Skip to main content

Test Runner

Running Security Tests with Levo.ai

Levo provides you with the ability to run security tests on your application endpoints. These tests can be executed in the following environments:

  • On the Cloud
  • On-Premises

Requirements for Running Security Tests

To successfully run security tests, you need:

  1. A target service URL that is reachable.
  2. A valid configuration for authenticated endpoints.
  3. Valid API endpoint parameters.

Testing Publicly Reachable Services

If your target service is publicly accessible, you can directly run security tests from the Levo Cloud.

Testing Internal Services

For internal services that are not publicly reachable, you can use the Levo Testrunner. The testrunner is a service that can be installed on your premises.

Once you initiate security tests from the Levo UI, the testrunner will:

  • Pull the tests to your premises.
  • Execute them internally.

This approach ensures secure testing of internal APIs.

Installation

You can install the testrunner

Prerequisites

Before installation, ensure the following:

  1. Levo Authorization Token: Refer to Generate a CLI Authorization Key.
  2. Organization ID: Refer to Find your Organization ID.
  3. Helm or Docker: Install the appropriate tool based on your chosen installation method.

Install Testrunner via Helm on Kubernetes

Follow these steps to install the testrunner in a Kubernetes environment:

  1. Add Levo Helm Repository:
helm repo add levoai https://levoai.github.io/helm-charts/
  1. Install the Testrunner Helm Chart:
helm upgrade --install -n levoai --create-namespace \
--set key="auth-key" \
--set orgId="organization id" \
--set levoBaseUrl="<ApiUrl />" \
testrunner levoai/testrunner
info

For apps hosted in different regions, update the levoBaseUrl. For example, if the testrunner is used with app.india-1.levo.ai:

helm upgrade --install -n levoai --create-namespace \
--set key="auth-key" \
--set orgId="organization id" \
--set levoBaseUrl="https://api.india-1.levo.ai" \
testrunner levoai/testrunner

For starting the testrunner with a group, select the group name created on the Levoai SaaS

helm upgrade --install -n levoai --create-namespace \
--set key="auth-key" \
--set orgId="organization id" \
--set levoBaseUrl="<ApiUrl />" \
--set group="group-name" \
testrunner levoai/testrunner

Install Testrunner via Docker

If Docker is installed on your machine, follow these steps to start the testrunner:

  1. Download the
    Loading...
    script.
  2. Make the script executable:
chmod +x levoai-testrunner.sh
  1. Create .env file in the same directory to set the required environment variables:
LEVOAI_AUTH_KEY=<your-auth-key>
LEVOAI_ORG_ID=<your-organization-id>
info

For customers hosted in India region, add LEVOAI_BASE_URL environment variable too.

LEVOAI_BASE_URL=https://api.india-1.levo.ai

For starting the testrunner with a group, select the group name created on the Levoai SaaS. In the the .env file, add

LEVOAI_TESTRUNNER_GROUP=<group-name>
  1. Start the testrunner:
./levoai-testrunner.sh start
note

If you are running the script with sudo, ensure that the environment variables are also set with sudo. Otherwise, the script will not have access to these variables.

Alternatively, you can use the -E flag with sudo to preserve the user-defined environment variables, like this:

sudo -E ./levoai-testrunner.sh start

This ensures the script can access the required environment variables without explicitly redefining them under sudo.

  1. Stop the testrunner:
./levoai-testrunner.sh stop

TLS / Certificate Configuration

If your target service uses a custom or self-signed CA, or requires mutual TLS (mTLS), configure the testrunner with the following environment variables:

Environment VariablePurpose
CA_CERT_PATHPath to a custom CA certificate used to verify the target's TLS certificate
CLIENT_CERT_PATHPath to the client certificate for mTLS authentication
CLIENT_KEY_PATHPath to the client private key for mTLS authentication
REQUESTS_CA_BUNDLEPath to a CA bundle used for both target and Levo SaaS calls
info

Use CA_CERT_PATH when only the target needs a custom CA. Use REQUESTS_CA_BUNDLE if you also need the custom CA to be trusted for calls to the Levo SaaS platform.

