Forem: Renzo Fernando LOYOLA VILCA CHOQUE The latest articles on Forem by Renzo Fernando LOYOLA VILCA CHOQUE (@renzo_fernandoloyolavil). https://forem.com/renzo_fernandoloyolavil https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3644593%2F4ed5bd1a-ec5d-46cc-85ce-f841031d5bb5.png Forem: Renzo Fernando LOYOLA VILCA CHOQUE https://forem.com/renzo_fernandoloyolavil en Secure Your Python App Using Bandit as a SAST Tool Renzo Fernando LOYOLA VILCA CHOQUE Sat, 06 Dec 2025 01:18:08 +0000 https://forem.com/renzo_fernandoloyolavil/secure-your-python-app-using-bandit-as-a-sast-tool-1ofm https://forem.com/renzo_fernandoloyolavil/secure-your-python-app-using-bandit-as-a-sast-tool-1ofm <p>Static Application Security Testing (SAST) tools help you detect vulnerabilities directly in your source code before the application is executed or deployed. In this article, you will see how to use Bandit, a Python‑focused SAST tool, to scan a Python application and improve its security posture.​</p> <p>What Is SAST and Why It Matters<br> SAST refers to techniques and tools that analyze source code, bytecode or binaries to find security weaknesses without running the application. These tools search for patterns related to insecure practices such as injection, unsafe system calls, weak cryptography, or hardcoded secrets.​</p> <p>Running SAST early in the development lifecycle allows teams to detect and fix issues before they reach production, which reduces both risk and remediation cost. Integrating SAST into everyday workflows (IDE checks, pre‑commit hooks or CI/CD pipelines) transforms security from a late, manual step into a continuous, automated practice.​</p> <p>Meet Bandit: A Python Security Linter<br> Bandit is an open source security linter designed to find common security issues in Python code. It parses Python files, builds an abstract syntax tree (AST), and runs a set of security tests to detect problems such as hardcoded passwords, use of unsafe functions like exec, insecure random generators, weak hashes, or risky XML and subprocess usage.​</p> <p>Because Bandit understands Python syntax and idioms, it can provide more precise findings than generic text‑based scanners for this language. It is distributed through PyPI, actively maintained by the PyCQA community, and can be easily integrated into local development workflows and CI/CD pipelines.​</p> <p>Setting Up Bandit in Your Project<br> To use Bandit, you only need a working Python environment and pip. Many developers prefer to create a virtual environment so that security tools and project dependencies do not conflict.​</p> <p>Example setup steps (run in your terminal):</p> <p>Create and activate a virtual environment (optional).​</p> <p>Install Bandit with pip: pip install bandit.​</p> <p>Optionally, install extra features like TOML support, baseline management or SARIF output using extras such as bandit[toml], bandit[baseline] or bandit[sarif].​</p> <p>After installation, the bandit command becomes available in your shell so you can run it from any project directory.​</p> <p>Scanning a Python Application with Bandit<br> Once Bandit is installed, you can scan either a single file or an entire project directory. The most common workflow is to navigate to the root of your Python project and run Bandit recursively.​</p> <p>Typical examples:</p> <p>Scan a single file: bandit app.py</p> <p>Scan a whole project recursively: bandit -r .</p> <p>When the scan finishes, Bandit prints a report showing each issue it found, along with fields like severity, confidence, file path, line number and a short description. You can also change the output format to JSON, XML, HTML, YAML and others, which is useful for storing results or integrating with dashboards.​</p> <p>Understanding Bandit’s Output<br> Bandit assigns two key attributes to each finding: severity and confidence. Severity indicates how serious the potential vulnerability is (for example low, medium or high), while confidence reflects how certain Bandit is that the pattern represents a real security problem.​</p> <p>High‑severity, high‑confidence issues typically indicate dangerous patterns such as use of weak cryptographic functions, insecure temporary files, unsafe XML parsers or shell commands with untrusted input. Developers should review these findings in context, confirm whether they are valid issues, and then apply fixes such as input validation, parameterization, replacing weak algorithms or refactoring dangerous code.​</p> <p>Applying Bandit to a Sample Scenario<br> Imagine a small Python web application that performs file operations, calls external commands and processes user input. Bandit can help identify if:</p> <p>Temporary files are created using insecure methods.​</p> <p>User input is passed directly into shell commands or SQL queries.​</p> <p>Insecure modules like telnetlib or weak hash functions like md5 are in use.​</p> <p>Running bandit -r . from the project root will reveal these patterns with line numbers and explanations, making it easier to refactor the application before deployment.​</p> <p>Integrating Bandit into CI/CD<br> The real power of a SAST tool appears when it becomes part of your automated pipelines. With Bandit, you can add a CI job that installs dependencies, runs bandit -r ., and fails the pipeline if new high‑severity issues are introduced.​</p> <p>For example, in a GitHub Actions or GitLab CI pipeline, you can:</p> <p>Use a Python base image, install Bandit and run it as part of your test stage.​</p> <p>Configure Bandit to output JSON or SARIF and upload that report as a pipeline artifact or feed it into security dashboards.​</p> <p>Optionally, use a baseline file to compare current results against previous scans, so only new findings break the build.​</p> <p>This approach ensures every pull request is checked for security issues, not only for functionality or style.