amalthea
| Crates.io | amalthea |
| lib.rs | amalthea |
| version | 0.5.1 |
| created_at | 2025-09-26 10:11:48.252355+00 |
| updated_at | 2025-10-13 09:02:52.60087+00 |
| description | AI-powered API testing and security vulnerability scanner - harnessing the volcanic power of Jupiter's moon |
| homepage | https://amalthea.cloud |
| repository | https://github.com/KSD-CO/amalthea |
| max_upload_size | |
| id | 1855731 |
| size | 12,992,182 |
(tonthatvu)
documentation
README
Amalthea
Amalthea - AI-powered API testing tool with comprehensive test generation, execution, database integration, and advanced AI security vulnerability scanning capabilities!
๐ Production Ready v0.5.0
โ
๐ค NEW: AI-Powered Security Vulnerability Scanner: Complete AI security module with GPT-4 intelligence
โ
๐ NEW: 14+ Vulnerability Types: SQL Injection, XSS, Auth Bypass, Rate Limiting, and more
โ
๏ฟฝ๏ธ NEW: OWASP & CWE Integration: Professional security assessment with industry standards
โ
๐ NEW: Multi-Format Security Reports: Console, HTML, JSON with strategic insights
โ
โ๏ธ NEW: Configurable AI Scanning: Intensity levels, focus areas, confidence thresholds
โ
๐๏ธ Database Integration Testing: Complete database testing framework with multi-database support
โ
๐ State Validation: Validate database state after API calls with comprehensive assertions
โ
๐ฑ Data Seeding & Cleanup: Automated test data seeding with proper cleanup management
โ
โก Query Performance Testing: Built-in performance monitoring and query optimization insights
โ
๐ CI/CD Pipeline Integration: Full automation support with reporting and Docker containers
โ
Multi-Provider AI Support: OpenAI, Anthropic Claude, Google Gemini, Local models (Ollama)
โ
Test Generation & Execution: Generate test cases AND execute them automatically
โ
๐ Comprehensive Authentication: Bearer, Basic, API Key, JWT, OAuth2
โ
๐ Advanced Protocol Testing: WebSocket, GraphQL, gRPC, Server-Sent Events
โ
๐ก๏ธ Enhanced Security Testing: AI-powered vulnerability detection + traditional security scans
โ
๐งช Test Data Fuzzing: Advanced fuzzing with 20+ strategies for security vulnerability testing
โ
Universal AI Client: Unified interface for all AI providers
โ
Postman Collections: Full support for Postman collection imports
โ
Smart Date Generation: Automatic current date injection in test data (no more 2023 dates!)
โ
Docker Ready: docker pull ksdco/amalthea:0.5.0
โจ Features
- ๐ค Multi-Provider AI Support - OpenAI, Anthropic Claude, Google Gemini, Local models (Ollama)
- ๐งช Test Generation & Execution - Generate comprehensive test cases and execute them automatically
- ๐ Comprehensive Authentication - Bearer Token, HTTP Basic, API Key, JWT, OAuth2 authentication support
- ๐ Advanced Protocol Testing - WebSocket, GraphQL, gRPC, Server-Sent Events (SSE) testing capabilities
- ๐ค ๐ AI-Powered Security Scanner - GPT-4 intelligent vulnerability detection with OWASP/CWE mapping
- ๐ก๏ธ Enhanced Security Testing - AI-driven + traditional security vulnerability scanning (SQL injection, XSS, auth bypass, rate limiting, security headers, etc.)
- ๐ฏ Test Data Fuzzing - Advanced fuzzing with 20+ strategies including SQL injection, XSS, buffer overflow, unicode attacks, and malicious payloads for comprehensive security testing
- ๐ Knowledge Base Integration - Custom knowledge bases with valid data patterns and examples for realistic test generation
- ๐ Execution Reports - Detailed pass/fail results with comprehensive statistics
- ๐ Smart URL Detection - Automatic base URL extraction from OpenAPI specs and Postman collections
- ๐ OpenAPI/Swagger Support - Full OpenAPI 3.0 and 2.0 specification support
- ๐ฎ Postman Collection Support - Import and test from Postman Collections with variable support
- ๐ Universal AI Client - Unified interface routing to appropriate AI providers
- ๐ Smart Date Generation - Automatic current date injection in test data (no more 2023 dates!)
- ๏ฟฝ HTML Reports - Beautiful interactive reports with charts and visualizations
- ๏ฟฝ๐ฐ Cost Optimization - Per-endpoint processing to avoid token limits and save costs
- ๐ณ Docker Ready - Available on Docker Hub as
ksdco/amalthea - โก Fast & Reliable - Built with Rust for maximum performance
- ๐๏ธ Professional Architecture - Modular, maintainable codebase
๐ Version History & New Features
๐ v0.5.0 - Latest (October 2025)
- ๐ค ๐ AI-Powered Security Vulnerability Scanner - Complete AI security module with 4 sub-components
- ๐ ๐ GPT-4 Intelligence - AI-powered analysis using OpenAI for intelligent vulnerability detection
- ๐ก๏ธ ๐ 14+ Vulnerability Types - SQL Injection, XSS, Authentication Bypass, Authorization Flaws, Rate Limiting, Information Disclosure, Input Validation, Session Management, CSRF, Insecure Deserialization, XXE Injection, Security Misconfiguration, Broken Access Control, Cryptographic Failures
- ๐ ๐ Professional Security Reporting - Multi-format reports (Console, HTML, JSON) with strategic insights
- โ๏ธ ๐ Configurable AI Scanning - Scan intensity levels (1-5), focus areas, confidence thresholds
- ๐ฏ ๐ OWASP & CWE Integration - Maps vulnerabilities to OWASP Top 10 and CWE categories
- ๐ ๐ AI Security CLI - New arguments:
--ai-security-scan,--ai-scan-intensity,--ai-scan-focus,--ai-scan-confidence
๐ v0.4.0 - Previous (October 2025)
- ๐๏ธ ๐ Database Integration Testing - Complete database testing framework with multi-database support
- ๐ ๐ State Validation - Validate database state after API calls with comprehensive assertions
- ๐ฑ ๐ Data Seeding & Cleanup - Automated test data seeding with dependency management and proper cleanup
- โก ๐ Query Performance Testing - Built-in performance monitoring with configurable thresholds
- ๐ ๐ CI/CD Pipeline Integration - Full automation support with JUnit XML/JSON reporting
- ๐ณ ๐ Multi-Database Support - PostgreSQL, MySQL, SQLite, MongoDB, Redis with feature flags
- ๐งช ๐ Database Testing Examples - E-commerce, User Management, Performance testing scenarios
- ๐ ๐ Comprehensive Documentation - Quick start guide, usage documentation, and CI/CD integration
๐ v0.3.0 - Previous (October 2025)
- ๐ ๐ Comprehensive Authentication - Bearer Token, HTTP Basic, API Key, JWT, OAuth2 support
- ๐ ๐ Advanced Protocol Testing - WebSocket, GraphQL, gRPC, Server-Sent Events (SSE) testing
- ๐ก๏ธ ๐ Security Analysis - JWT validation, password strength analysis, security recommendations
- ๐ป ๐ Enhanced CLI - New authentication and protocol testing arguments
- ๐ ๐ Complete Documentation - Comprehensive guides and examples for new features
v0.2.5 - Previous (October 2025)
- ๐ฏ Advanced Test Data Fuzzing - Comprehensive fuzzing with 5 intensity levels and 20+ strategies
- ๐ก๏ธ Enhanced Security Testing - Comprehensive vulnerability scanning with 8+ security checks
- ๐ Fuzzing vs Security Distinction - Clear separation between robustness testing and vulnerability detection
- ๐ฒ Configurable Fuzzing Intensity - 5 levels from light (CI/CD) to extreme (stress testing)
- ๐ Smart URL Detection - Automatic base URL extraction from OpenAPI specs and Postman collections
- ๐ฎ Advanced Postman Support - Full Postman Collection v2.0+ support with variable handling
- ๐ Universal AI Client - Unified interface routing to all AI providers automatically
- ๐ Smart Date Generation - Automatic current date injection (2025+ dates, not 2023!)
