'use client' import { useState } from 'react' import AdminLayout from '@/components/admin/AdminLayout' import { WizardStepper, WizardNavigation, EducationCard, ArchitectureContext, TestRunner, TestSummary, type WizardStep, type TestCategoryResult, type FullTestResults, type EducationContent, type ArchitectureContextType, } from '@/components/wizard' // ============================================== // Constants // ============================================== const BACKEND_URL = process.env.NEXT_PUBLIC_BACKEND_URL || 'http://localhost:8000' const STEPS: WizardStep[] = [ { id: 'welcome', name: 'Willkommen', icon: '👋', status: 'pending' }, { id: 'api-health', name: 'API Status', icon: '💚', status: 'pending', category: 'api-health' }, { id: 'sast', name: 'SAST', icon: '🔍', status: 'pending', category: 'sast' }, { id: 'sca', name: 'SCA', icon: '📦', status: 'pending', category: 'sca' }, { id: 'secrets', name: 'Secrets', icon: '🔑', status: 'pending', category: 'secrets' }, { id: 'sbom', name: 'SBOM', icon: '📋', status: 'pending', category: 'sbom' }, { id: 'summary', name: 'Zusammenfassung', icon: '📊', status: 'pending' }, ] const EDUCATION_CONTENT: Record = { 'welcome': { title: 'Willkommen zum Security Wizard', content: [ 'DevSecOps integriert Sicherheit in den gesamten Entwicklungsprozess.', '', 'In diesem Wizard lernen Sie:', '• SAST: Statische Code-Analyse mit Semgrep', '• SCA: Abhaengigkeits-Scans mit Trivy/Grype', '• Secrets: Erkennung von Credentials im Code', '• SBOM: Software Bill of Materials', '', 'Shift Left Security: Fehler frueh finden, nicht in Produktion!', ], }, 'api-health': { title: 'Security API - DevSecOps Dashboard', content: [ 'Die Security API steuert alle Sicherheitsscans.', '', 'Endpunkte:', '• /api/security/scan - Scan starten', '• /api/security/findings - Ergebnisse abrufen', '• /api/security/sbom - SBOM generieren', '• /api/security/dashboard - Uebersicht', '', 'Verfuegbarkeit kritisch fuer:', '• CI/CD Pipeline Integration', '• Automatisierte Security Gates', '• Compliance Reporting', ], }, 'sast': { title: 'SAST - Static Application Security Testing', content: [ 'Semgrep analysiert Quellcode OHNE ihn auszufuehren.', '', 'Findet:', '• SQL Injection Patterns', '• XSS Vulnerabilities', '• Hardcoded Credentials', '• Insecure Crypto Usage', '• Path Traversal Risks', '', 'Vorteile:', '• Schnell (Minuten, nicht Stunden)', '• Findet Fehler VOR dem Deployment', '• Keine laufende Anwendung noetig', ], }, 'sca': { title: 'SCA - Software Composition Analysis', content: [ 'Prueft Abhaengigkeiten auf bekannte Schwachstellen (CVEs).', '', 'Gescannt werden:', '• Python packages (requirements.txt)', '• Node modules (package.json)', '• Go modules (go.mod)', '• Container Images', '', 'Bekannte Angriffe:', '• Log4Shell (CVE-2021-44228)', '• NPM Supply Chain Attacks', '• PyPI Typosquatting', ], }, 'secrets': { title: 'Secret Detection mit Gitleaks', content: [ 'Findet versehentlich eingecheckte Secrets:', '', '• AWS/GCP/Azure Credentials', '• Database Passwords', '• Private SSH Keys', '• OAuth Tokens', '• JWT Secrets', '', 'Risiken ohne Detection:', '• Kompromittierte Cloud-Accounts', '• Datenlecks durch DB-Zugriff', '• Git History: Einmal gepusht, schwer zu entfernen!', ], }, 'sbom': { title: 'SBOM - Software Bill of Materials', content: [ 'Vollstaendige Inventarliste aller Software-Komponenten.', '', 'Rechtliche Anforderungen:', '• US Executive Order 14028 (2021)', '• EU Cyber Resilience Act', '• Supply Chain Transparency', '', 'Inhalt:', '• Alle Abhaengigkeiten mit Versionen', '• Lizenzen (GPL, MIT, Apache, etc.)', '• Bekannte Vulnerabilities', '', 'Bei Zero-Day: Schnell pruefen wer betroffen ist', ], }, 'summary': { title: 'Test-Zusammenfassung', content: [ 'Hier sehen Sie eine Uebersicht aller durchgefuehrten Tests:', '• Anzahl bestandener Tests', '• Fehlgeschlagene Tests mit Details', '• Empfehlungen zur Behebung', ], }, } const ARCHITECTURE_CONTEXTS: Record = { 'api-health': { layer: 'api', services: ['backend'], dependencies: ['PostgreSQL', 'Scanner Tools'], dataFlow: ['API Request', 'Scanner Dispatch', 