DEV Community: Juan Brendon Luna Juarez

Applying API Testing Frameworks: Real-World Example with REST Assured for a Product Service

Juan Brendon Luna Juarez — Sun, 06 Jul 2025 00:53:10 +0000

Applying API Testing Frameworks: Real-World Example with REST Assured for a Product Service

APIs are the backbone of many modern applications, enabling communication between different systems and services. Therefore, ensuring that an API works correctly is crucial for software quality. In this article, we will explore how to apply the REST Assured framework to automate tests on a RESTful service that manages products.

What is REST Assured?

REST Assured is a Java-based testing framework designed to simplify testing of RESTful APIs. Its fluent syntax allows writing readable and expressive tests that validate HTTP responses, JSON or XML bodies, headers, and more. It integrates easily with testing frameworks like JUnit or TestNG, making it ideal for continuous integration pipelines.

Key Advantages of REST Assured

Intuitive and expressive syntax.
Easy validation of status codes, headers, and response bodies.
Support for authentication, parameters, and various HTTP methods.
Integration with common Java tools.
Active community and good documentation.

Limitations

Requires basic knowledge of Java.
No graphical user interface; tests are written in code.

Case Study: Product Management API

Imagine we work with an API that manages a product catalog for an online store. The API includes several endpoints, such as:

GET /products/{id}: Retrieves information about a specific product.
POST /products: Creates a new product.
PUT /products/{id}: Updates an existing product.
DELETE /products/{id}: Deletes a product.

In this article, we will focus on testing the GET /products/{id} endpoint to ensure it returns correct information and meets expected standards.

Testing Objectives

We want to validate that:

The HTTP response status code is 200 when the product exists.
The JSON body contains the fields id, name, price, category, and inStock.
The name field is a non-empty string.
The price field is a positive number.
The category field belongs to a predefined list of valid categories.
The inStock field is a boolean.
The Content-Type header is application/json.

REST Assured Test Code Example

Below is a complete Java example using REST Assured and JUnit to validate the endpoint:

import static io.restassured.RestAssured.;
import static org.hamcrest.Matchers.;
import org.junit.BeforeClass;
import org.junit.Test;

public class ProductApiTest {

@BeforeClass
public static void setup() {
baseURI = "https://api.example-store.com";
}

@test
public void testGetProductById_ValidProduct() {
int productId = 101;

given()
    .pathParam("id", productId)
.when()
    .get("/products/{id}")
.then()
    .statusCode(200)
    .contentType("application/json")
    .body("id", equalTo(productId))
    .body("name", allOf(notNullValue(), not(isEmptyString())))
    .body("price", greaterThan(0.0f))
    .body("category", isOneOf("Electronics", "Books", "Clothing", "Home", "Sports"))
    .body("inStock", anyOf(equalTo(true), equalTo(false)));

}

@test
public void testGetProductById_ProductNotFound() {
int invalidProductId = 99999;

given()
    .pathParam("id", invalidProductId)
.when()
    .get("/products/{id}")
.then()
    .statusCode(404)
    .body("error", equalTo("Product not found"));

}
}

Detailed Explanation

@BeforeClass and baseURI: Sets up the base URI for all requests.
testGetProductById_ValidProduct():
- Uses pathParam to inject the product ID into the URL.
- Validates the status code is 200.
- Confirms the Content-Type header is application/json.
- Checks that the id field in the response matches the requested ID.
- Ensures the name field is neither null nor empty.
- Validates that the price is a positive number.
- Verifies the category is one of the allowed values.
- Confirms inStock is a boolean value (true or false).
testGetProductById_ProductNotFound():
- Tests with an invalid product ID to ensure the API returns a 404 status and an appropriate error message.

Why Use REST Assured?

REST Assured allows you to automate API tests easily and robustly, with a clear syntax that promotes maintainable code. By integrating with JUnit, you can run these tests within CI/CD pipelines to ensure continuous software quality.

Recommended Next Steps

Extend tests to other endpoints (POST, PUT, DELETE).
Add validations for authentication and authorization.
Integrate with automated reporting tools to visualize results.
Combine with mocking tools for isolated testing environments.