​</p> <p>Best Practices When Using Bandit<br> To get the most value from Bandit, consider these practices:</p> <p>Run Bandit locally as part of a pre‑commit hook so that insecure patterns are caught before code is pushed.​</p> <p>Adjust severity and confidence thresholds to match your project’s risk tolerance, focusing on high‑impact issues first.​</p> <p>Regularly review and update the configuration (for example .bandit.yml) to skip false positives or define project‑specific rules.​</p> <p>Combine Bandit with other security practices such as dependency scanning, dynamic testing and manual code review.​</p> <p>Bandit is not a silver bullet, but it is a lightweight and effective way to bring security awareness into everyday Python development.​</p> <p>Limitations and Complementary Tools<br> Bandit focuses on static analysis of Python source code, so it does not replace dynamic application security testing or runtime protection. It may also miss complex logic issues that require deeper understanding of business rules, which is why human review remains essential.​</p> <p>For a more complete security strategy, combine Bandit with tools that check open‑source dependencies, perform dynamic scans against running environments and monitor production systems. Even with these limitations, integrating Bandit as your SAST tool for Python significantly raises your application’s security baseline with relatively low effort</p> Applying API testing frameworks: real-world code examples Renzo Fernando LOYOLA VILCA CHOQUE Sat, 06 Dec 2025 00:53:35 +0000 https://forem.com/renzo_fernandoloyolavil/applying-api-testing-frameworks-real-world-code-examples-424n https://forem.com/renzo_fernandoloyolavil/applying-api-testing-frameworks-real-world-code-examples-424n <p>Applying API testing frameworks: real-world code examples<br> Modern applications dependen de APIs para conectar frontends, servicios internos y terceros. Validar estas APIs de forma automática es clave para evitar regresiones y detectar errores antes de llegar a producción. En este artículo verás cómo aplicar marcos de prueba de API con ejemplos reales usando Postman (JavaScript) y Rest Assured (Java), y cómo integrarlos en un flujo de CI/CD.​</p> <p>Why API testing matters<br> API testing permite validar lógica de negocio, contratos y reglas de seguridad sin necesidad de una interfaz gráfica. Cuando se integra en pipelines de CI/CD, ayuda a detectar fallos de manera temprana y a mantener lanzamientos frecuentes pero estables. Además, automatizar estas pruebas reduce el trabajo manual del QA y mejora la confianza en cada despliegue.​</p> <p>Choosing an API testing framework<br> Existen múltiples herramientas para probar APIs: Postman, Rest Assured, Karate, JMeter, SoapUI, entre otras. Cada una ofrece ventajas según el lenguaje, el tipo de proyecto y el nivel de experiencia del equipo. En este artículo nos centraremos en dos opciones muy usadas en la industria: Postman para flujos rápidos y colaborativos, y Rest Assured para pruebas integradas en suites Java.​</p> <p>Postman: testing with JavaScript<br> Postman es una herramienta muy popular para diseñar, documentar y probar APIs, tanto de forma manual como automatizada. Permite agrupar peticiones en Collections, usar entornos con variables, y añadir scripts en JavaScript para ejecutar aserciones sobre las respuestas.​</p> <p>Un flujo típico de prueba funcional en Postman incluye:</p> <p>Definir la petición (método, URL, headers, body).</p> <p>Añadir scripts en la pestaña “Tests” para validar el resultado.</p> <p>Ejecutar la Collection de manera local o en un pipeline CI/CD.</p> <p>Real-world example: validating a GET endpoint in Postman<br> Supongamos una API de librería con el endpoint GET /books/{id} que devuelve los detalles de un libro. El objetivo de la prueba es validar que el servicio responde con código 200 y que el cuerpo incluye campos como id, title y author con datos válidos.​</p> <p>En Postman, la prueba podría incluir aserciones como:</p> <p>js<br> pm.test("Status code is 200", function () {<br> pm.response.to.have.status(200);<br> });</p> <p>pm.test("Response body has required fields", function () {<br> const json = pm.response.json();<br> pm.expect(json).to.have.property("id");<br> pm.expect(json).to.have.property("title");<br> pm.expect(json).to.have.property("author");<br> });</p> <p>pm.test("Book id matches requested id", function () {<br> const json = pm.response.json();<br> const requestedId = pm.request.url.variables.get("id");<br> pm.expect(json.id.toString()).to.eql(requestedId);<br> });<br> Este tipo de script se ejecuta automáticamente después de cada llamada y te permite validar tanto el código de estado como la estructura del JSON.​</p> <p>Data-driven tests with Postman<br> En escenarios reales, es habitual probar el mismo endpoint con distintos datos de entrada. Postman soporta pruebas orientadas a datos usando archivos CSV o JSON, donde cada fila representa un conjunto de variables para la ejecución.​</p> <p>Por ejemplo, un archivo CSV podría contener varios bookId y valores esperados, y la Collection Runner los iterará de manera automática. Esto permite cubrir casos positivos y negativos (IDs válidos, inexistentes o inválidos) sin duplicar manualmente las peticiones.​</p> <p>Rest Assured: Java-based API testing<br> Rest Assured es un framework para pruebas de API en Java que simplifica el envío de peticiones HTTP y la validación de respuestas. Se integra bien con TestNG o JUnit, lo que facilita su uso dentro de suites automatizadas y pipelines de CI/CD.​</p> <p>Su enfoque fluido permite escribir pruebas legibles, y combinarlo con librerías como Hamcrest para aserciones expresivas sobre JSON y XML. Además, soporta múltiples métodos HTTP, autenticación, parámetros, logs y manejo de serialización/deserialización.​</p> <p>Real-world example: Rest Assured GET test<br> Tomando el mismo escenario de GET /books/{id}, una prueba en Rest Assured podría validar el status code y campos clave de la respuesta JSON.