- ๐งช Enhanced Test Generation - 8-12 comprehensive test cases per endpoint (vs 3-5 previously)
- ๐ HTML Reports - Beautiful interactive reports with charts and security dashboards
- ๐ ๏ธ Improved Error Handling - Better error messages and graceful fallbacks
- ๐ Enhanced Reporting - Detailed security vulnerability reports with severity levels
๐ v0.2.4 - Previous Release
- ๐ก๏ธ Enhanced Security Testing - Comprehensive vulnerability scanning with 8+ security checks
- ๐ฏ Test Data Fuzzing - Advanced fuzzing system with 20+ strategies for security vulnerability testing
- ๐ Smart URL Detection - Automatic base URL extraction from OpenAPI specs and Postman collections
- ๐ฎ Advanced Postman Support - Full Postman Collection v2.0+ support with variable handling
- ๐ Universal AI Client - Unified interface routing to all AI providers automatically
- ๐ Smart Date Generation - Automatic current date injection (2025+ dates, not 2023!)
- ๐งช Enhanced Test Generation - 8-12 comprehensive test cases per endpoint (vs 3-5 previously)
- ๐ HTML Reports - Beautiful interactive reports with charts and security dashboards
- ๐ ๏ธ Improved Error Handling - Better error messages and graceful fallbacks
- ๐ Enhanced Reporting - Detailed security vulnerability reports with severity levels
๐ v0.2.2 - Previous Release
- ๐ค Multi-Provider AI Support - Added support for OpenAI, Anthropic Claude, Google Gemini, Local models
- ๐งช Test Generation & Execution - Combined test generation with automatic execution
- ๐ OpenAPI/Swagger Support - Full OpenAPI 3.0 and 2.0 specification support
- ๐ณ Docker Integration - Complete Docker support with automated builds
๐ v0.2.1 - Foundation Release
- โก Core Architecture - Built with Rust for maximum performance
- ๐ฐ Cost Optimization - Per-endpoint processing to save API costs
- ๐ Execution Reports - Pass/fail statistics and detailed results
- ๐๏ธ Professional Codebase - Modular, maintainable architecture
๐ Smart Date Generation
Amalthea automatically injects current dates into test data to avoid outdated timestamps:
Before (v0.2.2):
{
"dateRange": {
"start": "2023-01-01",
"end": "2023-12-31"
}
}
After (v0.2.4):
{
"dateRange": {
"start": "2025-01-01",
"end": "2026-12-31"
}
}
Features:
- ๐๏ธ Current Year Injection - Uses actual current year (2025+)
- ๐ Date Range Intelligence - Current year to next year ranges
- โฐ ISO Timestamp Support - Realistic current timestamps
- ๐ Dynamic Updates - Always uses current date, never hardcoded
๐ฏ Test Data Fuzzing vs Security Testing
Amalthea provides two distinct but complementary testing approaches:
๐ฒ Fuzzing (--fuzz) - API Robustness Testing
Purpose: Test API stability and robustness with random/malformed data
What it does:
- Generates random, oversized, or malformed data to stress-test APIs
- Tests how APIs handle unexpected input gracefully
- Finds crashes, errors, and edge cases in data processing
- Validates input validation and error handling logic
Example fuzz data:
{
"invoice_id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...", // Extremely long strings
"amount": 999999999999999999, // Boundary values
"items": [null, null, null, ...], // Unexpected nulls
"๐ฅ๐ฅ๐ฅ": "unicode_data", // Unicode/emoji
"nested": {"very": {"deep": {"object": "test"}}} // Deep nesting
}
Intensity Levels (1-5):
- Level 1: Light fuzzing (2-3 test cases per endpoint)
- Level 2: Moderate fuzzing (3-5 test cases)
- Level 3: Standard fuzzing (5-7 test cases) - Default
- Level 4: Heavy fuzzing (7-10 test cases)
- Level 5: Extreme fuzzing (10+ test cases)
๐ก๏ธ Security Testing (--security) - Vulnerability Detection
Purpose: Detect specific security vulnerabilities and attack vectors
What it does:
- Tests for known security vulnerabilities (OWASP Top 10)
- Uses crafted payloads to detect injection attacks
- Validates authentication and authorization controls
- Checks security headers and configurations
Example security payloads:
{
"username": "' OR '1'='1", // SQL injection
"comment": "<script>alert('XSS')</script>", // XSS attack
"file_path": "../../../etc/passwd", // Path traversal
"command": "; ls -la", // Command injection
"ldap_query": ")(cn=*))(|(cn=*" // LDAP injection
}
Security Test Categories:
- ๐ Injection Attacks - SQL, NoSQL, LDAP, XPath injection
- ๐จ Cross-Site Scripting (XSS) - Reflected, stored, DOM-based XSS
- ๐ป Command Injection - OS command execution attempts
- ๐ Path Traversal - Directory traversal and file access
- ๐ Authentication Bypass - Token validation, session handling
- ๐ Security Headers - Missing security headers check
- โฑ๏ธ Rate Limiting - Brute force and DoS protection
๐ค When to Use What
| Scenario | Recommended Approach |
|---|---|
| Development Testing | --fuzz --fuzz-intensity 2 |
| Security Audit | --security |
| Pre-Production | --fuzz --security (both) |
| CI/CD Pipeline | --fuzz --fuzz-intensity 1 --security |
| Stress Testing | --fuzz --fuzz-intensity 4-5 |
| Compliance Check | --security |
๐ Combining Both (Recommended)
# Comprehensive testing with both fuzzing and security
cargo run -- --file api.json --fuzz --fuzz-intensity 3 --security --generate-only
# Light testing for CI/CD
cargo run -- --file api.json --fuzz --fuzz-intensity 1 --security --generate-only
# Heavy stress + security testing
cargo run -- --file api.json --fuzz --fuzz-intensity 5 --security --kb knowledge-base.json
๐ฏ Test Data Fuzzing
Amalthea includes advanced fuzzing capabilities to test API robustness and security with comprehensive vulnerability testing:
Fuzzing Strategies
Data Generation (20+ Strategies):
- ๐ค String Fuzzing - Special characters, encoding attacks, format strings
- ๐ข Number Fuzzing - Boundary values, overflow attempts, invalid formats
- ๐ JSON Fuzzing - Malformed structures, type confusion, nested attacks
- ๐ Unicode Fuzzing - Multi-byte sequences, normalization attacks
- ๐ Array Fuzzing - Size attacks, type mixing, nested structures
Security-Focused Fuzzing (12+ Vulnerability Types):
- ๐ SQL Injection - Various SQL attack vectors and bypasses
- ๐จ XSS (Cross-Site Scripting) - Script injection and encoding bypasses
- ๐ป Command Injection - OS command execution attempts
- ๐ Path Traversal - Directory traversal and file access attacks
- ๐ Buffer Overflow - Memory corruption and boundary attacks
- ๐ LDAP/XPath Injection - Directory and XML query attacks
- ๐ Template Injection - Server-side template attacks
- ๐ Header Injection - HTTP header manipulation
- ๐ Type Confusion - Data type mismatch attacks
- ๐ฆ Deserialization - Object deserialization vulnerabilities
Fuzzing Usage
# Enable fuzzing mode
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz
# Fuzzing with custom intensity (1-5, default: 3)
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --fuzz-intensity 5
# Fuzzing with security testing
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --security
# Fuzzing with knowledge base for realistic base data
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --kb knowledge-base.json
# Generate fuzzing data only (no execution)
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --generate-only
# Fuzzing with HTML report
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --security --html-report