Comparative Study: GitHub Actions vs GitLab Pipelines for Automated Testing

Juan Brendon Luna Juarez — Fri, 04 Jul 2025 14:32:06 +0000

🧪 Introducción

La automatización de pruebas es un pilar fundamental en el desarrollo de software moderno. Las pipelines de Integración Continua y Entrega Continua (CI/CD) permiten a los equipos entregar código de calidad de forma más rápida, automatizando la ejecución de pruebas y despliegues.

En este artículo, compararemos dos herramientas populares de CI/CD: GitHub Actions y GitLab Pipelines, centrándonos en cómo gestionan los flujos de trabajo de pruebas. Analizaremos su sintaxis, estructura, fortalezas y presentaremos ejemplos prácticos con repositorios públicos.

⚙️ Visión General de Cada Herramienta

🔵 GitHub Actions

GitHub Actions es una herramienta de CI/CD integrada nativamente en GitHub, que permite automatizar flujos de trabajo directamente desde los repositorios mediante archivos de configuración en YAML.

Ventajas:

Integración nativa con GitHub
Gran comunidad y marketplace de acciones predefinidas
Fácil activación mediante eventos en GitHub (push, pull request, etc.)

Desventajas:

Paralelismo limitado en el plan gratuito
Interfaz menos flexible para pipelines complejas

🟣 GitLab Pipelines

GitLab CI/CD está profundamente integrado en GitLab y ofrece funcionalidades avanzadas como entornos, runners personalizados y flujos de trabajo complejos.

Ventajas:

Interfaz potente y altamente flexible
Registro Docker integrado
Repositorios privados con CI/CD gratuitos

Desventajas:

Curva de aprendizaje más pronunciada
Minutos de CI limitados en el plan gratuito

🧰 Ejemplos Prácticos de Código

🧪 Ejemplo con GitHub Actions

.github/workflows/test.yml
name: Run Tests

on: [push, pull_request]

jobs:
test:
runs-on: ubuntu-latest
steps:

uses: actions/checkout@v3
name: Set up Node.js uses: actions/setup-node@v3 with: node-version: '18'
run: npm install
run: npm test

text

🧪 Ejemplo con GitLab Pipelines

.gitlab-ci.yml
stages:

test

test_job:
image: node:18
stage: test
script:

npm install
npm test

text

🔍 Comparativa Detallada

Aspecto	GitHub Actions	GitLab Pipelines
Configuración	Múltiples archivos YAML en `.github/workflows`	Archivo único `.gitlab-ci.yml`
Integración	Nativa con GitHub y su ecosistema	Integración completa en GitLab (issues, merge, etc.)
Flexibilidad de flujo	Modelo basado en eventos, fácil para flujos dinámicos	Soporta pipelines complejos con múltiples etapas y dependencias
Marketplace / Runners	Amplio marketplace de acciones predefinidas	Runners personalizables, registro Docker integrado
Curva de aprendizaje	Más sencillo para empezar	Requiere mayor conocimiento para configuraciones avanzadas
Paralelismo	Soporta matrix builds y trabajos paralelos	Soporta ejecución paralela y condicional

🧪 Conclusión

Ambas herramientas son poderosas para implementar CI/CD y automatizar pruebas, pero su elección dependerá del contexto y necesidades del equipo:

GitHub Actions destaca por su integración nativa con GitHub, su modelo flexible basado en eventos y la facilidad para comenzar rápidamente con flujos simples o medianamente complejos.
GitLab Pipelines ofrece una solución más robusta para pipelines complejos, con mayor control sobre etapas, dependencias y despliegues, ideal para equipos que buscan una plataforma DevOps integral.

En cualquier caso, la automatización de pruebas dentro de CI/CD acelera la entrega de software de calidad, reduce errores manuales y mejora la colaboración, siendo una práctica esencial en el desarrollo moderno.

Si quieres profundizar en algún aspecto o necesitas más ejemplos, no dudes en dejar un comentario.

Detecting Infrastructure Misconfigurations Using CoGuard: SAST for Terraform and IaC

Juan Brendon Luna Juarez — Wed, 30 Apr 2025 05:17:55 +0000

Introduction

Infrastructure as Code (IaC) is a modern approach to provisioning cloud infrastructure using tools like Terraform, Pulumi, or OpenTofu. These technologies improve scalability, repeatability, and automation—but they can also introduce security risks if the code is misconfigured. For example, exposing an S3 bucket to the public or disabling encryption can lead to serious data breaches.

