Show HN: We built a tool that automatically generates API tests

[Wissmueller]

Hi, this is Mish and Sebastian. We are working on Step CI - a fully automated API testing platform for developers.

Step CI works programming-language independent and for different API paradigms (REST, GraphQL, XML).

Our CLI and test runner are available on GitHub (https://github.com/stepci) under the MPLv2 license.

Since our last launch, Step CI is now able to generate automated tests for your API based on your OpenAPI (Swagger) spec. This saves you a lot of time as you never have to write and maintain your tests again!

We would like to invite you to try our tool and give us feedback! Please star us on GitHub, if you like what we are working on!

We are very thankful for your attention and any feedback or suggestions we receive from you :)

Mish and Sebastian from Germany

[thiht]

From my experience, generated tests are worthless for anything more serious than smoke tests. I prefer working with no tests than automated tests, I feel they give you a false sense of confidence.

The Step CI engine itself looks good though. It looks like a cleaner, but less powerful version of a tool (open source, build in-house) we used when I worked at OVHcloud, Venom: https://github.com/ovh/venom

Here's an example test file for the HTTP executor of Venom: https://github.com/ovh/venom/blob/master/tests/http.yml it's very close to Step CI format.

I'd still use Venom because it's way more powerful (you have DB executors for example, so after executing a POST request you can actually check in DB that you have what you expect) and I prefer focusing on actually writing integration tests instead of generating them.

Maybe this post sounds harsh (I feel it as I write it because I have strong feelings against test generation) but I think your approach is a good one for actually writing automated tests. Testing APIs declaratively like this has a great benefit: your tests work on an interface. You can migrate your API to a whole new stack and your tests remain the same. I did it multiple time at OVHcloud: one time migrating a huge API from a Go router to another (Gin->Echo), and another time migrating public APIs from a legacy, in-house Perl engine to a Go server.

[ushakov]

Hello, Thibaut. We appreciate the honesty!

> I prefer working with no tests than automated tests

We hear this often from our user-interviews and this is something we would like to change

I have just learned about Venom from a fellow hacker yesterday. We're more focused on Web APIs and offer more features there. The key difference is that we're not just a CLI tool, but also a library, that you can use in other applications.

Our end goal is to free you from writing tests

[Wissmueller]

> I have strong feelings against test generation

Thanks for your critical feedback.

Could you please tell us more about your strong opinion against test generation?

[thiht]

> Could you please tell us more about your strong opinion against test generation?

I don't believe generated tests can test anything relevant, and to me they're just a kind of mental load. One day they break, for who knows why and you have to fix them, not knowing how they work or what they do, even doubting the value they add.

To me tests should be business focused and thoroughly thought out. Knowing that your endpoint returns a JSON with a certain format is far from enough:

- it also has to return data that makes sense, generated tests cannot give me that

- and more importantly, the API endpoints that are the most useful to test have side effects. A PUT will probably modify data in a database somewhere. A POST may trigger an asynchronous action. Inputs and outputs are worth testing thoroughly, but you have to check the side effects too. In a good test you'll check what's in db before and after your actions. That's why I love Venom, because it allows me to precisely check the state of all my system.

To be fair, I also have strong feelings against generated code in general because it's always been an impediment more than anything. I worked with JHipster for some time (a Java generator) and it's still nightmare fuel to me.

Again, take this with a grain of salt, others may have a different vision on how testing should work.

[LeonidBugaev]

If you are looking for a more general tool, which can do not only API tests, but also interact with Databases and etc, but still use declrative syntax, try Venom https://github.com/ovh/venom

[Wissmueller]

Hi, this is Sebastian from Step CI

Thanks for sharing Venom!

Certainly, there are lots of tools in the space, both SaaS and open-source. Mish and I can name you a few!

However, there’s one thing these tools seem to be missing - a greater goal.

Our vision is to give you a tool that will free you from writing and maintaining API tests ever again - in any shape or form. What you currently see from us is the first step!

[itake]

> Venom is a CLI (Command Line Interface) that aim to create, manage and run your integration tests with efficiency.

The linked repo seems to have a greater goal.

[intelVISA]

I'm torn, half of me wants to support them for the hustle but I can't shake the strong "accidentally swallowed the same BS we fed the VCs" vibes.

But also in the same vein nothing really is that unique, if they can make some coins this way: who are we to judge?

[sly010]

or python https://www.python.org/

[airocker]

Why use venom? Why not just pytest ?