Fuzzing Benefits
- ๐ก๏ธ Security Hardening - Discover vulnerabilities before attackers do
- ๐ Edge Case Discovery - Find unexpected API behaviors and crashes
- ๐ Robustness Testing - Ensure APIs handle malformed input gracefully
- ๐ฏ Targeted Testing - Focus on specific vulnerability types
- ๐ Scalable Testing - Adjustable intensity levels for different testing phases
๐งช Enhanced Test Generation
Comprehensive Test Coverage
Before (v0.2.2): 3-5 basic test cases After (v0.2.3): 8-12 comprehensive test cases covering:
- Success Scenarios (200/201/204) - 3+ cases
- Client Errors (400/401/403/404/422) - 3+ cases
- Server Errors (500/502/503) - 2+ cases
- Edge Cases (boundary values, special characters) - 2+ cases
- Security Scenarios (unauthorized access, injection attempts) - 2+ cases
Example Generated Test Case
{
"name": "Create Invoice - Success with Current Date",
"method": "POST",
"url": "/api/v1/invoices",
"headers": {
"Content-Type": "application/json",
"Authorization": "Bearer test-token",
"User-Agent": "Amalthea-Test-Client"
},
"body": {
"invoiceNumber": "INV-2025-001",
"issueDate": "2025-10-01",
"dueDate": "2025-11-01",
"amount": 1250.00,
"currency": "USD",
"items": [
{
"description": "Software License",
"quantity": 1,
"unitPrice": 1250.00,
"total": 1250.00
}
]
},
"expected_status": 201,
"description": "Create a new invoice with valid current date data and comprehensive item details"
}
๐ Quick Start
Installation
# Install from crates.io (recommended)
cargo install amalthea
# Or build from source
git clone https://github.com/KSD-CO/amalthea.git
cd amalthea
make build
# Via Docker (ready to use)
docker pull ksdco/amalthea:0.5.0
docker pull ksdco/amalthea:latest
# Pre-built binaries (GitHub Releases)
wget https://github.com/KSD-CO/amalthea/releases/download/v0.5.0/amalthea-linux-x86_64
chmod +x amalthea-linux-x86_64
Basic Usage
# Generate and execute test cases with OpenAI
amalthea --provider openai --model gpt-4o-mini --file api.json
# Generate only (no execution)
amalthea --provider openai --model gpt-4o-mini --file api.json --generate-only
# Use with local model (Ollama)
amalthea --provider local --model mistral:latest --file api.json
# Use with Claude
amalthea --provider anthropic --model claude-3-haiku --file api.json
# Use with Gemini
amalthea --provider google --model gemini-1.5-flash --file api.json
# Generate beautiful HTML report
amalthea --provider openai --model gpt-4o-mini --file api.json --format html --output report.html
# HTML report with security testing
amalthea --provider openai --model gpt-4o-mini --file api.json --security --html-report --output security-report.html
# Use knowledge base for realistic test data
amalthea --provider openai --model gpt-4o-mini --file api.json --kb knowledge-base.json --html-report
# Database integration testing (v0.4.0+)
make demo # Quick database testing demo
make examples # All database examples
make ci # CI/CD pipeline simulation
# Enable AI-powered security vulnerability scanning (v0.5.0+)
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan
# AI security scan with custom intensity and focus areas
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan --ai-scan-intensity 5 --ai-scan-focus "sql,xss,auth"
# AI security scan with confidence threshold and JSON output
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan --ai-scan-confidence 0.8 --json-output
# Enable fuzzing for security vulnerability testing
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz
# Fuzzing with custom intensity and security testing
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --fuzz-intensity 5 --security
## ๐ Authentication Support (v0.3.0+)
Amalthea now supports comprehensive authentication for secure API testing:
### Bearer Token Authentication
```bash
# Bearer token authentication
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type bearer --auth-token "your-bearer-token"
HTTP Basic Authentication
# Basic authentication with username/password
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type basic --auth-token "username" --auth-password "password"
API Key Authentication
# API key with custom header
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type api-key --auth-token "your-api-key" --auth-header "X-API-Key"
# API key with Authorization header (default)
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type api-key --auth-token "your-api-key"
JWT Authentication
# JWT token authentication with automatic Bearer prefix
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type jwt --auth-token "your-jwt-token"
OAuth2 Authentication
# OAuth2 access token
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type oauth2 --auth-token "your-access-token"
๐ Advanced Protocol Testing (v0.3.0+)
Test modern API protocols beyond traditional REST:
WebSocket Testing
# WebSocket endpoint testing
amalthea --provider openai --model gpt-4o-mini --file api.json --websocket --ws-url "wss://echo.websocket.org"
# WebSocket with authentication
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type bearer --auth-token "token" --websocket --ws-url "wss://secure.example.com/ws"
GraphQL Testing
# GraphQL API testing
amalthea --provider openai --model gpt-4o-mini --file api.json --graphql --graphql-url "https://api.github.com/graphql"
# GraphQL with JWT authentication
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type jwt --auth-token "jwt-token" --graphql --graphql-url "https://secure-graphql.example.com"
gRPC Testing
# gRPC service testing
amalthea --provider openai --model gpt-4o-mini --file api.json --grpc --grpc-url "grpc.example.com:443"
# gRPC with API key authentication
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type api-key --auth-token "grpc-key" --grpc --grpc-url "secure-grpc.example.com:443"
Server-Sent Events (SSE) Testing
# SSE endpoint testing
amalthea --provider openai --model gpt-4o-mini --file api.json --sse --sse-url "https://api.example.com/events"
# SSE with OAuth2 authentication
amalthea --provider openai --model gpt-4o-mini --file api.json --auth-type oauth2 --auth-token "access-token" --sse --sse-url "https://secure-events.example.com/stream"
Combined Testing
# Test multiple protocols with authentication
amalthea --provider openai --model gpt-4o-mini --file api.json \
--auth-type bearer --auth-token "multi-protocol-token" \
--websocket --ws-url "wss://api.example.com/ws" \
--graphql --graphql-url "https://api.example.com/graphql" \
--security --html-report
AI Security + Light fuzzing for CI/CD pipelines
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan --ai-scan-intensity 2 --fuzz --fuzz-intensity 1 --security --generate-only
Comprehensive testing: AI Security + Fuzzing + Traditional Security + Knowledge Base + HTML Report
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan --ai-scan-intensity 4 --fuzz --security --kb knowledge-base.json --html-report
## ๐ค AI-Powered Security Vulnerability Scanner (v0.5.0+)
Amalthea v0.5.0 introduces a revolutionary **AI-Powered Security Vulnerability Scanner** that uses OpenAI GPT-4 to intelligently detect complex security vulnerabilities beyond traditional pattern matching.