​</p> <p>java<br> import static io.restassured.RestAssured.<em>;<br> import static org.hamcrest.Matchers.</em>;<br> import org.testng.annotations.Test;</p> <p>public class BookApiTest {</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>@Test public void getBookById_shouldReturnValidBook() { given() .baseUri("https://api.example.com") .basePath("/books/{id}") .pathParam("id", 1) .when() .get() .then() .statusCode(200) .body("id", equalTo(1)) .body("title", notNullValue()) .body("author", notNullValue()); } </code></pre> </div> <p>}<br> Este tipo de prueba se puede ejecutar junto con el resto del suite de tests de backend, formando parte del proceso de build.​</p> <p>Creating reusable components in Rest Assured<br> En casos reales, resulta útil extraer configuraciones repetidas como baseUri, headers comunes o autenticación a una clase base. De esta forma, las pruebas se enfocan en el comportamiento, no en el detalle de configuración de cada endpoint.​</p> <p>Por ejemplo, se puede definir una clase BaseApiTest que configure Rest Assured en un método @BeforeClass y luego extenderla desde las clases que representan cada módulo de la API (books, users, orders, etc.).​</p> <p>Testing authenticated APIs<br> Muchos servicios exponen endpoints protegidos mediante API keys, tokens Bearer u OAuth2. Tanto Postman como Rest Assured ofrecen soporte para este tipo de autenticación, ya sea configurando headers, usando helpers integrados o generando tokens previos a las pruebas.​</p> <p>En Rest Assured, por ejemplo, se puede añadir un header de autorización de forma global o en cada prueba:</p> <p>java<br> given()<br> .baseUri("<a href="https://api.example.com%22" rel="noopener noreferrer">https://api.example.com"</a>)<br> .header("Authorization", "Bearer " + token)<br> .when()<br> .get("/books")<br> .then()<br> .statusCode(200);<br> En Postman, puedes almacenar el token en una variable de entorno y referenciarlo en el header Authorization mediante {{token}}.​</p> <p>Integrating API tests into CI/CD<br> El verdadero valor de estos marcos se ve cuando se integran en pipelines de CI/CD como GitHub Actions, Jenkins o GitLab CI. La idea es ejecutar suites de pruebas de API en cada push o antes de un despliegue para evitar que cambios en el código rompan contratos existentes.​</p> <p>Algunos enfoques habituales son:</p> <p>Ejecutar Collections de Postman mediante Newman en un job del pipeline.</p> <p>Ejecutar tests de Rest Assured con Maven/Gradle como parte del stage de test.</p> <p>Publicar reportes (HTML, JUnit) como artefactos del pipeline para su revisión.</p> <p>Example: running Postman tests in CI<br> Newman, el CLI de Postman, permite ejecutar collections dentro de un flujo automatizado. Un paso típico en un pipeline podría incluir un comando como:​</p> <p>bash<br> newman run LibraryAPI.postman_collection.json \<br> -e staging.postman_environment.json \<br> --reporters cli,junit \<br> --reporter-junit-export newman-report.xml<br> Ese reporte puede ser consumido por la plataforma de CI/CD para marcar el build como exitoso o fallido según los resultados de las pruebas.​</p> <p>Example: running Rest Assured in CI<br> Para proyectos Java, lo más habitual es ejecutar los tests de Rest Assured junto con el resto de pruebas unitarias e integradas. En un pipeline que use Maven, bastaría con un job que ejecute mvn test y recoja los informes generados.​</p> <p>Combinado con herramientas de reporte como surefire-report o plugins de informes HTML, es posible ver en detalle qué endpoints fallaron, qué payload se envió y cuál fue la respuesta recibida.​</p> <p>Putting it all together<br> Aplicar marcos de prueba de API en proyectos reales significa ir más allá de pruebas manuales puntuales y construir suites automatizadas que vivan junto al código. Usando Postman puedes cubrir rápidamente escenarios funcionales y colaborativos, mientras que Rest Assured te permite integrar pruebas de API directamente en tu base de código Java y pipeline de CI/CD.​</p> <p>Al combinar ambos enfoques, obtienes una cobertura robusta: validaciones funcionales, pruebas con datos, escenarios autenticados y ejecución continua en cada cambio. Esto se traduce en APIs más confiables, menos incidentes en producción y un ciclo de desarrollo más seguro y predecible</p> Securing Infrastructure as Code with Checkov: A Practical SAST Approach Renzo Fernando LOYOLA VILCA CHOQUE Sat, 06 Dec 2025 00:41:48 +0000 https://forem.com/renzo_fernandoloyolavil/securing-infrastructure-as-code-with-checkov-a-practical-sast-approach-58co https://forem.com/renzo_fernandoloyolavil/securing-infrastructure-as-code-with-checkov-a-practical-sast-approach-58co <p>Introduction<br> Infrastructure as Code (IaC) has revolutionized how we manage and deploy cloud resources. However, with great power comes great responsibility. Security misconfigurations in IaC templates can lead to serious vulnerabilities in production environments. This is where Static Application Security Testing (SAST) tools like Checkov come into play.</p> <p>In this article, we'll explore how to implement Checkov, a powerful open-source SAST tool, to scan and secure your Infrastructure as Code across multiple platforms including Terraform, CloudFormation, Kubernetes, and more.</p> <p>What is Checkov?<br> Checkov is a static code analysis tool developed by Bridgecrew (now part of Palo Alto Networks) that scans infrastructure code for security and compliance misconfigurations. It supports:</p> <p>Terraform<br> CloudFormation<br> Kubernetes<br> Helm<br> ARM Templates<br> Serverless Framework<br> Docker<br> And many more...<br> Why Use SAST for Infrastructure as Code?