[inglor]

How do you deal with state between API calls? (For example, a user filling a shopping cart, getting discounts based on their geo/products and then checking out)

[ushakov]

Hello, this is Mish from Step CI

Thanks for your question!

We allow you to capture content like headers, response and cookies between steps using captures, check out the "Captures" example in our Demo

Here's a documentation with examples for all capture types: https://github.com/stepci/stepci/blob/main/docs/workflow-syn...

also: we manage cookies for you automatically

[fernandopj]

Does capture implement what I'm trying to discuss here? https://github.com/stepci/stepci/discussions/17

[ushakov]

I answered you on GitHub!

[jicea]

Really cool, with already a lot of features!

Given the raise of CI/CD, I really think these kind of tools (CLI tests on HTTP requests), based on a simple format, will be really important. We've build Hurl (https://github.com/Orange-OpenSource/hurl), that shares a lot of similarities with Step CI (plain text instead of yaml, captures, jsonpath, xpath etc...). I will shamelessly take inspiration for some new features (like GraphQL for instance)!

[Sebastian_Wis]

Oh, nice to meet you!

Our Matcher functionality was actually inspired by Hurl (you call them predicates!)! We would take your inspiration from us as a huge compliment :)

The main difference between Hurl and Step CI is from our persepective an ideological one. What do you think?

Hurl is a CLI tool, while Step CI is a library. This means that you can include our Test Runner (https://github.com/stepci/runner) and use it with other tools. For example, you can combine it with testing frameworks like Mocha, Jest, and Ava (https://github.com/stepci/stepci/blob/main/docs/using-test-t...) or build your own platform on top of it.

That's what's so nice about open source.

[jicea]

Yes, I can see that! We focus on the CLI and I see how Step CI can shine. Happy to be a (small) source of inspiration. Good luck with Step CI!

[fernandopj]

Fantastic project. I worked on something similar that had the same approach, but the main goal was to test availability in different environments (dev, stage, production) against the same tests. We also had the feature of using the result of one test as input to another, so a complete user case from an API could be tested (auth, POST data, GET results)

[mkl95]

OpenAPI Generator + This tool + some good UI would be a killer combination

[airocker]

Hi , I tried to build cli from swagger, it was a disaster: very verbose and did not really work. I am wondering what’s the verbosity of your tool. How do you deal with imperfect specs?

[Wissmueller]

We’re sorry to hear that! Would you mind sharing some context with us?

Our OpenAPI (Swagger) integration is currently in Beta and only available through our website. We acknowledge, that it is not ready for prime-time just yet

Everything we do is open-source. You can see the list of issues in the repository and contribute if possible: https://github.com/stepci/plugin-openapi/issues

Disclaimer: We have tested our OpenAPI integration with the Petstore example and some other API definitions we had available. In both cases the generated tests would run after only some little adjustments

[airocker]

Swagger has the ability to turn api definition to libraries in any language. It is too verbose

[raydiatian]

openapi is insanely verbose. I personally treat openapi as an interchange format: I don’t write it by hand. The best workflow I’ve found thus far is:

FastAPI (Python) or NestJS to produce self documented APIs via route annotations, handled by framework, and then from that, export an openapi file that you use to create the client in your necessary language. In so doing, every service I make can be commanded with ease by whoever wants to use it, at minimal overhead for me as the service maintainer.

It was a decent amount of effort to work out the bugs, enough so that I think better documentation around getting setup would be valuable, but of course the documentation is so cross-cutting that it’s difficult. But the work was well worth it—I’m much happier with this workflow where I don’t have to roll a service layer lib for my front end, nor use vanilla fetch libraries.

[airocker]

The client's it generates, is there a way to make them nice and usable? they seem not very user friendly.

[raydiatian]

> Nice and usable

Perhaps you could clarify your criteria for usability further, but each of my service-client’s methods are 100% type-safe. This is because Nest and Fast encourage the use of (and subsequently export type information from) the DTO pattern. Service-clients constructors have plug-holes for obvious stuff like url & headers, you make API requests via method, I never feel that I’m needlessly repeating myself. Can’t imagine what else there is to meet usability needs, it works great, I can even make the method names pop out camel_case on the service client if I want to.

Perhaps my only gripe about the technique is that some request/response object types, specifically ones with recursive typing, become a hassle to code up as DTOs with the type annotations. I don’t understand why it’s a problem because it shouldn’t be, but it can knock you out of your flow if you don’t get it right the first time. The alternative, manually updating my service clients or using fetch libraries, is not type safe and thus is far worse, so frankly I’ll take it.