### ๐ Key Features
#### **AI-Driven Intelligence**
- **GPT-4 Analysis**: Uses OpenAI's most advanced models for intelligent vulnerability detection
- **Business Logic Understanding**: Detects complex vulnerabilities that traditional scanners miss
- **Contextual Analysis**: Understands API endpoints in business context for accurate assessment
- **Confidence Scoring**: AI-powered accuracy assessment (0.0-1.0) for each vulnerability
#### **Comprehensive Vulnerability Detection**
**14+ Vulnerability Types Supported:**
- ๐ **SQL Injection** - Database query manipulation attacks
- ๐จ **Cross-Site Scripting (XSS)** - Script injection vulnerabilities
- ๐ **Authentication Bypass** - Authentication mechanism flaws
- ๐ก๏ธ **Authorization Flaws** - Access control vulnerabilities
- โฑ๏ธ **Rate Limiting** - Missing or inadequate rate limiting
- ๐ **Information Disclosure** - Unintended data exposure
- โ
**Input Validation** - Insufficient input sanitization
- ๐ **Session Management** - Session handling vulnerabilities
- ๐ก๏ธ **CSRF Vulnerability** - Cross-site request forgery
- ๐ฆ **Insecure Deserialization** - Object deserialization flaws
- ๐ **XXE Injection** - XML external entity attacks
- โ๏ธ **Security Misconfiguration** - Configuration weaknesses
- ๐ซ **Broken Access Control** - Access control bypasses
- ๐ **Cryptographic Failures** - Weak cryptography implementations
#### **Professional Security Reporting**
- **Colored Console Output**: Rich formatting with emoji indicators and severity colors
- **HTML Security Reports**: Professional assessment documents with charts and insights
- **JSON Export**: Machine-readable format for CI/CD integration and automation
- **OWASP & CWE Mapping**: Industry-standard vulnerability categorization
- **Strategic Recommendations**: Business-level security guidance and remediation timelines
### ๐ AI Security Scanner Usage
#### **Basic AI Security Scanning**
```bash
# Enable AI-powered security scanning
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan
# Set OpenAI API key
export OPENAI_API_KEY="sk-proj-your-openai-key"
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan
Advanced Configuration
# High-intensity AI security scan
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan --ai-scan-intensity 5
# Focus on specific vulnerability types
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan --ai-scan-focus "sql,xss,auth,rate"
# Set confidence threshold (higher = more accurate, fewer results)
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan --ai-scan-confidence 0.8
# Generate JSON security report
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan --json-output
# Comprehensive AI security assessment
amalthea --provider openai --model gpt-4o-mini --file api.json \
--ai-security-scan \
--ai-scan-intensity 4 \
--ai-scan-focus "sql,xss,auth,rate,info,input" \
--ai-scan-confidence 0.7 \
--json-output
Security Testing
# Run comprehensive security tests
amalthea --provider openai --model gpt-4o-mini --file api.json --security
# Security testing with Postman collections
amalthea --provider openai --model gpt-4o-mini --file collection.json --security
# Security testing with custom base URL
amalthea --provider openai --model gpt-4o-mini --file api.json --security --base-url https://api.example.com
# Security testing only (no test generation)
amalthea --provider openai --model gpt-4o-mini --file api.json --security --generate-only
# Fuzzing mode for comprehensive security testing
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --security
# Fuzzing with custom intensity level (1-5)
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --fuzz-intensity 4
Universal AI Client
# Use universal client for automatic provider routing
amalthea --provider universal --model gpt-4o-mini --file api.json
# Universal client with security testing
amalthea --provider universal --model gpt-4o-mini --file api.json --security
# Universal client with different models
amalthea --provider universal --model claude-3-haiku --file api.json
amalthea --provider universal --model gemini-1.5-flash --file api.json
๐๏ธ Database Integration Testing (v0.4.0+)
Amalthea now provides comprehensive database integration testing capabilities to validate database state after API calls:
Quick Start with Database Testing
# Build with database features
cargo build --features database
# Run practical database testing demo
make demo
# Run all database examples
make examples
# Test with specific database
make test-sqlite # SQLite
make test-postgres # PostgreSQL
make test-mysql # MySQL
Database Configuration
use amalthea::database::{DatabaseTester, DatabaseConfig};
let mut db_tester = DatabaseTester::new();
// SQLite (easiest to get started)
let config = DatabaseConfig::sqlite("./test.db");
db_tester.add_config("main".to_string(), config);
// PostgreSQL
let config = DatabaseConfig::postgres("localhost", 5432, "testdb", "user", "password");
db_tester.add_config("postgres".to_string(), config);
// MySQL, MongoDB, Redis also supported
State Validation After API Calls
use amalthea::database::{StateValidation, SeedConfig, QueryTest};
// Test API endpoint
simulate_api_call("POST", "/api/users", json!({
"email": "test@example.com",
"name": "Test User",
"active": true
}));
// Validate database state
let validations = vec![
StateValidation::record_exists(
"User created in database",
"users",
create_conditions("email", "test@example.com")
),
StateValidation::field_value(
"User is active",
"users",
"active",
json!(true),
create_conditions("email", "test@example.com")
),
StateValidation::not_null(
"Created timestamp set",
"users",
"created_at",
create_conditions("email", "test@example.com")
)
];
Data Seeding & Cleanup
// Setup test data
let seed_config = SeedConfig::new()
.add_seed_set(
SeedSet::new("Test Users", "users")
.add_record(
SeedRecord::new(1)
.field("email", "user1@test.com")
.field("name", "Test User 1")
.field("active", true)
)
)
.cleanup_order(vec!["orders".to_string(), "users".to_string()]);
// Seed data before tests
db_tester.seed_data(seed_config).await?;
// Tests run here...
// Automatic cleanup after tests
Query Performance Testing
// Test query performance
let query_test = QueryTest::select(
"Get active users",
"SELECT * FROM users WHERE active = true ORDER BY created_at DESC LIMIT 100"
).performance(PerformanceLimits {
max_execution_time_ms: 500,
warn_execution_time_ms: 100,
..Default::default()
});
// Complex queries with performance monitoring
let analytics_query = QueryTest::analysis(
"User order statistics",
r#"
SELECT u.id, u.name, COUNT(o.id) as order_count, SUM(o.total) as total_spent
FROM users u
LEFT JOIN orders o ON u.id = o.user_id
WHERE u.active = true
GROUP BY u.id, u.name
ORDER BY total_spent DESC
"#
).performance(PerformanceLimits {
max_execution_time_ms: 2000,
warn_execution_time_ms: 500,
..Default::default()
});
CI/CD Integration
# Run CI/CD pipeline simulation
make ci
# With environment variables
TEST_ENV=ci cargo run --example ci_cd_database_testing --features database
# Generate test reports
# Creates: database-test-results.xml (JUnit)
# database-test-results.json (JSON)
Supported Databases
- PostgreSQL - Full SQL testing with sqlx
- MySQL - Complete MySQL support
- SQLite - Lightweight for development
- MongoDB - Document database testing
- Redis - Key-value store testing
Makefile Commands
# Development
make build-db # Build with database features
make demo # Run practical examples
make examples # Run all database examples
make ci # Full CI/CD simulation
# Testing
make test-db # All database tests
make test-sqlite # SQLite specific
make test-postgres # PostgreSQL specific
make test-mysql # MySQL specific
make test-all-db # Test all database types
# Documentation
make help # Show all available commands
Real-World Examples
The implementation includes complete examples for:
- E-commerce API Testing - Product creation, order processing, inventory management
- User Management - Registration, authentication, profile updates, soft deletes
- Performance Testing - Query optimization, load testing, performance monitoring
- CI/CD Integration - Automated pipeline with reporting and Docker support
See examples/ directory for complete working examples and DATABASE_USAGE_GUIDE.md for detailed documentation.
๐ง Configuration
Environment Variables
Create a .env file for API keys:
# OpenAI
OPENAI_API_KEY="sk-proj-your-openai-key"
# Anthropic Claude
ANTHROPIC_API_KEY="sk-ant-your-claude-key"
# Google Gemini
GOOGLE_API_KEY="your-google-gemini-key"
# Local Ollama (optional)
OLLAMA_HOST="http://localhost:11434"
AI Provider Setup
๐ค OpenAI Models
# Set OpenAI API key
export OPENAI_API_KEY="sk-proj-your-openai-key"