This article introduces CoGuard, a Static Application Security Testing (SAST) tool designed specifically to analyze configuration files used in infrastructure code. We’ll demonstrate how to scan Terraform code, interpret results, and automate the scanning process in a CI/CD workflow.

What is CoGuard?

CoGuard is a command-line static analysis tool for infrastructure configuration security. It detects insecure defaults and misconfigurations before deployment, aligning its findings with security frameworks like:

CIS Benchmarks
OWASP Cloud-Native Top 10
Internal security policies

It supports a variety of IaC and system configuration formats, including:

Terraform
Kubernetes YAML
Dockerfiles
CloudFormation
Apache/Nginx configs
PostgreSQL, MySQL
SSH, Linux services

Unlike general-purpose SAST tools that analyze source code for logic flaws, CoGuard focuses on infrastructure and system-level misconfigurations, such as weak ACLs, missing encryption, and open network ports.

Key Features

Scans entire directories for misconfigured infrastructure files
Highlights issues with severity levels and remediation advice
Maps findings to recognized security standards (e.g., CIS, OWASP)
Produces detailed reports in terminal or SARIF format
Integrates with CI/CD tools like GitHub Actions or GitLab CI

Installation and First Scan

Step 1: Pull the Docker image

docker pull coguard/coguard-cli

Step 2: Run the scan on your Terraform project

Make sure you're inside your Terraform project directory and run:

docker run --rm -v $(pwd):/mnt coguard/coguard-cli scan /mnt

This command mounts your local project and scans all infrastructure configuration files inside it. CoGuard will return a report showing any misconfigurations, their severity, and remediation advice.

If you prefer a graphical user interface, you can also use CoGuard’s web platform to upload and analyze configuration files.

Example: Vulnerable Terraform Code

Here is a deliberately insecure main.tf file:

resource "aws_s3_bucket" "example" {
  bucket = "open-bucket"
  acl    = "public-read"
}

What CoGuard detects:

Public access: The ACL public-read makes the bucket accessible to anyone.
No encryption: There's no encryption configuration for data at rest.
Missing versioning: There’s no versioning policy enabled.

These issues are reported with their severity and are mapped to standards like the CIS AWS Foundations Benchmark v1.4 and OWASP Cloud-Native Application Security Top 10.

CI/CD Integration

You can integrate CoGuard into your deployment workflow using GitHub Actions:

name: CoGuard Terraform Scan

on:
  push:
    branches: [ "main" ]

jobs:
  coguard-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run CoGuard
        run: |
          docker pull coguard/coguard-cli
          docker run --rm -v ${{ github.workspace }}:/mnt coguard/coguard-cli scan /mnt

Exporting SARIF Reports

You can export results in SARIF format for integration with GitHub Security Dashboard:

docker run --rm -v $(pwd):/mnt coguard/coguard-cli scan /mnt --output-format sarif > report.sarif

Results and Interpretation

In a sample scan, CoGuard detected:

3 high-severity issues (e.g., public S3 bucket, unencrypted storage)
2 medium-severity issues (e.g., missing logging)
1 low-severity issue (e.g., missing metadata tags)

Each result includes filename, line number, and clear remediation guidance.

Conclusions

CoGuard is a reliable SAST tool tailored for Infrastructure as Code. Its strengths include:

Early detection of cloud misconfigurations
Alignment with security benchmarks like CIS and OWASP
Easy setup using Docker
Seamless CI/CD integration
Report generation for audits and dashboards

By integrating CoGuard, teams can ensure secure and compliant infrastructure even before deployment.

References

Securing Code at the Source: Applying HCL AppScan CodeSweep in Real-Time Development

Juan Brendon Luna Juarez — Wed, 30 Apr 2025 04:55:11 +0000

Securing Code at the Source: Applying HCL AppScan CodeSweep in Real-Time Development

In modern software engineering, ensuring security from the beginning of the development cycle is fundamental. Static Application Security Testing (SAST) tools provide a way to detect potential vulnerabilities directly in the source code, often before the application is even compiled. This article discusses the use of HCL AppScan CodeSweep, a lightweight, IDE-integrated SAST tool, applied in a real Node.js development context.

