{"id":50713101,"url":"https://github.com/IBM/simrun","last_synced_at":"2026-06-26T17:00:43.198Z","repository":{"id":361490987,"uuid":"1251484753","full_name":"IBM/simrun","owner":"IBM","description":"Attack Simulation Platform (ASP) for detection testing","archived":false,"fork":false,"pushed_at":"2026-06-23T21:26:42.000Z","size":730,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-25T00:20:51.239Z","etag":null,"topics":["attack-simulation","cloud-security","detection-engineering","security","security-automation","threat-detection"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IBM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-27T16:15:03.000Z","updated_at":"2026-06-23T21:26:36.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/IBM/simrun","commit_stats":null,"previous_names":["ibm/simrun"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/IBM/simrun","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2Fsimrun","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2Fsimrun/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2Fsimrun/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2Fsimrun/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IBM","download_url":"https://codeload.github.com/IBM/simrun/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IBM%2Fsimrun/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34825611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-26T02:00:06.560Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack-simulation","cloud-security","detection-engineering","security","security-automation","threat-detection"],"created_at":"2026-06-09T17:00:26.107Z","updated_at":"2026-06-26T17:00:43.193Z","avatar_url":"https://github.com/IBM.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# SimRun\n\nSimRun is an **Attack Simulation Platform (ASP)** for detection testing. It **detonates**\nattack simulations and verifies that the security alerts you expect fire in your SIEM\n(currently only Elastic Security is supported).\n\nIt ships as a single Go binary serving a REST API + WebSocket interface backed by\nPostgreSQL, with an embedded SvelteKit frontend.\n\n## Getting Started\n\n### Prerequisites\n\n- [mise](https://mise.jdx.dev/) — manages the Go 1.25 and Node 22 toolchains (or install them yourself)\n- PostgreSQL\n\n### Build\n\n```bash\nmise build   # builds the SvelteKit frontend and the simrun binary into dist/simrun\n```\n\n### Run\n\nsimrun requires a PostgreSQL database; schema migrations run automatically on startup.\n\n```bash\nexport SR_DATABASE_URL=\"postgres://user:pass@localhost:5432/simrun?sslmode=disable\"\n./dist/simrun\n```\n\nThe UI and API are then served on http://localhost:8080.\n\n\u003e Authentication is optional. Without `SR_GOOGLE_CLIENT_ID`/`SR_GOOGLE_CLIENT_SECRET`,\n\u003e login is disabled and the app runs unauthenticated\n\n## Configuration\n\nDeploy-time configuration is read from environment variables — the only `SR_*` env\nsurface. Everything else (connectors, secrets, packs, schedules, scenarios, app\ndefaults) lives in the database and is managed through the web UI.\n\n| Variable | Required | Default | Description |\n|---|---|---|---|\n| `SR_DATABASE_URL` | yes | — | PostgreSQL connection string |\n| `SR_WEB_PORT` | no | `8080` | HTTP listen port |\n| `SR_DATA_DIR` | no | `~/.simrun` | Local data dir (encryption key, SSH logs) |\n| `SR_ENCRYPTION_KEY_FILE` | no | `$SR_DATA_DIR/encryption.key` | Key file for encrypting stored secrets |\n| `SR_DEBUG` | no | off | Verbose logging when set to a non-zero value |\n| `SR_WEB_URL` | no | — | External base URL (used for OAuth redirects) |\n| `SR_GOOGLE_CLIENT_ID` / `SR_GOOGLE_CLIENT_SECRET` | no | — | Google OAuth credentials (enables login) |\n| `SR_GOOGLE_ALLOWED_DOMAIN` | no | — | Restrict OAuth login to a Google Workspace domain |\n| `SR_AUTH_SESSION_TTL_HOURS` | no | `168` | Session lifetime in hours |\n\n### Run with Docker\n\n```bash\ndocker build -t simrun .\ndocker run -p 8080:8080 \\\n  -e SR_DATABASE_URL=\"postgres://...\" \\\n  -v simrun-data:/home/nonroot/.simrun \\\n  simrun\n```\n\nThe image bundles the `aws`, `gcloud`, and `az` CLIs used by detonators. Persist\n`SR_DATA_DIR` (the volume above) so the secret-encryption key survives restarts.\n\n## Architecture\n\nA single Go binary handles:\n- Simulation detonation and orchestration\n- Alert matching and verification\n- Log collection from security platforms\n- Scenario parsing and execution\n\n### Simulation Packs\n\nSimulations are distributed as external packs, installed and managed via the web UI:\n\n- simrun-base-pack — custom simulations (AWS, Azure, GCP)\n- simrun-stratus-pack — [Stratus Red Team](https://github.com/DataDog/stratus-red-team) simulations\n\n## Concepts\n\n### Detonators\nA **detonator** describes how and where an attack technique is executed.\n* Simrun detonator — runs a simulation pack (Terraform-based; packs can themselves\n  execute locally or over SSH)\n* AWS CLI detonator — runs AWS CLI commands\n\n### Injectors\nAn **injector** is an alternative to detonators: instead of executing the end-to-end\nattack it takes a generated log message and injects it directly into the SIEM. This\ncovers cases where end-to-end simulation isn't feasible but you still want to confirm\nthe detection is operational.\n* Elastic Injector\n\n### Alert Matchers\nAn **alert matcher** is a platform-specific integration that checks whether an expected\nalert was triggered.\n* Elastic Security alerts\n* Datadog security signals\n\n### Collectors\nA **collector** retrieves logs from security platforms after detonation for analysis and\nrule generation.\n* Elastic Collector — collects related logs from Elasticsearch by execution ID or\n  user-agent correlation\n\n### Detonation and Alert Correlation\nEach detonation is assigned a UUID, reflected in the detonation where possible and used\nto ensure the matched alert corresponds exactly to that detonation. If the detonator\ncannot reflect the UUID, the matcher can correlate using indicators the user provides\n(static indicators) or terraform output (dynamic indicators).\n\n### Simulations\nA **simulation** is a reusable module describing how to perform a specific attack.\nSimulations are distributed as [packs](#simulation-packs) and installed via the web UI.\n\n## Development\n\n```bash\nmise run build-frontend   # build just the SvelteKit frontend\ngo test ./...             # run the test suite\nmise run lint             # run golangci-lint\ngo generate ./...         # regenerate mocks (mockery)\nmise run parser           # regenerate parser from JSON schemas\n```\n\n## Contributing\n\nIssues and pull requests are welcome.\n\n## License\n\nLicensed under the Apache License 2.0. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FIBM%2Fsimrun","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FIBM%2Fsimrun","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FIBM%2Fsimrun/lists"}