# Use different OpenAI models
amalthea --provider openai --model gpt-4o-mini --file api.json # Cost-effective
amalthea --provider openai --model gpt-4o --file api.json # High performance
amalthea --provider openai --model gpt-4 --file api.json # Most capable
amalthea --provider openai --model gpt-3.5-turbo --file api.json # Fast & affordable
๐ง Anthropic Claude
# Set Claude API key
export ANTHROPIC_API_KEY="sk-ant-your-claude-key"
# Use different Claude models
amalthea --provider anthropic --model claude-3-haiku --file api.json # Fast
amalthea --provider anthropic --model claude-3-sonnet --file api.json # Balanced
amalthea --provider anthropic --model claude-3-opus --file api.json # Most capable
๐ Google Gemini
# Set Gemini API key
export GOOGLE_API_KEY="your-google-gemini-key"
# Use different Gemini models
amalthea --provider google --model gemini-1.5-flash --file api.json # Fast
amalthea --provider google --model gemini-1.5-pro --file api.json # High performance
๐ Local Models (Ollama)
# Install and start Ollama
curl -fsSL https://ollama.ai/install.sh | sh
ollama serve
# Pull models
ollama pull mistral:latest
ollama pull llama3.2:latest
ollama pull codellama:latest
# Use local models
amalthea --provider local --model mistral:latest --file api.json # Mistral 7B
amalthea --provider local --model llama3.2:latest --file api.json # Llama 3.2
amalthea --provider local --model codellama:latest --file api.json # Code Llama
# Custom base URL for local models
amalthea --provider local --model mistral:latest --base-url http://localhost:11434 --file api.json
๐งช Test Execution
Amalthea not only generates test cases but also executes them automatically:
# Generate and execute tests (default behavior)
amalthea --provider openai --model gpt-4o-mini --file api.json
# Generate test cases only
amalthea --provider openai --model gpt-4o-mini --file api.json --generate-only
# Execute with custom output file
amalthea --provider openai --model gpt-4o-mini --file api.json --output my_tests.json
# Combined: Generate tests + Security scan
amalthea --provider openai --model gpt-4o-mini --file api.json --security
๐ก๏ธ Security Testing
Amalthea includes comprehensive security vulnerability scanning:
Security Test Categories:
- ๐ SQL Injection detection
- ๐จ Cross-Site Scripting (XSS)
- ๐ Authentication bypass testing
- ๐ก๏ธ Authorization flaw detection
- โ Input validation analysis
- ๐ Security headers check
- โฑ๏ธ Rate limiting verification
- ๐ Information disclosure detection
# Run security tests only
amalthea --security --generate-only --file api.json
# Security tests with AI provider
amalthea --provider openai --model gpt-4o-mini --file api.json --security
# Example security report output:
# ๐ก๏ธ Security Test Report
# ==================================================
#
# ๐ SQL Injection - /users/{id}
# Status: ๐ด VULNERABLE
# Severity: CRITICAL
# Details: SQL error detected with payload: ' OR '1'='1
# Recommendation: Use parameterized queries and input validation
#
# ๐ Missing Security Headers - X-Frame-Options
# Status: ๐ก WARNING
# Severity: MEDIUM
# Details: Header X-Frame-Options is missing
# Recommendation: Add X-Frame-Options header
#
# ๐ Summary:
# ๐ด Critical: 1
# ๐ High: 2
# ๐ก Medium: 3
# ๐ต Low: 1
๐ Universal AI Client
The Universal AI Client provides a unified interface for all AI providers, automatically routing requests to the appropriate provider:
# Universal client automatically detects provider from model
amalthea --provider universal --model gpt-4o-mini --file api.json # Routes to OpenAI
amalthea --provider universal --model claude-3-haiku --file api.json # Routes to Anthropic
amalthea --provider universal --model gemini-1.5-flash --file api.json # Routes to Google
# Universal client with security testing
amalthea --provider universal --model gpt-4o-mini --file api.json --security
# Universal client with different configurations
amalthea --provider universal --model gpt-4o-mini --file api.json --temperature 0.5 --max-tokens 2048
Benefits:
- ๐ Automatic Provider Routing - No need to specify provider manually
- ๐งฉ Consistent Interface - Same API across all providers
- ๐ก๏ธ Error Handling - Graceful fallbacks and error management
- โก Performance - Optimized routing and connection pooling
๐ ๏ธ Development
Build from Source
# Clone repository
git clone https://github.com/KSD-CO/amalthea.git
cd amalthea
# Build with Cargo
cargo build --release
# Run tests
cargo test
# Install locally
cargo install --path .
Using Make
# Build project
make build
# Run tests
make test
# Check code quality
make check
# Clean artifacts
make clean
# Complete development workflow
make dev
# Publish release (maintainers only)
make publish
Publishing Workflow
# Complete publishing workflow
make publish
# This will:
# 1. Build optimized binary for Linux x86_64
# 2. Publish to crates.io
# 3. Push Docker images (ksdco/amalthea:0.2.3, ksdco/amalthea:latest)
โ๏ธ Advanced Configuration
Custom Prompts & Templates
Amalthea allows you to customize AI prompts for specific testing needs:
# Create custom prompt templates
mkdir -p ~/.amalthea/templates
# Custom OpenAPI prompt template
cat > ~/.amalthea/templates/openapi_custom.txt << 'EOF'
You are an expert API testing specialist. Generate comprehensive test cases for the OpenAPI specification.
Current date: {current_date}
Current year: {current_year}
Requirements:
- Generate {test_count} test cases per endpoint
- Use realistic data with current dates ({current_year}+)
- Include authentication scenarios
- Cover edge cases and error conditions
- Add performance considerations
Format: JSON test cases with detailed descriptions.
EOF
# Use custom template
amalthea --provider openai --model gpt-4o-mini --file api.json --template ~/.amalthea/templates/openapi_custom.txt
Advanced AI Provider Configuration
Fine-tuning Parameters
# Temperature control (creativity vs consistency)
amalthea --provider openai --model gpt-4o-mini --file api.json --temperature 0.2 # Conservative
amalthea --provider openai --model gpt-4o-mini --file api.json --temperature 0.7 # Balanced (default)
amalthea --provider openai --model gpt-4o-mini --file api.json --temperature 0.9 # Creative
# Token limits for cost control
amalthea --provider openai --model gpt-4o-mini --file api.json --max-tokens 1024 # Concise
amalthea --provider openai --model gpt-4o-mini --file api.json --max-tokens 4096 # Detailed (default)
# Request timeout and retries
amalthea --provider openai --model gpt-4o-mini --file api.json --timeout 30 --retries 3
Custom Model Endpoints
# Custom OpenAI-compatible endpoints
export OPENAI_BASE_URL="https://api.custom-provider.com/v1"
amalthea --provider openai --model custom-gpt-4 --file api.json
# Azure OpenAI configuration
export AZURE_OPENAI_ENDPOINT="https://your-resource.openai.azure.com/"
export AZURE_OPENAI_API_KEY="your-azure-key"
amalthea --provider azure --model gpt-4o-mini --file api.json
# Local model with custom parameters
amalthea --provider local --model llama3.2:latest \
--base-url http://localhost:11434 \
--temperature 0.5 \
--max-tokens 2048 \
--file api.json
Configuration Files
.amalthea.toml Configuration
Create a configuration file for persistent settings:
# .amalthea.toml
[general]
default_provider = "openai"
default_model = "gpt-4o-mini"
output_dir = "./test_results"
parallel_requests = 5
[providers]
[providers.openai]
api_key_env = "OPENAI_API_KEY"
base_url = "https://api.openai.com/v1"
timeout = 30
retries = 3
[providers.anthropic]
api_key_env = "ANTHROPIC_API_KEY"
timeout = 45
retries = 2
[providers.local]
base_url = "http://localhost:11434"
timeout = 60
[testing]
default_test_count = 12
include_security = true
generate_only = false
[security]
enabled_checks = [
"sql_injection",
"xss",
"auth_bypass",
"rate_limiting",
"security_headers"
]
severity_threshold = "medium"
Environment Configuration
# Create comprehensive .env file
cat > .env << 'EOF'
# AI Provider Keys
OPENAI_API_KEY=sk-proj-your-openai-key
ANTHROPIC_API_KEY=sk-ant-your-claude-key
GOOGLE_API_KEY=your-google-gemini-key
# Azure OpenAI (if using)
AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com/
AZURE_OPENAI_API_KEY=your-azure-key
AZURE_OPENAI_API_VERSION=2024-02-15-preview
# Local Models
OLLAMA_HOST=http://localhost:11434
# Advanced Settings
AMALTHEA_LOG_LEVEL=info
AMALTHEA_OUTPUT_FORMAT=json
AMALTHEA_CACHE_DIR=~/.amalthea/cache
AMALTHEA_MAX_PARALLEL=5
# Testing Configuration
DEFAULT_TIMEOUT=30
DEFAULT_RETRIES=3
ENABLE_CACHE=true
EOF
๐ Knowledge Base & Best Practices
๐ง Knowledge Base Integration
Amalthea supports custom knowledge bases to generate more realistic and domain-specific test data. Knowledge bases contain valid data patterns, examples, and constraints specific to your API domain.