<br> Early Detection: Identify security issues before they reach production<br> Compliance: Ensure adherence to industry standards (CIS, PCI-DSS, HIPAA)<br> Cost Reduction: Fix issues early in the development cycle<br> Automation: Integrate seamlessly into CI/CD pipelines<br> Policy as Code: Define and enforce organizational security policies</p> <p>Getting Started with Checkov<br> Installation<br> Checkov can be installed using pip:</p> <p>pip install checkov<br> Or using Docker:</p> <p>docker pull bridgecrew/checkov<br> Basic Usage<br> Scan a Terraform directory:</p> <p>checkov -d /path/to/terraform<br> Scan a specific file:</p> <p>checkov -f main.tf<br> Practical Example: Securing Terraform Code<br> Let's examine a vulnerable Terraform configuration and how Checkov identifies the issues.</p> <p>Vulnerable Configuration</p> <h1> main.tf - INSECURE EXAMPLE </h1> <p>resource "aws_s3_bucket" "data_bucket" {<br> bucket = "my-data-bucket"</p> <p># Missing encryption<br> # Missing versioning<br> # Missing logging<br> }</p> <p>resource "aws_security_group" "web_sg" {<br> name = "web-security-group"<br> description = "Security group for web servers"</p> <p>ingress {<br> from_port = 0<br> to_port = 0<br> protocol = "-1"<br> cidr_blocks = ["0.0.0.0/0"] # Too permissive!<br> }<br> }</p> <p>resource "aws_db_instance" "database" {<br> allocated_storage = 20<br> engine = "mysql"<br> instance_class = "db.t3.micro"<br> username = "admin"<br> password = "hardcodedpassword123" # Hardcoded password!<br> skip_final_snapshot = true</p> <p># Missing encryption<br> # Publicly accessible by default<br> }<br> Running Checkov<br> checkov -f main.tf --output json --output-file results.json<br> Checkov Output<br> Checkov will identify multiple security issues:</p> <p>Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"<br> Check: CKV_AWS_19: "Ensure the S3 bucket has server-side encryption enabled"<br> Check: CKV_AWS_21: "Ensure the S3 bucket has versioning enabled"<br> Check: CKV_AWS_23: "Ensure Security Group does not allow ingress from 0.0.0.0/0 to port 22"<br> Check: CKV_AWS_16: "Ensure RDS database is encrypted at rest"<br> Check: CKV_AWS_41: "Ensure RDS instance has IAM authentication enabled"<br> Secure Configuration<br> Now let's fix these issues:</p> <h1> main.tf - SECURE VERSION </h1> <p>resource "aws_s3_bucket" "data_bucket" {<br> bucket = "my-data-bucket"<br> }</p> <p>resource "aws_s3_bucket_versioning" "data_bucket_versioning" {<br> bucket = aws_s3_bucket.data_bucket.id<br> versioning_configuration {<br> status = "Enabled"<br> }<br> }</p> <p>resource "aws_s3_bucket_server_side_encryption_configuration" "data_bucket_encryption" {<br> bucket = aws_s3_bucket.data_bucket.id</p> <p>rule {<br> apply_server_side_encryption_by_default {<br> sse_algorithm = "AES256"<br> }<br> }<br> }</p> <p>resource "aws_s3_bucket_logging" "data_bucket_logging" {<br> bucket = aws_s3_bucket.data_bucket.id</p> <p>target_bucket = aws_s3_bucket.log_bucket.id<br> target_prefix = "log/"<br> }</p> <p>resource "aws_security_group" "web_sg" {<br> name = "web-security-group"<br> description = "Security group for web servers"</p> <p>ingress {<br> from_port = 443<br> to_port = 443<br> protocol = "tcp"<br> cidr_blocks = ["10.0.0.0/8"] # Restricted to internal network<br> }</p> <p>egress {<br> from_port = 0<br> to_port = 0<br> protocol = "-1"<br> cidr_blocks = ["0.0.0.0/0"]<br> }<br> }</p> <p>resource "aws_db_instance" "database" {<br> allocated_storage = 20<br> engine = "mysql"<br> instance_class = "db.t3.micro"<br> username = "admin"<br> password = var.db_password # Using variable instead<br> skip_final_snapshot = false</p> <p>storage_encrypted = true<br> iam_database_authentication_enabled = true<br> publicly_accessible = false</p> <p>backup_retention_period = 7<br> enabled_cloudwatch_logs_exports = ["error", "general", "slowquery"]<br> }<br> Integrating Checkov into CI/CD<br> GitHub Actions Example<br> name: IaC Security Scan</p> <p>on: [push, pull_request]</p> <p>jobs:<br> checkov:<br> runs-on: ubuntu-latest<br> steps:<br> - name: Checkout code<br> uses: actions/checkout@v3</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> - name: Set up Python uses: actions/setup-python@v4 with: python-version: '3.9' - name: Install Checkov run: pip install checkov - name: Run Checkov run: | checkov -d . --output cli --output json --output-file checkov-report.json - name: Upload results uses: actions/upload-artifact@v3 if: always() with: name: checkov-report path: checkov-report.json </code></pre> </div> <p>GitLab CI Example<br> checkov:<br> stage: test<br> image: bridgecrew/checkov:latest<br> script:<br> - checkov -d . --output cli --output junitxml --output-file checkov-report.xml<br> artifacts:<br> reports:<br> junit: checkov-report.xml<br> Custom Policies<br> Checkov allows you to create custom policies using Python:</p> <p>from checkov.common.models.enums import CheckResult, CheckCategories<br> from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck</p> <p>class S3BucketEncryption(BaseResourceCheck):<br> def <strong>init</strong>(self):<br> name = "Ensure S3 bucket is encrypted with KMS"<br> id = "CKV_AWS_CUSTOM_1"<br> supported_resources = ['aws_s3_bucket']<br> categories = [CheckCategories.ENCRYPTION]<br> super().<strong>init</strong>(name=name, id=id, categories=categories, <br> supported_resources=supported_resources)</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def scan_resource_conf(self, conf): if 'server_side_encryption_configuration' in conf: encryption_config = conf['server_side_encryption_configuration'][0] if 'rule' in encryption_config: rule = encryption_config['rule'][0] if 'apply_server_side_encryption_by_default' in rule: encryption = rule['apply_server_side_encryption_by_default'][0] if encryption.get('sse_algorithm') == ['aws:kms']: return CheckResult.PASSED return CheckResult.FAILED </code></pre> </div> <p>check = S3BucketEncryption()<br> Best Practices<br> Run Checkov Early: Integrate it into your development workflow<br> Use Suppressions Wisely: Document why certain checks are suppressed<br> Keep Checkov Updated: New checks are added regularly<br> Set Baseline: Use --baseline to track improvements over