'Result Storage'], }, 'sast': { layer: 'service', services: ['backend'], dependencies: ['semgrep', 'Git Repository'], dataFlow: ['Source Code', 'Semgrep Scanner', 'Findings', 'Dashboard'], }, 'sca': { layer: 'service', services: ['backend'], dependencies: ['trivy', 'grype', 'CVE Database'], dataFlow: ['Dependencies', 'Scanner', 'CVE Lookup', 'Report'], }, 'secrets': { layer: 'service', services: ['backend'], dependencies: ['gitleaks', 'Git Repository'], dataFlow: ['Git History', 'Pattern Matching', 'Findings'], }, 'sbom': { layer: 'service', services: ['backend'], dependencies: ['syft', 'cyclonedx'], dataFlow: ['Container/Code', 'Syft Analysis', 'CycloneDX SBOM'], }, } // ============================================== // Main Component // ============================================== export default function SecurityWizardPage() { const [currentStep, setCurrentStep] = useState(0) const [steps, setSteps] = useState(STEPS) const [categoryResults, setCategoryResults] = useState>({}) const [fullResults, setFullResults] = useState(null) const [isLoading, setIsLoading] = useState(false) const [error, setError] = useState(null) const currentStepData = steps[currentStep] const isTestStep = currentStepData?.category !== undefined const isWelcome = currentStepData?.id === 'welcome' const isSummary = currentStepData?.id === 'summary' const runCategoryTest = async (category: string) => { setIsLoading(true) setError(null) try { const response = await fetch(`${BACKEND_URL}/api/admin/security-tests/${category}`, { method: 'POST', }) if (!response.ok) { throw new Error(`HTTP ${response.status}: ${response.statusText}`) } const result: TestCategoryResult = await response.json() setCategoryResults((prev) => ({ ...prev, [category]: result })) setSteps((prev) => prev.map((step) => step.category === category ? { ...step, status: result.failed === 0 ? 'completed' : 'failed' } : step ) ) } catch (err) { setError(err instanceof Error ? err.message : 'Unbekannter Fehler') } finally { setIsLoading(false) } } const runAllTests = async () => { setIsLoading(true) setError(null) try { const response = await fetch(`${BACKEND_URL}/api/admin/security-tests/run-all`, { method: 'POST', }) if (!response.ok) { throw new Error(`HTTP ${response.status}: ${response.statusText}`) } const results: FullTestResults = await response.json() setFullResults(results) setSteps((prev) => prev.map((step) => { if (step.category) { const catResult = results.categories.find((c) => c.category === step.category) if (catResult) { return { ...step, status: catResult.failed === 0 ? 'completed' : 'failed' } } } return step }) ) const newCategoryResults: Record = {} results.categories.forEach((cat) => { newCategoryResults[cat.category] = cat }) setCategoryResults(newCategoryResults) } catch (err) { setError(err instanceof Error ? err.message : 'Unbekannter Fehler') } finally { setIsLoading(false) } } const goToNext = () => { if (currentStep < steps.length - 1) { setSteps((prev) => prev.map((step, idx) => idx === currentStep && step.status === 'pending' ? { ...step, status: 'completed' } : step ) ) setCurrentStep((prev) => prev + 1) } } const goToPrev = () => { if (currentStep > 0) { setCurrentStep((prev) => prev - 1) } } const handleStepClick = (index: number) => { if (index <= currentStep || steps[index - 1]?.status !== 'pending') { setCurrentStep(index) } } return ( {/* Header */}
🛡️

DevSecOps Test Wizard

SAST, SCA, Secrets, SBOM

← Zurueck zum Security Dashboard
{/* Stepper */}
{/* Content */}
{currentStepData?.icon}

Schritt {currentStep + 1}: {currentStepData?.name}

{currentStep + 1} von {steps.length}

{isTestStep && currentStepData?.category && ARCHITECTURE_CONTEXTS[currentStepData.category] && ( )} {error && (
Fehler: {error}
)} {isWelcome && (
)} {isTestStep && currentStepData?.category && ( runCategoryTest(currentStepData.category!)} /> )} {isSummary && (
{!fullResults ? (

Fuehren Sie alle Tests aus um eine Zusammenfassung zu sehen.

) : ( )}
)}
Diese Tests pruefen die DevSecOps Security-Konfiguration. Bei Fragen wenden Sie sich an das Security-Team.
) }