Creating a Knowledge Base
Create a knowledge-base.json file with your API's valid data patterns:
{
"api_name": "E-Invoice API",
"description": "Knowledge base for e-invoice API testing with valid data patterns and examples",
"valid_data": {
"invoice_id": {
"description": "Valid invoice ID patterns for e-invoice system",
"examples": [
"INV-2024-001234",
"INV-2024-005678",
"INV-2025-000001"
],
"data_type": "string",
"pattern": "^INV-\\d{4}-\\d{6}$"
},
"customer_info": {
"description": "Valid customer information structure",
"examples": [
{
"customer_id": "CUST-001234",
"name": "Cรดng ty TNHH ABC",
"tax_code": "0123456789",
"address": "123 ฤฦฐแปng ABC, Quแบญn 1, TP.HCM",
"email": "contact@abc.com",
"phone": "0901234567"
}
],
"data_type": "object"
},
"payment_method": {
"description": "Valid payment methods",
"examples": [
"CASH",
"BANK_TRANSFER",
"CREDIT_CARD",
"E_WALLET"
],
"data_type": "string"
}
}
}
Using Knowledge Base
# Generate tests with knowledge base
amalthea --provider openai --model gpt-4o-mini --file api.json --kb knowledge-base.json
# Combine with security testing
amalthea --provider openai --model gpt-4o-mini --file api.json --kb knowledge-base.json --security
# Generate HTML report with knowledge base data
amalthea --provider openai --model gpt-4o-mini --file api.json --kb knowledge-base.json --html-report
Knowledge Base Benefits
- Realistic Test Data: Generate test cases with domain-specific, valid data patterns
- Better Coverage: AI understands your data constraints and generates appropriate edge cases
- Consistency: Ensure all test cases follow your API's data standards
- Domain Expertise: Embed business logic and validation rules into test generation
API Testing Patterns
Common Test Scenarios
# E-commerce API Testing with Knowledge Base
amalthea --provider openai --model gpt-4o-mini --file ecommerce-api.json --kb ecommerce-kb.json
# Banking API Security Focus with Knowledge Base
amalthea --provider openai --model gpt-4o-mini --file banking-api.json --kb banking-kb.json --security
# Healthcare API with Compliance Data
amalthea --provider openai --model gpt-4o-mini --file healthcare-api.json --kb healthcare-kb.json --security
Test Case Categories Explained
-
Success Scenarios (200/201/204)
- Valid data with current timestamps
- Different payload variations
- Boundary value testing
- Happy path flows
-
Client Errors (400/401/403/404/422)
- Invalid input validation
- Authentication failures
- Authorization checks
- Missing required fields
-
Server Errors (500/502/503)
- Stress testing scenarios
- Invalid server states
- Dependency failures
- Rate limiting responses
-
Edge Cases
- Extremely large/small values
- Special characters and encoding
- Concurrent request handling
- Data format variations
-
Security Scenarios
- Injection attack attempts
- Authentication bypass
- Data exposure checks
- Header security validation
Performance Optimization
Cost-Effective Testing
# Optimize for cost with smaller models
amalthea --provider openai --model gpt-3.5-turbo --file api.json --max-tokens 1024
# Use local models for development
amalthea --provider local --model mistral:7b --file api.json
# Batch process multiple APIs
for api in api1.json api2.json api3.json; do
amalthea --provider openai --model gpt-4o-mini --file $api --output "results_$(basename $api)"
done
Caching Strategies
# Enable response caching
export AMALTHEA_ENABLE_CACHE=true
export AMALTHEA_CACHE_TTL=3600 # 1 hour
# Cache location
export AMALTHEA_CACHE_DIR=~/.amalthea/cache
# Clear cache when needed
rm -rf ~/.amalthea/cache/*
Integration Patterns
CI/CD Pipeline Integration
# .github/workflows/api-testing.yml
name: API Testing with Amalthea
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
jobs:
api-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Amalthea
run: |
wget https://github.com/KSD-CO/amalthea/releases/download/v0.5.0/amalthea-linux-x86_64
chmod +x amalthea-linux-x86_64
sudo mv amalthea-linux-x86_64 /usr/local/bin/amalthea
- name: Run AI Security Scan
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
run: |
amalthea --provider openai --model gpt-4o-mini --file api/openapi.json --ai-security-scan --ai-scan-intensity 3 --security --json-output - name: Upload Test Results
uses: actions/upload-artifact@v3
with:
name: api-test-results
path: test_results.json
Docker Integration
# Dockerfile for API testing container
FROM rust:1.82-slim as builder
WORKDIR /app
COPY . .
RUN cargo build --release
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y \
ca-certificates \
curl \
&& rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/target/release/amalthea /usr/local/bin/amalthea
# Create test script
COPY <<EOF /usr/local/bin/run-tests.sh
#!/bin/bash
set -e
echo "๐ Starting API Testing with Amalthea"
# Run tests with all providers
amalthea --provider openai --model gpt-4o-mini --file /data/api.json --security --output /results/openai-results.json
amalthea --provider anthropic --model claude-3-haiku --file /data/api.json --security --output /results/claude-results.json
echo "โ
Testing completed! Results saved to /results/"
EOF
RUN chmod +x /usr/local/bin/run-tests.sh
ENTRYPOINT ["/usr/local/bin/run-tests.sh"]
Troubleshooting Guide
Common Issues
-
API Key Issues
# Verify API key format echo $OPENAI_API_KEY | grep -E "^sk-proj-" # Test API connectivity curl -H "Authorization: Bearer $OPENAI_API_KEY" https://api.openai.com/v1/models -
Local Model Issues
# Check Ollama status ollama list ollama ps # Test model availability curl http://localhost:11434/api/generate -d '{"model":"mistral:latest","prompt":"test"}' -
Performance Issues
# Monitor resource usage amalthea --provider openai --model gpt-4o-mini --file large-api.json --verbose # Use smaller models for large APIs amalthea --provider openai --model gpt-3.5-turbo --file large-api.json --max-tokens 1024
Debug Mode
# Enable detailed logging
export RUST_LOG=debug
amalthea --provider openai --model gpt-4o-mini --file api.json --verbose
# Save debug output
amalthea --provider openai --model gpt-4o-mini --file api.json --debug > debug.log 2>&1
๏ฟฝ CLI Reference
Complete Command Line Options
USAGE:
amalthea [OPTIONS] --file <FILE>
OPTIONS:
-f, --file <FILE> Input file (OpenAPI spec or Postman collection)
-m, --model <MODEL> AI model to use [default: gpt-4o-mini]
-p, --provider <PROVIDER> AI provider (openai, anthropic, google, local, universal)
--api-key <API_KEY> API key for the AI provider
--base-url <BASE_URL> Base URL for API requests (for local models)
--temperature <TEMPERATURE> Temperature for AI responses (0.0-1.0) [default: 0.7]
--max-tokens <MAX_TOKENS> Maximum tokens in response [default: 4096]
--timeout <TIMEOUT> Request timeout in seconds [default: 30]
--retries <RETRIES> Number of retries for failed requests [default: 3]
-o, --output <OUTPUT> Output file for test results
--kb <KB_FILE> Knowledge base file path for realistic test data generation
--generate-only Generate test cases only (skip execution)
--security Enable security vulnerability testing
--ai-security-scan Enable AI-powered security vulnerability scanning
--ai-scan-intensity <LEVEL> AI security scan intensity level (1-5, default: 3)
--ai-scan-focus <TYPES> Focus AI security scan on specific vulnerability types
--ai-scan-confidence <THRESHOLD> AI security scan confidence threshold (0.0-1.0, default: 0.3)
--json-output Output JSON report
--generate-tests Generate tests mode - create test cases
--fuzz Enable fuzzing mode - generate random/malicious test data
--fuzz-intensity <LEVEL> Fuzzing intensity level (1-5, default: 3)
--scenarios <SCENARIOS> Test scenario type (ecommerce, banking, realtime, etc.)