time<br> Combine with Other Tools: Use alongside dynamic testing and manual reviews<br> Educate Your Team: Ensure developers understand the security implications<br> Suppressing False Positives<br> Sometimes you need to suppress legitimate findings:</p> <p>resource "aws_security_group" "special_case" {<br> name = "special-sg"</p> <p>#checkov:skip=CKV_AWS_23:This SG is for internal load balancer<br> ingress {<br> from_port = 80<br> to_port = 80<br> protocol = "tcp"<br> cidr_blocks = ["0.0.0.0/0"]<br> }<br> }<br> Measuring Success<br> Track these metrics to measure the effectiveness of Checkov:</p> <p>Vulnerability Detection Rate: Number of issues found per scan<br> Fix Time: Time from detection to remediation<br> False Positive Rate: Percentage of findings that are not actual issues<br> Coverage: Percentage of infrastructure code being scanned<br> Compliance Score: Pass rate against security benchmarks<br> Conclusion<br> Implementing SAST tools like Checkov is essential for maintaining secure infrastructure as code. By catching security issues early in the development cycle, you can:</p> <p>Reduce security risks in production<br> Ensure compliance with industry standards<br> Foster a security-first culture<br> Save time and money on remediation<br> Start small by integrating Checkov into one project, measure the results, and gradually expand coverage across your organization. Security is a journey, not a destination, and tools like Checkov are invaluable companions along the way.</p> <p>References<br> Checkov Official Documentation<br> OWASP Source Code Analysis Tools<br> Terraform Security Best Practices<br> CIS Benchmarks</p> Dominando las Pruebas de API con Postman: Ejemplos del Mundo Real Renzo Fernando LOYOLA VILCA CHOQUE Thu, 04 Dec 2025 13:04:09 +0000 https://forem.com/renzo_fernandoloyolavil/dominando-las-pruebas-de-api-con-postman-ejemplos-del-mundo-real-23ld https://forem.com/renzo_fernandoloyolavil/dominando-las-pruebas-de-api-con-postman-ejemplos-del-mundo-real-23ld <h2> Introducción </h2> <p>En el desarrollo de software moderno, las APIs (Interfaces de Programación de Aplicaciones) son la columna vertebral de la comunicación entre sistemas. Postman se ha consolidado como una de las herramientas más populares y poderosas para probar, documentar y automatizar APIs. En este artículo, exploraremos cómo aplicar Postman en escenarios del mundo real, con ejemplos prácticos que puedes implementar inmediatamente.</p> <h2> ¿Por qué Postman? </h2> <p>Postman no es solo un cliente HTTP; es una plataforma completa para el desarrollo de APIs que ofrece:</p> <ul> <li> <strong>Interfaz intuitiva</strong>: Ideal para principiantes y expertos</li> <li> <strong>Automatización de pruebas</strong>: Scripts JavaScript para validaciones complejas</li> <li> <strong>Colecciones organizadas</strong>: Agrupa solicitudes relacionadas</li> <li> <strong>Variables de entorno</strong>: Facilita el cambio entre dev, staging y producción</li> <li> <strong>Integración CI/CD</strong>: Compatible con Newman para pipelines automatizados</li> <li> <strong>Colaboración en equipo</strong>: Espacios de trabajo compartidos</li> </ul> <h2> Caso de Uso 1: Prueba de API RESTful de E-commerce </h2> <p>Imaginemos que estamos probando una API de una tienda en línea que gestiona productos.</p> <h3> Escenario: Obtener lista de productos </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// GET https://api.tienda.com/v1/productos</span> <span class="c1">// En la pestaña "Tests" de Postman:</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">El código de estado es 200</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="p">});</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">La respuesta es JSON</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">to</span><span class="p">.</span><span class="nx">be</span><span class="p">.</span><span class="nx">json</span><span class="p">;</span> <span class="p">});</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">La respuesta contiene productos</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">jsonData</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">be</span><span class="p">.</span><span class="nf">an</span><span class="p">(</span><span class="dl">'</span><span class="s1">array</span><span class="dl">'</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">.</span><span class="nx">length</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">be</span><span class="p">.</span><span class="nf">above</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">});</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Cada producto tiene campos requeridos</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">productos</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">productos</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">producto</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">producto</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">producto</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">"</span><span class="s2">nombre</span><span class="dl">"</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">producto</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">"</span><span class="s2">precio</span><span class="dl">"</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">producto</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">"</span><span class="s2">stock</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> Escenario: Crear un nuevo producto (POST) </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// POST https://api.tienda.com/v1/productos</span> <span class="c1">// Body (JSON):</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">nombre</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Laptop Dell XPS 15</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">precio</span><span class="dl">"</span><span class="p">:</span> <span