What is HCL AppScan CodeSweep?

AppScan CodeSweep is a free and open-source plugin available for IDEs such as Visual Studio Code and JetBrains IDEs (e.g., IntelliJ, PyCharm, WebStorm). It enables static code analysis by scanning the developer's source files upon saving and reporting common security issues in real time.

Supported languages include JavaScript, Python, PHP, Java, Go, Ruby, .NET Core, Apex, and others.

Installation and Setup

The setup process is straightforward:

Open Visual Studio Code.
Access the Extensions Marketplace.
Search for "AppScan CodeSweep" and install the plugin.
Open any source file.
Save the file to trigger automatic analysis.

No manual configuration or terminal usage is required to begin scanning.

Practical Example: Node.js API Project

The tool was tested in a Node.js REST API built with Express, including user authentication and token-based access control.

Findings included:

Use of eval() on user-controlled input
Absence of input validation in a POST route, potentially enabling XSS
Insecure client-side storage of JSON Web Tokens (JWTs)

Each issue was presented with file name, line number, vulnerability type, and a concise remediation suggestion.

Observed Benefits

Real-time vulnerability detection during development
Seamless integration into existing IDE workflows
No additional infrastructure or complex configurations
Zero-cost licensing, ideal for personal or educational use

Limitations

The tool focuses on file-level static analysis and may miss context-specific issues
False positives may occur, though generally manageable
Not a substitute for dynamic analysis (DAST) or manual code reviews

Conclusion

HCL AppScan CodeSweep proves to be an effective solution for integrating security into the software development lifecycle without disrupting productivity. It empowers developers to identify and resolve vulnerabilities early, contributing to safer and more reliable codebases.

This tool is particularly useful for developers who want to adopt security practices without the overhead of enterprise-grade platforms. Its ease of use and compatibility with popular languages make it a practical choice for secure software development.

Creating a Generative AI Chatbot with Python

Juan Brendon Luna Juarez — Wed, 11 Dec 2024 07:44:04 +0000

AI models have become incredibly popular in the development of chatbots. With Python, it's easy to create such a chatbot using deep learning techniques and libraries like transformers, TensorFlow, and PyTorch. In this article, we’ll guide you step by step to build a simple generative AI chatbot using Python.

Why we use a AI Chatbot with Python?
Using an AI chatbot with Python offers several advantages, particularly in the areas of simplicity, flexibility, and access to powerful machine learning frameworks.

First step to start with ai chatbot development Install the necessary dependencies

pip install transformers torch

Install virtualenv in console if you don’t have it already:

pip install virtualenv

Create a virtual environment

virtualenv chatbot-env

We need Activate the environment. I use Windows

chatbot-env\Scripts\activate

Importing Required Libraries

from transformers import GPT2LMHeadModel, GPT2Tokenizer
import torch

Loading Pre-trained GPT model

model_name = "gpt2"
model = GPT2LMHeadModel.from_pretrained(model_name)
tokenizer = GPT2Tokenizer.from_pretrained(model_name)

model.eval()

Creating the Chatbot’s Response Generator

def generate_response(user_input):

    inputs = tokenizer.encode(user_input + tokenizer.eos_token, return_tensors="pt")

    outputs = model.generate(inputs, max_length=150, num_return_sequences=1, no_repeat_ngram_size=2, temperature=0.7)

    response = tokenizer.decode(outputs[0], skip_special_tokens=True)

    return response

Building the Chatbot Interface.

Finally, we’ll create a simple loop where the user can input text, and the chatbot will generate a response.

print("Hello! I am your chatbot. Type 'quit' to exit.")

while True:
    user_input = input("You: ")

    if user_input.lower() == "quit":
        break

    response = generate_response(user_input)
    print("Chatbot: ", response)

Finally Testing the Chatbot!!

python chatbot.py

Conclusions
We've shown you how to create a simple generative AI chatbot using Python. The chatbot uses a pre-trained model to generate responses based on user input. With some fine-tuning and improvements, you can create a more sophisticated and context-aware chatbot. Chatbots like this one can be used in a variety of applications, such as customer service, education, and entertainment.