[SeriousM]

Some years ago I setup postman tests and run it with cli during deployment tests. The whole hassle with postman ui just makes it really not fun work with it even for simple tasks depending on each other. I wanted to use restclient from vscode where you just define requests in a raw format but there was no usable output to process for azure devops. I will give this project a chance to get things done in a convenient way. Thanks!

[ushakov]

Thank you! We'd be happy to hear about your experience with Step CI

If you have any questions, feel free to post to our GitHub Discussions: https://github.com/stepci/stepci/discussions

[barefeg]

I was looking in the site to understand the automatic generation of tests from OpenAPI but I couldn’t find it. Maybe it’s very obvious but I missed it. Does it mean that it produces test cases from the examples provided? Or how does it figure out the request response pairs?

[Wissmueller]

Thank you for the question!:)

You can generate tests from your OpenAPI definition using the “import from OpenAPI” button on our website.

The tests are generated from your request/response examples. If there are no examples given/available, we will generate examples for you based on the schema provided.

[barefeg]

Thanks for the quick answer! Are the examples generated based on the types? As in if a field is set as an integer, the tests will pass arbitrary integers? But still how does it know how to produce positive examples? Do you maybe have some documentation on this functionality?

[ushakov]

Yes! We generate placeholder values that are based on the types defined in your schema

We don't have documentation for it at the moment, but the code for our OpenAPI integration is open-source on GitHub: https://github.com/stepci/plugin-openapi

[yuvalsteuer]

Love it!

> "never have to write and maintain your tests again!"

this feels a bit misleading though.

What are you doing step ci? :D

[Sebastian_Wis]

We have been watching you and we know testing APIs is your hobby and you spend a lot of time on it. We'll have to take it away from you! ;)

Just give us a little more time and hopefully your support. :)

[yuvalsteuer]

Haha! love the spirit! :)

[APhoenixRises]

How does Step CI handle testing business logic? I don't see how anything other than input/boundary testing could be generated automatically.

[ushakov]

Currently we are doing what is called "Synthetic monitoring"

https://en.wikipedia.org/wiki/Synthetic_monitoring

You can subscribe to our newsletter if you want to get updates once we add new features or make new tools!

[devoutsalsa]

There’s no way they could automate any non-trivial tests. That’s why we still have jobs.

[BerislavLopac]

How does this compare to Schemathesis [0]?

[0] https://schemathesis.readthedocs.io

[ushakov]

Mish from Step CI here

Great question. We are aware of Schemathesis

I believe the main difference is that our solution is very configurable, unopinionated and no-code. Schemathesis doesn't offer you an easy way to configure tests, relies on OpenAPI instead and for anything more complicated requires you to use Python

Maybe you could add something else?

[dmitry_dygalo]

Hi, Schemathesis author here

I'd add that Schemathesis is essentially a fuzzer, where from the first glance Step CI is not (correct me if I am wrong).

[reagan83]

This is a great idea & brilliantly executed. I love to see the innovation in this space. Nice work Mish and Sebastian!

[fernandorojo]

Cool idea. I’ll definitely check it out. We’ve been thinking of making something similar internally.

[ushakov]

Hello Fernando, this is Mish from Step CI

We're glad you liked the idea! I had this idea in my head for about 2 years until I met Sebastian and we decided to give it a try!

We already support sending GraphQL queries and validating the responses

Soon we will also be able to generate automated API tests based on your GraphQL Schema. You can watch our main repository (https://github.com/stepci/stepci) or subscribe to our newsletter to follow our progress!

Thanks in advance for checking out our tool!

[jzig]

Yo, I tried uploading my openapi.json file and all I got was a big error on the right hand side.

[jzig]

In the console:

``` Uncaught YAMLParseError: The : indicator must be at most 1024 chars after the start of an implicit block mapping key at line 5551, column 3:

    #     $ref: '#/components/schemas/String'
  schemas:
  ^^^^^^^

```

Edit: Apparently I have some validation errors when pasting into the Swagger Editor. That must be why; will have to fix those up and try again.

[ushakov]

Hello, did you try again? Please let us know how it went!

[yuvalsteuer]

BTW I appreciate good UI, your site is incredible, how did you build it?

[ushakov]

Mish from Step CI here

We too like good UI! Our website is built with Nuxt and the Demo with CodeMirror 6

[raydiatian]

Way to go guys.

[manishrana]

This is really a useful tool

[mrwnmonm]

love the design