class="mf">1299.99</span><span class="p">,</span> <span class="dl">"</span><span class="s2">categoria</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Electrónica</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">stock</span><span class="dl">"</span><span class="p">:</span> <span class="mi">25</span> <span class="p">}</span> <span class="c1">// Tests:</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Producto creado exitosamente - 201</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">201</span><span class="p">);</span> <span class="p">});</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">La respuesta contiene el ID del producto</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">jsonData</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">"</span><span class="s2">id</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Guardar el ID para usar en solicitudes posteriores</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">producto_id</span><span class="dl">"</span><span class="p">,</span> <span class="nx">jsonData</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">});</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">El precio se guardó correctamente</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">jsonData</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">.</span><span class="nx">precio</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nf">eql</span><span class="p">(</span><span class="mf">1299.99</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h2> Caso de Uso 2: Autenticación y Autorización </h2> <p>Las APIs del mundo real requieren autenticación. Veamos cómo manejar tokens JWT.</p> <h3> Paso 1: Login y captura de token </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// POST https://api.tienda.com/v1/auth/login</span> <span class="c1">// Body:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">usuario@ejemplo.com</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">password</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">password123</span><span class="dl">"</span> <span class="p">}</span> <span class="c1">// Tests:</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Login exitoso</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="p">});</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Token JWT recibido</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">jsonData</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">jsonData</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">"</span><span class="s2">token</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Guardar el token en variable de entorno</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">jwt_token</span><span class="dl">"</span><span class="p">,</span> <span class="nx">jsonData</span><span class="p">.</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// Guardar timestamp de expiración</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">token_expiry</span><span class="dl">"</span><span class="p">,</span> <span class="nx">jsonData</span><span class="p">.</span><span class="nx">expiresIn</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Paso 2: Usar el token en solicitudes protegidas </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// GET https://api.tienda.com/v1/usuario/perfil</span> <span class="c1">// Headers: Authorization: Bearer {{jwt_token}}</span> <span class="c1">// Pre-request Script para verificar token:</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">jwt_token</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">No hay token de autenticación. Ejecuta primero el login.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Tests:</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Acceso autorizado al perfil</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="p">});</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="dl">"</span><span class="s2">Datos del usuario son correctos</span><span class="dl">"</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">usuario</span> <span class="o">=</span> <span class="nx">pm</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">usuario</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">usuario</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nx">have</span><span class="p">.</span><span class="nf">property</span><span class="p">(</span><span class="dl">"</span><span class="s2">nombre</span><span class="dl">"</span><span class="p">);</span> <span class="nx">pm</span><span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="nx">usuario</span><span class="p">.</span><span class="nx">rol</span><span class="p">).</span><span class="nx">to</span><span class="p">.</span><span class="nf">eql</span><span class="p">(</span><span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h2> Conclusiones </h2> <p>Postman es mucho más que una herramienta para enviar solicitudes HTTP. Como hemos visto en estos ejemplos del mundo real:</p> <ol> <li> <strong>Validación robusta</strong>: Podemos verificar códigos de estado, estructura de datos y lógica de negocio</li> <li> <strong>Flujos complejos</strong>: Encadenamiento de solicitudes con variables dinámicas</li> <li> <strong>Automatización</strong>: Integración perfecta con pipelines CI/CD mediante Newman</li> <li> <strong>Colaboración</strong>: Espacios de trabajo compartidos facilitan el trabajo en equipo</li> <li> <strong>Documentación viva</strong>: Las colecciones sirven como documentación ejecutable</li> </ol> <h2> Recursos Adicionales </h2> <ul> <li><a href="https://learning.postman.com/" rel="noopener noreferrer">Documentación oficial de Postman</a></li> <li><a href="https://learning.postman.com/docs/getting-started/introduction/" rel="noopener noreferrer">Postman Learning Center</a></li> <li><a href="https://github.com/postmanlabs/newman" rel="noopener noreferrer">Newman en GitHub</a></li> </ul> <p><strong>Sobre el autor</strong>: Este artículo forma parte del Trabajo de Investigación N° 02 sobre Comparación de Frameworks de Pruebas de API, desarrollado como parte del curso de Calidad y Pruebas de Software.