Bokeh an interesting data tool in python for data visualization

Juan Brendon Luna Juarez — Sun, 08 Sep 2024 07:19:39 +0000

Data visualization plays a critical role in interpreting large volumes of information. Tools like Bokeh have emerged as popular solutions for building interactive dashboards and reports. Each tool brings unique advantages depending on the complexity of your project and your preferred programming language. In this article, we will delve into each tool and then focus on Bokeh, including a hands-on example and deployment in the cloud.

So that...

What is bokeh?
Bokeh is an interactive visualization library that targets modern web browsers for presentation. It offers elegant and concise graphics, enabling developers to build dashboards with advanced interactivity. Bokeh is particularly suitable for data scientists and developers using Python, offering both high-level interfaces and granular control over your plots.

How can you use this tool?

Install dependencies:

pip install bokeh pip install gunicorn

Create the plot: In this case i developed two plots in the main page then i called "app.py"

from bokeh.layouts import column
from bokeh.models import ColumnDataSource, Select
from bokeh.plotting import figure, curdoc
import numpy as np

# Sample data for line plot
line_data = {
    'x': [1, 2, 3, 4, 5],
    'y1': [6, 7, 2, 4, 7],
    'y2': [1, 4, 8, 6, 9]
}

# Data for scatter plot
N = 4000
x_scatter = np.random.random(size=N) * 100
y_scatter = np.random.random(size=N) * 100
radii = np.random.random(size=N) * 1.5
colors = np.array([(r, g, 150) for r, g in zip(50 + 2 * x_scatter, 30 + 2 * y_scatter)], dtype="uint8")

# Create ColumnDataSource for line plot
source = ColumnDataSource(data={'x': line_data['x'], 'y': line_data['y1']})

# Create a figure for line plot
plot_line = figure(title="Interactive Line Plot", x_axis_label='X', y_axis_label='Y')
line1 = plot_line.line('x', 'y', source=source, line_width=3, color='blue', legend_label='y1')
line2 = plot_line.line('x', 'y2', source=source, line_width=3, color='red', legend_label='y2', line_alpha=0.5)

# Create a figure for scatter plot
plot_scatter = figure(title="Scatter Plot", tools="hover,crosshair,pan,wheel_zoom,zoom_in,zoom_out,box_zoom,undo,redo,reset,tap,save,box_select,poly_select,lasso_select,examine,help")
plot_scatter.circle(x_scatter, y_scatter, radius=radii,
                    fill_color=colors, fill_alpha=0.6,
                    line_color=None)

# Dropdown widget to select data for line plot
select = Select(title="Y-axis data", value='y1', options=['y1', 'y2'])

# Update function to change data based on selection
def update(attr, old, new):
    selected_y = select.value
    source.data = {'x': line_data['x'], 'y': line_data[selected_y]}
    # Update line colors based on selection
    line1.visible = (selected_y == 'y1')
    line2.visible = (selected_y == 'y2')
    plot_line.title.text = f"Interactive Line Plot - Showing {selected_y}"

select.on_change('value', update)

# Arrange plots and widgets in a layout
layout = column(select, plot_line, plot_scatter)

# Add layout to current document
curdoc().add_root(layout)
`

Create your page in heroku and make the next to steps.

Create a Procfile:

In this file declare for example in my case.

web: bokeh serve --port=$PORT --address=0.0.0.0 --allow-websocket-origin=juancitoelpapi-325d94c2c6c7.herokuapp.com app.py

Create requeriments: In the project create requirements.txt and write and save

bokeh

Push your project:

It's similar when you push a project in git but in this case the final master push is in heroku

git init git add . git commit -m "Deploy Bokeh app with Gunicorn" git push heroku master

And Finally ...

You can see your page with the plots bokeh.

Conclusion

The real power of Bokeh lies in its ability to deliver interactive dashboards in web environments, making it ideal for real-time data monitoring and large datasets. By using Gunicorn to deploy Bokeh applications on cloud services like Heroku, you can build scalable, production-ready dashboards that are easy to maintain and update.