--test-count <COUNT> Number of test cases to generate per endpoint [default: 12]
--parallel <PARALLEL> Number of parallel requests [default: 5]
--cache Enable response caching
--cache-ttl <TTL> Cache TTL in seconds [default: 3600]
--template <TEMPLATE> Custom prompt template file
--config <CONFIG> Configuration file path [default: .amalthea.toml]
--verbose Enable verbose output
--debug Enable debug mode
--no-color Disable colored output
--format <FORMAT> Output format (json, yaml, xml, html) [default: json]
--html-report Generate HTML report with visual charts and statistics
--report-title <TITLE> Custom title for HTML report [default: "API Test Report"]
-h, --help Print help information
-V, --version Print version information
EXAMPLES:
# Basic usage
amalthea --provider openai --model gpt-4o-mini --file api.json
# With AI-powered security scanning
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan
# AI security with custom intensity and focus
amalthea --provider openai --model gpt-4o-mini --file api.json --ai-security-scan --ai-scan-intensity 5 --ai-scan-focus "sql,xss,auth"
# With traditional security testing
amalthea --provider openai --model gpt-4o-mini --file api.json --security
# With knowledge base for realistic test data
amalthea --provider openai --model gpt-4o-mini --file api.json --kb knowledge-base.json
# Knowledge base + security testing + HTML report
amalthea --provider openai --model gpt-4o-mini --file api.json --kb knowledge-base.json --security --html-report
# Custom configuration
amalthea --provider openai --model gpt-4o-mini --file api.json --test-count 15 --temperature 0.5
# Local model with custom settings
amalthea --provider local --model mistral:latest --base-url http://localhost:11434 --file api.json
# Generate only with custom template
amalthea --provider openai --model gpt-4o-mini --file api.json --generate-only --template custom.txt
# Generate HTML report with visual charts
amalthea --provider openai --model gpt-4o-mini --file api.json --format html --output report.html
# Custom HTML report with title and security testing
amalthea --provider openai --model gpt-4o-mini --file api.json --security --html-report --report-title "My API Security Report" --output security-report.html
# Enable fuzzing for comprehensive security testing
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --security
# Fuzzing with custom intensity and knowledge base
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --fuzz-intensity 5 --kb knowledge-base.json
# Light fuzzing for development/CI pipelines
amalthea --provider openai --model gpt-4o-mini --file api.json --fuzz --fuzz-intensity 1 --generate-only
# Security-only testing
amalthea --provider openai --model gpt-4o-mini --file api.json --security --generate-only
Environment Variables Reference
# AI Provider Configuration
OPENAI_API_KEY # OpenAI API key
ANTHROPIC_API_KEY # Anthropic Claude API key
GOOGLE_API_KEY # Google Gemini API key
AZURE_OPENAI_ENDPOINT # Azure OpenAI endpoint
AZURE_OPENAI_API_KEY # Azure OpenAI API key
AZURE_OPENAI_API_VERSION # Azure OpenAI API version
OLLAMA_HOST # Ollama host URL
# Application Configuration
AMALTHEA_LOG_LEVEL # Log level (error, warn, info, debug, trace)
AMALTHEA_OUTPUT_FORMAT # Default output format (json, yaml, xml)
AMALTHEA_CACHE_DIR # Cache directory path
AMALTHEA_MAX_PARALLEL # Maximum parallel requests
AMALTHEA_ENABLE_CACHE # Enable caching (true/false)
AMALTHEA_CACHE_TTL # Cache TTL in seconds
# Testing Configuration
DEFAULT_TIMEOUT # Default request timeout
DEFAULT_RETRIES # Default retry count
DEFAULT_TEMPERATURE # Default AI temperature
DEFAULT_MAX_TOKENS # Default max tokens
DEFAULT_TEST_COUNT # Default test cases per endpoint
# Debug and Development
RUST_LOG # Rust logging configuration
RUST_BACKTRACE # Enable Rust backtraces (1, full)
๏ฟฝ HTML Reports & Visualization
Beautiful HTML Reports
Amalthea generates stunning HTML reports with interactive charts and comprehensive test results:
# Generate HTML report with all features
amalthea --provider openai --model gpt-4o-mini --file api.json --security --format html --output report.html
# Custom HTML report with title
amalthea --provider openai --model gpt-4o-mini --file api.json --html-report --report-title "E-commerce API Test Report" --output ecommerce-report.html
# Security-focused HTML report
amalthea --provider openai --model gpt-4o-mini --file api.json --security --html-report --report-title "Security Vulnerability Assessment" --output security-report.html
HTML Report Features
๐ Interactive Dashboard
- Real-time Charts - Pass/fail rates, response times, error distributions
- Test Coverage Matrix - Visual endpoint coverage with color-coded status
- Security Risk Dashboard - Vulnerability severity breakdown with recommendations
- Performance Metrics - Response time histograms and latency analysis
๐จ Visual Elements
<!-- Example HTML Report Structure -->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Amalthea API Test Report - {report_title}</title>
<link href="https://cdn.jsdelivr.net/npm/tailwindcss@2.2.19/dist/tailwind.min.css" rel="stylesheet">
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
</head>
<body class="bg-gray-50">
<!-- Header with Logo and Summary -->
<header class="bg-blue-600 text-white p-6">
<div class="flex items-center justify-between">
<div class="flex items-center">
<img src="https://amalthea.cloud/amalthea.png" alt="Amalthea" class="w-12 h-12 mr-4">
<h1 class="text-3xl font-bold">{report_title}</h1>
</div>
<div class="text-right">
<p class="text-sm">Generated: {current_date}</p>
<p class="text-sm">Provider: {ai_provider} ({model})</p>
</div>
</div>
</header>
<!-- Executive Summary Cards -->
<section class="p-6 grid grid-cols-1 md:grid-cols-4 gap-6">
<div class="bg-white rounded-lg shadow p-6 text-center">
<h3 class="text-lg font-semibold text-gray-600">Total Tests</h3>
<p class="text-4xl font-bold text-blue-600">{total_tests}</p>
</div>
<div class="bg-white rounded-lg shadow p-6 text-center">
<h3 class="text-lg font-semibold text-gray-600">Success Rate</h3>
<p class="text-4xl font-bold text-green-600">{success_rate}%</p>
</div>
<div class="bg-white rounded-lg shadow p-6 text-center">
<h3 class="text-lg font-semibold text-gray-600">Security Issues</h3>
<p class="text-4xl font-bold text-red-600">{security_issues}</p>
</div>
<div class="bg-white rounded-lg shadow p-6 text-center">
<h3 class="text-lg font-semibold text-gray-600">Avg Response</h3>
<p class="text-4xl font-bold text-purple-600">{avg_response}ms</p>
</div>
</section>
<!-- Interactive Charts Section -->
<section class="p-6 grid grid-cols-1 lg:grid-cols-2 gap-6">
<!-- Test Results Pie Chart -->
<div class="bg-white rounded-lg shadow p-6">
<h3 class="text-xl font-semibold mb-4">Test Results Distribution</h3>
<canvas id="testResultsChart"></canvas>
</div>
<!-- Security Vulnerability Radar -->
<div class="bg-white rounded-lg shadow p-6">
<h3 class="text-xl font-semibold mb-4">Security Risk Assessment</h3>
<canvas id="securityRadarChart"></canvas>
</div>
<!-- Response Time Timeline -->
<div class="bg-white rounded-lg shadow p-6 lg:col-span-2">
<h3 class="text-xl font-semibold mb-4">Response Time Analysis</h3>
<canvas id="responseTimeChart"></canvas>
</div>
</section>
</body>
</html>
๐ Detailed Test Results
- Endpoint Coverage Table - Complete list with status, method, response codes
- Test Case Details - Expandable sections with request/response data
- Error Analysis - Categorized failures with troubleshooting suggestions
- Performance Insights - Slowest endpoints and optimization recommendations
๐ก๏ธ Security Report Section
<!-- Security Vulnerability Dashboard -->
<section class="p-6">
<h2 class="text-2xl font-bold mb-6 text-red-600">๐ก๏ธ Security Assessment</h2>
<!-- Severity Level Cards -->
<div class="grid grid-cols-1 md:grid-cols-4 gap-4 mb-8">
<div class="bg-red-100 border-l-4 border-red-500 p-4">
<h4 class="font-semibold text-red-700">Critical</h4>
<p class="text-3xl font-bold text-red-600">{critical_count}</p>
</div>
<div class="bg-orange-100 border-l-4 border-orange-500 p-4">