</p> api testing postman automation Construyendo un Servidor MCP: Conectando Claude y VSCode a Herramientas Externas Renzo Fernando LOYOLA VILCA CHOQUE Thu, 04 Dec 2025 01:16:02 +0000 https://forem.com/renzo_fernandoloyolavil/building-an-mcp-server-connecting-claude-and-vscode-to-external-tools-1g4c https://forem.com/renzo_fernandoloyolavil/building-an-mcp-server-connecting-claude-and-vscode-to-external-tools-1g4c <h2> Introducción </h2> <p>El Protocolo de Contexto de Modelo (MCP) es un protocolo abierto revolucionario desarrollado por Anthropic que permite a asistentes de IA como Claude conectarse con fuentes de datos externas y herramientas. En este artículo, te guiaré a través de la construcción de tu propio servidor MCP que puede ser utilizado con Claude Desktop, VSCode y otros clientes compatibles.</p> <h2> ¿Qué es MCP? </h2> <p>MCP proporciona una forma estandarizada para que los asistentes de IA interactúen con sistemas externos. Piensa en él como un adaptador universal que permite a Claude:</p> <ul> <li>Acceder a bases de datos y APIs</li> <li>Leer y escribir archivos</li> <li>Ejecutar comandos</li> <li>Interactuar con servicios web</li> </ul> <p>El protocolo define una arquitectura cliente-servidor donde:</p> <ul> <li> <strong>Clientes MCP</strong> (como Claude Desktop o VSCode) se conectan a servidores</li> <li> <strong>Servidores MCP</strong> exponen capacidades específicas (recursos, herramientas y prompts)</li> <li> <strong>La comunicación</strong> ocurre a través de JSON-RPC 2.0 sobre stdio o HTTP</li> </ul> <h2> Descripción General de la Arquitectura </h2> <p>Un servidor MCP consta de tres componentes principales:</p> <h3> 1. Recursos </h3> <p>Los recursos son fuentes de datos que el servidor puede proporcionar a los clientes. Pueden ser:</p> <ul> <li>Archivos de un sistema de archivos</li> <li>Registros de bases de datos</li> <li>Respuestas de APIs</li> <li>Flujos de datos en tiempo real</li> </ul> <h3> 2. Herramientas </h3> <p>Las herramientas son funciones que el cliente puede invocar a través del servidor:</p> <ul> <li>Ejecutar comandos del sistema</li> <li>Realizar cálculos</li> <li>Interactuar con APIs externas</li> <li>Manipular datos</li> </ul> <h3> 3. Prompts </h3> <p>Los prompts son plantillas predefinidas que ayudan a estructurar las interacciones:</p> <ul> <li>Plantillas de consultas</li> <li>Patrones de comandos</li> <li>Instrucciones de flujo de trabajo</li> </ul> <h2> Construyendo tu Primer Servidor MCP </h2> <p>Construyamos un servidor MCP simple paso a paso. Para este ejemplo, usaré Python, pero los servidores MCP pueden construirse en cualquier lenguaje.</p> <h3> Requisitos Previos </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>mcp </code></pre> </div> <h3> Estructura Básica del Servidor </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">mcp.server</span> <span class="kn">import</span> <span class="n">Server</span> <span class="kn">from</span> <span class="n">mcp.types</span> <span class="kn">import</span> <span class="n">Resource</span><span class="p">,</span> <span class="n">Tool</span> <span class="kn">import</span> <span class="n">asyncio</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Server</span><span class="p">(</span><span class="sh">"</span><span class="s">my-mcp-server</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.list_resources</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_resources</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">Resource</span><span class="p">]:</span> <span class="k">return</span> <span class="p">[</span> <span class="nc">Resource</span><span class="p">(</span> <span class="n">uri</span><span class="o">=</span><span class="sh">"</span><span class="s">file:///example.txt</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">Archivo de Ejemplo</span><span class="sh">"</span><span class="p">,</span> <span class="n">mimeType</span><span class="o">=</span><span class="sh">"</span><span class="s">text/plain</span><span class="sh">"</span> <span class="p">)</span> <span class="p">]</span> <span class="nd">@app.read_resource</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">read_resource</span><span class="p">(</span><span class="n">uri</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">if</span> <span class="n">uri</span> <span class="o">==</span> <span class="sh">"</span><span class="s">file:///example.txt</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">¡Hola desde el Servidor MCP!</span><span class="sh">"</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Recurso desconocido: </span><span class="si">{</span><span class="n">uri</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.list_tools</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_tools</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">Tool</span><span class="p">]:</span> <span class="k">return</span> <span class="p">[</span> <span class="nc">Tool</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">saludar</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Saludar a alguien por su nombre</span><span class="sh">"</span><span class="p">,</span> <span class="n">inputSchema</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">nombre</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">}</span> <span class="p">},</span> <span class="sh">"</span><span class="s">required</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">nombre</span><span class="sh">"</span><span class="p">]</span> <span class="p">}</span> <span class="p">)</span> <span class="p">]</span> <span class="nd">@app.call_tool</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">call_tool</span><span class="p">(</span><span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">arguments</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">if</span> <span class="n">name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">saludar</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">¡Hola, </span><span class="si">{</span><span class="n">arguments</span><span class="p">[</span><span class="sh">'</span><span class="s">nombre</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">!