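# Web Server Security - HTTP/HTTPS Validation
# Run: reglet check examples/03-web-security.yaml --trust-plugins
#
# This profile tests HTTP endpoints for security best practices.
# Requires HTTP plugin (WASM built and ready!)
#
# NOTE: These checks connect to real websites. Requires network access.
#
# Observation fields read from the http plugin in this file:
# data.status_code, data.body_size, data.body. No control below inspects
# response headers, so the "security header checks" named in the profile
# description are not yet implemented here.
#
# NOTE(review): indentation was reconstructed from a flattened copy; the
# nesting of `controls` beside `profile` follows the key order as shown and
# should be confirmed against the reglet profile schema.
profile:
  name: Web Server Security
  description: HTTP/HTTPS validation and security header checks
  # Quoted so no YAML loader can retype the version string.
  version: "1.0.0"
  plugins:
    - http
controls:
  items:
    - id: http-responds
      name: HTTP endpoint is accessible
      description: Verify the website responds to HTTP requests
      severity: low
      tags: [web, http, connectivity]
      observations:
        - plugin: http
          config:
            url: http://example.com
            method: GET
          expect:
            # Any 2xx-4xx passes. A 3xx redirect to HTTPS and a 200 that
            # serves the page over plaintext are indistinguishable here, and
            # whether the plugin follows redirects is not shown in this file;
            # read a pass as "reachable", not as "served securely".
            - data.status_code >= 200 && data.status_code < 500
    - id: https-accessible
      name: HTTPS endpoint is accessible
      description: Verify the website responds over HTTPS
      severity: high
      tags: [web, https, connectivity]
      observations:
        - plugin: http
          config:
            url: https://example.com
            method: GET
          expect:
            - data.status_code == 200
    - id: https-success
      # Same observation and expectation as https-accessible; kept as a
      # separate control because ids may be referenced by reports/baselines.
      name: HTTPS returns 200 OK
      description: HTTPS endpoint should return successful status
      severity: high
      tags: [web, https, status]
      observations:
        - plugin: http
          config:
            url: https://example.com
            method: GET
          expect:
            - data.status_code == 200
    - id: body-not-empty
      name: Response body contains content
      description: Server returns actual content, not empty response
      severity: medium
      tags: [web, http, content]
      observations:
        - plugin: http
          config:
            url: https://example.com
            method: GET
            # Limits how much of the body is captured into data.body. The
            # expectation below reads data.body_size, which presumably
            # reflects the full response rather than the preview -- confirm
            # against the plugin.
            body_preview_length: 100
          expect:
            - data.body_size > 0
    - id: github-api-accessible
      name: GitHub API is accessible
      description: Test connectivity to external API
      severity: low
      tags: [web, api, connectivity]
      observations:
        - plugin: http
          config:
            url: https://api.github.com
            method: GET
          expect:
            - data.status_code == 200
    - id: api-returns-json
      name: API returns JSON content
      description: Verify API response contains JSON markers
      severity: low
      tags: [web, api, json]
      observations:
        - plugin: http
          config:
            url: https://api.github.com
            method: GET
            # -1 presumably disables truncation so the whole body is
            # searchable -- confirm against the plugin docs.
            body_preview_length: -1
          expect:
            # Check status and body contains JSON markers using the 'contains' operator.
            # Brace presence is a weak proxy for JSON; this file uses no
            # header field, so a Content-Type check is not expressed here.
            - data.status_code == 200
            - data.body contains "{"
            - data.body contains "}"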