Helm (Kubernetes)

Step 1 — Create a Kubernetes secret from your cert files:

CA-only (no mTLS)

If you only need a custom CA and do not require mutual TLS, omit the --from-file=client-cert.pem and --from-file=client-key.pem lines below.

kubectl create secret generic testrunner-certs \
  --from-file=ca-cert.pem=./your-ca.pem \
  --from-file=client-cert.pem=./your-client.pem \
  --from-file=client-key.pem=./your-client.key \
  -n levoai

Step 2 — Pass the cert configuration when installing or upgrading the helm chart:

helm upgrade --install -n levoai --create-namespace \
  --set key="auth-key" \
  --set orgId="organization-id" \
  --set "extraEnv[0].name=CA_CERT_PATH" \
  --set "extraEnv[0].value=/etc/levo/certs/ca-cert.pem" \
  --set "extraEnv[1].name=CLIENT_CERT_PATH" \
  --set "extraEnv[1].value=/etc/levo/certs/client-cert.pem" \
  --set "extraEnv[2].name=CLIENT_KEY_PATH" \
  --set "extraEnv[2].value=/etc/levo/certs/client-key.pem" \
  --set "extraVolumes[0].name=testrunner-certs" \
  --set "extraVolumes[0].secret.secretName=testrunner-certs" \
  --set "extraVolumeMounts[0].name=testrunner-certs" \
  --set "extraVolumeMounts[0].mountPath=/etc/levo/certs" \
  --set "extraVolumeMounts[0].readOnly=true" \
  testrunner levoai/testrunner

Alternatively, use a values.yaml file:

extraEnv:
  - name: CA_CERT_PATH
    value: /etc/levo/certs/ca-cert.pem
  - name: CLIENT_CERT_PATH      # only required for mTLS
    value: /etc/levo/certs/client-cert.pem
  - name: CLIENT_KEY_PATH       # only required for mTLS
    value: /etc/levo/certs/client-key.pem
  # Use REQUESTS_CA_BUNDLE instead of (or in addition to) CA_CERT_PATH if you also
  # need the custom CA to be trusted for outbound calls to the Levo SaaS platform.
  # - name: REQUESTS_CA_BUNDLE
  #   value: /etc/levo/certs/ca-cert.pem

extraVolumes:
  - name: testrunner-certs
    secret:
      secretName: testrunner-certs

extraVolumeMounts:
  - name: testrunner-certs
    mountPath: /etc/levo/certs
    readOnly: true

Then apply with:

helm upgrade --install -n levoai --create-namespace \
  --set key="auth-key" \
  --set orgId="organization-id" \
  -f values.yaml \
  testrunner levoai/testrunner

Docker

Step 1 — Place your cert files in a directory, e.g. ./certs/.

Step 2 — Add the cert env vars to your .env file:

LEVOAI_AUTH_KEY=<your-auth-key>
LEVOAI_ORG_ID=<your-organization-id>
CA_CERT_PATH=/etc/levo/certs/ca-cert.pem
CLIENT_CERT_PATH=/etc/levo/certs/client-cert.pem  # only required for mTLS
CLIENT_KEY_PATH=/etc/levo/certs/client-key.pem    # only required for mTLS
# Use REQUESTS_CA_BUNDLE instead of (or in addition to) CA_CERT_PATH if you also
# need the custom CA trusted for calls to the Levo SaaS platform.
# REQUESTS_CA_BUNDLE=/etc/levo/certs/ca-cert.pem

Step 3 — Mount the certs directory when starting the testrunner. If using the levoai-testrunner.sh script, set LEVO_EXTRA_DOCKER_ARGS before running:

export LEVO_EXTRA_DOCKER_ARGS="-v $(pwd)/certs:/etc/levo/certs:ro"
./levoai-testrunner.sh start

Need Help?

For further assistance, please reach out to support@levo.ai.

Was this page helpful?