheduled scan</span> <span class="na">on</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cron</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0</span><span class="nv"> </span><span class="s">2</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">1'</span> <span class="c1"># Weekly scan</span> </code></pre> </div> <h3> 3. Baseline Establishment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Establish baseline ignoring existing issues</span> bandit <span class="nt">-r</span> <span class="nb">.</span> <span class="nt">--baseline</span> baseline.json </code></pre> </div> <h3> 4. Quality Gates </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fail build on high severity issues</span> bandit <span class="nt">-r</span> <span class="nb">.</span> <span class="nt">-l</span> high <span class="nt">--exit-zero</span> </code></pre> </div> <h2> Limitations and Considerations </h2> <p>While Bandit is powerful, it's important to understand its limitations:</p> <ul> <li> <strong>Static analysis only</strong> - Cannot detect runtime issues</li> <li> <strong>Python-specific</strong> - Only works with Python code</li> <li> <strong>Pattern-based</strong> - May produce false positives/negatives</li> <li> <strong>No data flow analysis</strong> - Limited context awareness</li> </ul> <h2> Conclusion </h2> <p>Bandit provides an excellent open-source SAST solution for Python applications. Its ease of use, comprehensive vulnerability detection, and seamless CI/CD integration make it an essential tool for any Python developer concerned with security.</p> <p>By implementing Bandit in your development workflow, you can catch common security issues early, reduce remediation costs, and build more secure Python applications.</p> appsec devsecops bandit cybersecurity 🔍 Applying Flawfinder: A Lightweight SAST Tool to Secure C/C++ Codebases JEFFERSON ROSAS CHAMBILLA Tue, 23 Sep 2025 21:59:34 +0000 https://dev.to/jefferson_rosas/applying-flawfinder-a-lightweight-sast-tool-to-secure-cc-codebases-p50 https://dev.to/jefferson_rosas/applying-flawfinder-a-lightweight-sast-tool-to-secure-cc-codebases-p50 <p><strong>Introduction: Why SAST for C/C++?</strong></p> <p>Static Application Security Testing (SAST) is a foundational practice in modern secure software development. Unlike dynamic or runtime analysis, SAST examines source code without executing it, identifying vulnerabilities early in the development lifecycle when they are cheapest and easiest to fix.</p> <p>While enterprise-grade tools often dominate the conversation, lightweight, open-source alternatives like <strong>Flawfinder</strong> offer tremendous value. This is especially true for teams working with C/C++, embedded systems, or legacy codebases where simplicity, speed, and zero cost are critical.</p> <p>In this article, we'll apply Flawfinder to a sample C++ program, interpret its findings, and discuss how to integrate it into a development workflow.</p> <p><strong>Why Flawfinder?</strong></p> <p>Flawfinder is a command-line static analysis tool designed specifically for C and C++. Created by David A. Wheeler, it scans source code for calls to functions known to be risky (like <code>strcpy</code>, <code>gets</code>, <code>sprintf</code>) which commonly lead to:</p> <ul> <li> <strong>Buffer overflows (CWE-120)</strong> </li> <li> <strong>Format string vulnerabilities (CWE-134)</strong> </li> <li> <strong>Command injection (CWE-78)</strong> </li> </ul> <p>Instead of performing complex abstract syntax tree (AST) analysis, Flawfinder uses simple but effective pattern-matching against a curated database of dangerous function calls. This makes it:</p> <p>✅ <strong>Blazingly fast</strong> - Scans thousands of lines of code in seconds.<br> ✅ <strong>Lightweight</strong> - No compilation or complex setup required.<br> ✅ <strong>Free and Open-Source</strong> - No licensing fees.<br> ✅ <strong>Beginner-friendly</strong> - Easy to install and interpret results.</p> <p>And as requested, it's <strong>not</strong> SonarQube, Snyk, Semgrep, or Veracode.</p> <p><strong>Hands-On: Scanning a C++ Project</strong></p> <p><strong>Step 1: Installation</strong></p> <p>Installing Flawfinder is straightforward. It's available via package managers for most Linux distributions and macOS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># On Ubuntu/Debian</span> <span class="nb">sudo </span>apt-get <span class="nb">install </span>flawfinder <span class="c"># On macOS using Homebrew</span> brew <span class="nb">install </span>flawfinder <span class="c"># Using pip (Python Package Manager)</span> pip <span class="nb">install </span>flawfinder </code></pre> </div> <p>Verify the installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>flawfinder <span class="nt">--version</span> </code></pre> </div> <p><strong>Step 2: Create a Sample C++ File to Scan</strong></p> <p>Let's create a simple C++ file (<code>vulnerable_example.cpp</code>) that contains some common security pitfalls. This will give Flawfinder something interesting to report.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="c1">// vulnerable_example.cpp</span> <span class="cp">#include</span> <span class="cpf">&lt;iostream&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;cstring&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;cstdio&gt;</span><span class="cp"> </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">src</span><span class="p">[</span><span class="mi">10</span><span class="p">]</span> <span class="o">=</span> <span class="s">"Hello"</span><span class="p">;</span> <span class="kt">char</span> <span class="n">dest</span><span class="p">[</span><span class="mi">5</span><span class="p">];</span> <span class="c1">// Oops! Too small.