</span><span class="sh">"</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Herramienta desconocida: </span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="nf">run</span><span class="p">())</span> </code></pre> </div> <h2> Conectando a Claude Desktop </h2> <p>Para usar tu servidor MCP con Claude Desktop, necesitas configurarlo en la configuración de Claude:</p> <ol> <li>Abre la configuración de Claude Desktop</li> <li>Navega a la sección "Developer"</li> <li>Agrega la configuración de tu servidor: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"mi-servidor"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"ruta/a/tu/servidor.py"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li>Reinicia Claude Desktop</li> <li>Las herramientas y recursos de tu servidor ahora estarán disponibles para Claude</li> </ol> <h2> Conectando a VSCode </h2> <p>Para la integración con VSCode, puedes usar la extensión MCP:</p> <ol> <li>Instala la extensión MCP desde el marketplace</li> <li>Configura tu servidor en <code>.vscode/mcp.json</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"servers"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mi-servidor"</span><span class="p">,</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"ruta/a/tu/servidor.py"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Casos de Uso del Mundo Real </h2> <p>Aquí hay algunas aplicaciones prácticas para servidores MCP:</p> <h3> Acceso a Bases de Datos </h3> <p>Crea un servidor que permita a Claude consultar tus bases de datos de forma segura:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.list_tools</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_tools</span><span class="p">():</span> <span class="k">return</span> <span class="p">[</span><span class="nc">Tool</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">consultar_bd</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Ejecutar consultas SQL</span><span class="sh">"</span><span class="p">)]</span> </code></pre> </div> <h3> Operaciones del Sistema de Archivos </h3> <p>Construye un servidor que gestione archivos de proyecto:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.list_resources</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">list_resources</span><span class="p">():</span> <span class="k">return</span> <span class="p">[</span><span class="nc">Resource</span><span class="p">(</span><span class="n">uri</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">file:///</span><span class="si">{</span><span class="n">archivo</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">archivo</span> <span class="ow">in</span> <span class="n">os</span><span class="p">.</span><span class="nf">listdir</span><span class="p">()]</span> </code></pre> </div> <h3> Integración con APIs </h3> <p>Conecta Claude a APIs externas:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.call_tool</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">call_tool</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">args</span><span class="p">):</span> <span class="k">if</span> <span class="n">name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">obtener_datos</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">http_client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">args</span><span class="p">[</span><span class="sh">'</span><span class="s">url</span><span class="sh">'</span><span class="p">])</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <h2> Mejores Prácticas </h2> <ol> <li> <strong>Seguridad Primero</strong>: Siempre valida las entradas y sanitiza las salidas</li> <li> <strong>Manejo de Errores</strong>: Proporciona mensajes de error claros</li> <li> <strong>Documentación</strong>: Documenta tus herramientas y recursos exhaustivamente</li> <li> <strong>Rendimiento</strong>: Usa async/await para operaciones de I/O</li> <li> <strong>Pruebas</strong>: Prueba tu servidor con diferentes clientes</li> </ol> <h2> Repositorio de Ejemplo </h2> <p>Puedes encontrar un ejemplo completo y funcional en mi repositorio de GitHub:</p> <p><strong>Repositorio</strong>: <a href="https://github.com/renzoloyola/MCP-Server" rel="noopener noreferrer">https://github.com/renzoloyola/MCP-Server</a></p> <p>Este repositorio incluye:</p> <ul> <li>Implementación básica del servidor MCP</li> <li>Ejemplos de configuración para Claude y VSCode</li> <li>Documentación e instrucciones de configuración</li> <li>Casos de uso de ejemplo</li> </ul> <h2> Conclusión </h2> <p>Construir servidores MCP abre posibilidades infinitas para extender las capacidades de los asistentes de IA. Ya sea que te estés conectando a bases de datos, sistemas de archivos o APIs externas, MCP proporciona una forma estandarizada y poderosa de hacer que tus datos y herramientas sean accesibles para la IA.</p> <p>El Protocolo de Contexto de Modelo sigue evolucionando, y el ecosistema está creciendo rápidamente. Al crear tus propios servidores MCP, puedes personalizar Claude y otros clientes compatibles para que se ajusten a tus necesidades y flujos de trabajo específicos.</p> <h2> Recursos </h2> <ul> <li><a href="https://modelcontextprotocol.io" rel="noopener noreferrer">Documentación MCP</a></li> <li><a href="https://github.com/anthropics/anthropic-quickstarts" rel="noopener noreferrer">GitHub de Anthropic MCP</a></li> <li><a href="https://github.com/renzoloyola/MCP-Server" rel="noopener noreferrer">Mi Repositorio de Ejemplo</a></li> </ul> <p>¿Has construido un servidor MCP? ¡Comparte tu experiencia en los comentarios!</p> mcpclaudevscodeai