<h4 class="font-semibold text-orange-700">High</h4>
<p class="text-3xl font-bold text-orange-600">{high_count}</p>
</div>
<div class="bg-yellow-100 border-l-4 border-yellow-500 p-4">
<h4 class="font-semibold text-yellow-700">Medium</h4>
<p class="text-3xl font-bold text-yellow-600">{medium_count}</p>
</div>
<div class="bg-blue-100 border-l-4 border-blue-500 p-4">
<h4 class="font-semibold text-blue-700">Low</h4>
<p class="text-3xl font-bold text-blue-600">{low_count}</p>
</div>
</div>
<!-- Detailed Vulnerability List -->
<div class="space-y-4">
<!-- SQL Injection Example -->
<div class="bg-white rounded-lg shadow p-6 border-l-4 border-red-500">
<div class="flex justify-between items-start">
<div>
<h4 class="text-lg font-semibold text-red-700">๐ SQL Injection Vulnerability</h4>
<p class="text-gray-600">Endpoint: /api/v1/users/{id}</p>
<p class="text-sm text-gray-500">Detected: {timestamp}</p>
</div>
<span class="bg-red-100 text-red-800 px-3 py-1 rounded-full text-sm font-medium">CRITICAL</span>
</div>
<div class="mt-4">
<p class="text-gray-700"><strong>Details:</strong> SQL error detected with payload: ' OR '1'='1</p>
<p class="text-gray-700"><strong>Risk:</strong> Potential data breach and unauthorized access</p>
<p class="text-gray-700"><strong>Recommendation:</strong> Use parameterized queries and input validation</p>
</div>
</div>
</div>
</section>
Interactive Features
๐ฏ Clickable Elements
- Test Case Expansion - Click to view full request/response details
- Filter by Status - Show only passed, failed, or security tests
- Sort by Performance - Order endpoints by response time
- Search Functionality - Find specific endpoints or test cases
๐ฑ Responsive Design
- Mobile-Friendly - Optimized for phones and tablets
- Print-Ready - Clean printing layout without interactive elements
- Dark Mode Support - Toggle between light and dark themes
- Export Options - Save charts as images or PDF
Advanced HTML Report Options
# Comprehensive report with all features
amalthea --provider openai --model gpt-4o-mini --file api.json \
--security \
--html-report \
--report-title "Production API Security Audit" \
--format html \
--output comprehensive-report.html \
--include-charts \
--include-timeline \
--dark-mode
# Performance-focused report
amalthea --provider openai --model gpt-4o-mini --file api.json \
--html-report \
--report-title "API Performance Analysis" \
--format html \
--output performance-report.html \
--include-performance-metrics \
--response-time-threshold 200
# Executive summary report (minimal details)
amalthea --provider openai --model gpt-4o-mini --file api.json \
--security \
--html-report \
--report-title "Executive API Status Report" \
--format html \
--output executive-summary.html \
--summary-only \
--hide-technical-details
Report Customization
๐จ Branding Options
# Custom branding and colors
amalthea --provider openai --model gpt-4o-mini --file api.json \
--html-report \
--report-title "Company API Testing Report" \
--format html \
--output branded-report.html \
--logo "https://company.com/logo.png" \
--primary-color "#1e40af" \
--company-name "Your Company Name"
๐ Chart Customization
- Chart Types: Pie, bar, line, radar, doughnut charts
- Color Schemes: Professional, colorful, monochrome themes
- Data Visualization: Response times, success rates, security scores
- Interactive Tooltips: Hover for detailed information
Sample HTML Report Output
When you run Amalthea with HTML output, you'll get a beautiful report like this:
๐ Generated HTML Report: report.html
๐ Dashboard Overview:
โโโ ๐งช Total Tests: 156
โโโ โ
Success Rate: 87.2%
โโโ ๐ก๏ธ Security Issues: 3 Critical, 5 High
โโโ โก Avg Response: 245ms
๐ Detailed Sections:
โโโ ๐ Interactive Charts (4 visualizations)
โโโ ๐ Test Results Table (12 endpoints)
โโโ ๐ก๏ธ Security Assessment (8 vulnerability types)
โโโ โก Performance Analysis (response time breakdown)
โโโ ๐ Executive Summary (key findings)
๐ Open in browser: file://./report.html
๏ฟฝ๐ณ Advanced Docker Usage
Production Docker Setup
# Production-ready container with all features including AI security
docker run --rm \
--name amalthea-testing \
-e OPENAI_API_KEY="$OPENAI_API_KEY" \
-e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
-e GOOGLE_API_KEY="$GOOGLE_API_KEY" \
-v $(pwd)/apis:/data \
-v $(pwd)/results:/results \
-v $(pwd)/config:/config \
ksdco/amalthea:0.5.0 \
--provider universal --model gpt-4o-mini \
--file /data/api.json \
--ai-security-scan \
--ai-scan-intensity 4 \
--security \
--config /config/.amalthea.toml \
--output /results/test-results.json
# Multi-provider testing with Docker Compose
cat > docker-compose.yml << 'EOF'
version: '3.8'
services:
amalthea-openai:
image: ksdco/amalthea:0.5.0
environment:
- OPENAI_API_KEY=${OPENAI_API_KEY}
volumes:
- ./apis:/data
- ./results:/results
command: >
--provider openai --model gpt-4o-mini
--file /data/api.json
--ai-security-scan --ai-scan-intensity 4
--security
--auth-type bearer --auth-token "${API_TOKEN}"
--output /results/openai-results.json
amalthea-claude:
image: ksdco/amalthea:0.5.0
environment:
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
volumes:
- ./apis:/data
- ./results:/results
command: >
--provider anthropic --model claude-3-haiku
--file /data/api.json --security
--auth-type jwt --auth-token "${JWT_TOKEN}"
--output /results/claude-results.json
amalthea-local:
image: ksdco/amalthea:0.3.0
network_mode: host
volumes:
- ./apis:/data
- ./results:/results
command: >
--provider local --model mistral:latest
--base-url http://localhost:11434
--file /data/api.json --security
--output /results/local-results.json
depends_on:
- ollama
ollama:
image: ollama/ollama:latest
ports:
- "11434:11434"
volumes:
- ollama_data:/root/.ollama
command: serve
volumes:
ollama_data:
EOF
# Run multi-provider testing
docker-compose up --abort-on-container-exit
Kubernetes Deployment
# k8s/amalthea-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: api-testing-job
spec:
template:
spec:
containers:
- name: amalthea
image: ksdco/amalthea:0.2.3
command: ["/usr/local/bin/amalthea"]
args:
- --provider
- openai
- --model
- gpt-4o-mini
- --file
- /data/api.json
- --security
- --output
- /results/test-results.json
env:
- name: OPENAI_API_KEY
valueFrom:
secretKeyRef:
name: ai-keys
key: openai-key
volumeMounts:
- name: api-specs
mountPath: /data
- name: results
mountPath: /results
volumes:
- name: api-specs
configMap:
name: api-specifications
- name: results
persistentVolumeClaim:
claimName: test-results-pvc
restartPolicy: Never
backoffLimit: 3
---
apiVersion: v1
kind: Secret
metadata:
name: ai-keys
type: Opaque
data:
openai-key: <base64-encoded-openai-key>
anthropic-key: <base64-encoded-anthropic-key>
google-key: <base64-encoded-google-key>
Custom Docker Images
# Dockerfile.custom - Custom image with additional tools
FROM ksdco/amalthea:0.3.0
USER root
# Install additional testing tools
RUN apt-get update && apt-get install -y \
jq \
curl \
git \
python3 \
python3-pip \
&& rm -rf /var/lib/apt/lists/*
# Install Python tools for result processing
RUN pip3 install \
requests \
jsonschema \
pyyaml \
tabulate
# Add custom scripts
COPY scripts/ /usr/local/scripts/
RUN chmod +x /usr/local/scripts/*.sh
# Custom entrypoint with pre/post processing
COPY <<EOF /usr/local/bin/custom-entrypoint.sh
#!/bin/bash
set -e
echo "๐ Starting Custom API Testing Pipeline"
# Pre-processing
/usr/local/scripts/preprocess.sh
# Main testing
amalthea "$@"
# Post-processing
/usr/local/scripts/postprocess.sh
echo "โ
Testing pipeline completed!"
EOF
RUN chmod +x /usr/local/bin/custom-entrypoint.sh
ENTRYPOINT ["/usr/local/bin/custom-entrypoint.sh"]
๐ค Contributing
We welcome contributions! Please see our Contributing Guide for details.
Quick Contribution Steps
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
๐ License
This project is licensed under the MIT License - see the LICENSE file for details.
๐ Support
- โญ Star this repository if you find it helpful
- ๐ Report bugs via GitHub Issues
- ๐ฌ Join discussions in GitHub Discussions
- ๐ Read the documentation at amalthea.cloud
Built with โค๏ธ by KSD.CO using Rust ๐ฆ