</span> <span class="c1">// 1. Risky function: strcpy (potential buffer overflow)</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">dest</span><span class="p">,</span> <span class="n">src</span><span class="p">);</span> <span class="c1">// 2. Risky function: sprintf (potential buffer overflow)</span> <span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">10</span><span class="p">];</span> <span class="n">sprintf</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="s">"The number is %d"</span><span class="p">,</span> <span class="mi">42</span><span class="p">);</span> <span class="c1">// 3. Risky function: gets (extremely dangerous)</span> <span class="c1">// char input[50];</span> <span class="c1">// gets(input); // Uncommenting this would be a major flaw!</span> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">"Dest: "</span> <span class="o">&lt;&lt;</span> <span class="n">dest</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">cout</span> <span class="o">&lt;&lt;</span> <span class="s">"Buffer: "</span> <span class="o">&lt;&lt;</span> <span class="n">buffer</span> <span class="o">&lt;&lt;</span> <span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Step 3: Run the Scan</strong></p> <p>Navigate to the directory containing your source file and run Flawfinder. You can point it to a single file or an entire directory.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan a single file</span> flawfinder vulnerable_example.cpp <span class="c"># Scan the current directory and all subdirectories</span> flawfinder ./ </code></pre> </div> <p><strong>Step 4: Interpreting the Results</strong></p> <p>Flawfinder's output is color-coded and ranked by risk level (0-5, where 5 is the most severe). Here's what you might see for our example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 220 Examining vulnerable_example.cpp vulnerable_example.cpp:10: [4] (buffer) strcpy: Does not check for buffer overflows when copying to destination (CWE-120). Consider using strncpy or snprintf. vulnerable_example.cpp:14: [4] (buffer) sprintf: Does not check for buffer overflows when writing to destination (CWE-120). Use snprintf or vsnprintf instead. vulnerable_example.cpp:18: [5] (buffer) gets: This function is extremely dangerous because it may overflow the calling buffer. It is obsoleted by ISO/IEC 9899:1999 (C99) and should never be used. Use fgets() instead. FINAL RESULTS: Hits = 3 Lines analyzed = 20 in 0.1 seconds (200 lines/second) 3 Physical Source Lines of Code (SLOC) = 20 Hits@level = [0] 0 [1] 0 [2] 0 [3] 0 [4] 2 [5] 1 Hits@level+ = [0+] 3 [1+] 3 [2+] 3 [3+] 3 [4+] 3 [5+] 1 </code></pre> </div> <p><strong>Key takeaways from the report:</strong></p> <ul> <li> <strong>Location:</strong> Each finding shows the file and line number.</li> <li> <strong>Risk Level:</strong> <code>[4]</code> and <code>[5]</code> indicate high-severity issues.</li> <li> <strong>Description:</strong> A brief explanation of the risk and the associated CWE.</li> <li> <strong>Recommendation:</strong> Suggests safer alternative functions.</li> </ul> <p><strong>Integrating Flawfinder into Your Workflow</strong></p> <p>To move beyond one-off scans, you can integrate Flawfinder directly into your development process.</p> <p><strong>1. Make it Part of Your CI/CD Pipeline (e.g., GitHub Actions)</strong></p> <p>You can create a simple GitHub Action to run Flawfinder on every push or pull request. Create a file in your repo at <code>.github/workflows/flawfinder.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">SAST with Flawfinder</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Flawfinder</span> <span class="na">run</span><span class="pi">:</span> <span class="s">sudo apt-get install -y flawfinder</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Flawfinder</span> <span class="na">run</span><span class="pi">:</span> <span class="s">flawfinder --sarflib ./</span> </code></pre> </div> <p>This will output the results in SARIF format, which GitHub can natively display in the "Security" tab.</p> <p><strong>2. Customizing Scans with Command-Line Options</strong></p> <p>Flawfinder offers several options to tailor the output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Only show high-risk issues (level 4 and 5)</span> flawfinder <span class="nt">--minlevel</span> 4 ./ <span class="c"># Generate a HTML report</span> flawfinder <span class="nt">--html</span> <span class="nt">--output</span> results.html ./ <span class="c"># Suppress specific known issues (e.g., a false positive on line 10)</span> flawfinder <span class="nt">--falsepositive</span> vulnerable_example.cpp:10 </code></pre> </div> <p><strong>Limitations and Considerations</strong></p> <p>While Flawfinder is excellent for catching known dangerous patterns, it's important to understand its limitations:</p> <ul> <li> <strong>False Positives:</strong> Pattern-matching can flag safe usage of functions</li> <li> <strong>Limited Scope:</strong> Only finds issues related to its built-in database</li> <li> <strong>No Data Flow Analysis:</strong> Cannot track variables across complex function calls</li> </ul> <p>For mission-critical projects, consider using Flawfinder alongside more advanced tools like Clang Static Analyzer or commercial solutions.</p> <p><strong>Conclusion: Flawfinder's Place in Your Toolbox</strong></p> <p>Flawfinder is not a silver bullet. Its pattern-matching approach can produce false positives and it won't catch complex logical flaws. However, as a fast, free, and focused tool, it is incredibly effective at what it does: <strong>catching obvious yet dangerous function calls in C/C++ code.</strong></p> <p>It serves as an excellent first line of defense, especially for developers new to secure coding practices. By integrating it early and often, you can prevent well-known vulnerability classes from ever reaching production.</p> flawfinder cybersecurity appsec devsecops