diff --git a/.brightsec/.gitkeep b/.brightsec/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/.brightsec/tests/get-posts-search.test.ts b/.brightsec/tests/get-posts-search.test.ts
new file mode 100644
index 0000000..4a1d4e5
--- /dev/null
+++ b/.brightsec/tests/get-posts-search.test.ts
@@ -0,0 +1,41 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /posts/search?search_term=example', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['sqli', 'xss', 'csrf', 'business_constraint_bypass'],
+      attackParamLocations: [AttackParamLocation.QUERY],
+      starMetadata: {
+        code_source: 'NeuraLegion/ruby-example-app:master',
+        databases: ['PostgreSQL'],
+        user_roles: []
+      },
+      poolSize: +process.env.SECTESTER_SCAN_POOL_SIZE || undefined
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.GET,
+      url: `${baseUrl}/posts/search?search_term=example`,
+      headers: { 'Content-Type': 'application/json' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});
\ No newline at end of file
diff --git a/.github/workflows/ci.yml b/.github/workflows/bright.yml
similarity index 57%
rename from .github/workflows/ci.yml
rename to .github/workflows/bright.yml
index 4e2a120..6cd900c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/bright.yml
@@ -1,10 +1,14 @@
-name: ci
+name: Bright
 
 on:
-  push:
-    branches:
-      - main
   pull_request:
+    branches:
+      - '**'
+
+permissions:
+  checks: write
+  contents: read
+  id-token: write
 
 jobs:
   test:
@@ -80,45 +84,48 @@ jobs:
       - name: Install gems
         run: bundle install
 
-      - name: Wait for postgres
-        run: |
-          for i in $(seq 1 30); do
-            pg_isready -h "$PGHOST" -p "$PGPORT" -d "$PGDATABASE" && break
-            sleep 2
-          done
-          bundle exec ruby -e "require 'pg'; PG.connect(host: ENV['PGHOST'], port: ENV['PGPORT'].to_i, dbname: ENV['PGDATABASE'], user: ENV['PGUSER'], password: ENV['PGPASSWORD']);"
-
       - name: Setup database
         run: bundle exec rake db:create db:migrate db:seed
 
       - name: Start server
+        env:
+          DATABASE_URL: postgres://postgres:postgres@postgres:5432/blog_development
+          PGDATABASE: blog_development
+          PGHOST: postgres
+          PGPASSWORD: postgres
+          PGPORT: 5432
+          PGUSER: postgres
         run: |
-          bundle exec rails server -b 0.0.0.0 -p 3000 >rails.log 2>&1 &
+          bundle exec rails server -b 0.0.0.0 -p 3000 &
 
-      - name: Wait for server readiness
+      - name: Probe application readiness
         run: |
-          READY=0
-          for i in $(seq 1 30); do
-            echo "Attempt ${i}/30: checking http://localhost:3000"
-            if curl -sSfL http://localhost:3000 >/dev/null; then
-              echo "Server responded successfully on attempt ${i}."
-              READY=1
-              break
-            fi
-            echo "Server still starting up, waiting 2s before retry."
-            sleep 2
-          done
-          if [ "$READY" -ne 1 ]; then
-            echo "Server failed to start"
-            tail -n 200 rails.log || true
-            exit 1
-          fi
-          echo "Server is ready; last 200 lines of rails.log:"
-          tail -n 200 rails.log || true
-
-      - name: Check homepage
+          for i in {1..30}; do curl -sS -o /dev/null http://127.0.0.1:3000 && exit 0 || sleep 5; done; exit 1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+
+      - name: Install SecTesterJS dependencies
+        run: |
+          npm i --save=false --prefix .brightsec @sectester/core@0.49.0 @sectester/repeater@0.49.0 @sectester/scan@0.49.0 @sectester/runner@0.49.0 @sectester/reporter@0.49.0
+
+      - name: Authenticate with Bright
+        uses: ./.github/workflows/composite/configure-bright-credentials
+        with:
+          BRIGHT_HOSTNAME: development.playground.brightsec.com
+          BRIGHT_PROJECT_ID: 5naKKxNc3e4Akp1GuEdmiK
+          BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }}
+
+      - name: Run security tests
+        env:
+          BRIGHT_HOSTNAME: development.playground.brightsec.com
+          BRIGHT_PROJECT_ID: 5naKKxNc3e4Akp1GuEdmiK
+          BRIGHT_AUTH_ID: m8XBzLrw8pWSjHQDhKQgCr
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRIGHT_TOKEN: ${{ env.BRIGHT_TOKEN }}
+          BRIGHT_TARGET_URL: http://127.0.0.1:3000
+          SECTESTER_SCAN_POOL_SIZE: ${{ vars.SECTESTER_SCAN_POOL_SIZE }}
         run: |
-          if ! curl -sSfL http://localhost:3000 | grep -F "Home"; then
-            echo "Homepage check failed"
-            exit 1
-          fi
+          node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=4 --test .brightsec/tests/*.test.ts
\ No newline at end of file
diff --git a/.github/workflows/composite/configure-bright-credentials/action.yaml b/.github/workflows/composite/configure-bright-credentials/action.yaml
new file mode 100644
index 0000000..8498384
--- /dev/null
+++ b/.github/workflows/composite/configure-bright-credentials/action.yaml
@@ -0,0 +1,53 @@
+name: 'Configure BrightSec credentials'
+
+inputs:
+  BRIGHT_HOSTNAME:
+    description: 'Hostname for the BrightSec environment'
+    required: true
+  BRIGHT_PROJECT_ID:
+    description: 'Project ID for BrightSec'
+    required: true
+  BRIGHT_TOKEN:
+    description: 'Pre-configured token'
+    required: false
+
+runs:
+  using: 'composite'
+  steps:
+    - id: configure_env_from_input
+      name: 'Set existing token in env'
+      shell: bash
+      if: ${{ inputs.BRIGHT_TOKEN != '' }}
+      env:
+        BRIGHT_TOKEN: ${{ inputs.BRIGHT_TOKEN }}
+      run: |
+        echo "BRIGHT_TOKEN=${BRIGHT_TOKEN}" >> $GITHUB_ENV
+
+    - id: configure_bright_credentials_through_oidc
+      name: 'Exchange OIDC credentials for Bright token'
+      shell: bash
+      if: ${{ inputs.BRIGHT_TOKEN == '' }}
+      env:
+        BRIGHT_HOSTNAME: ${{ inputs.BRIGHT_HOSTNAME }}
+        BRIGHT_PROJECT_ID: ${{ inputs.BRIGHT_PROJECT_ID }}
+      run: |
+        # Retrieve OIDC token from GitHub
+        OIDC_TOKEN=$(curl -sS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+        "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')
+
+        # Post the token to BrightSec
+        RESPONSE=$(curl -s -X POST "https://${BRIGHT_HOSTNAME}/api/v1/projects/${BRIGHT_PROJECT_ID}/api-keys/oidc" \
+        -H "Content-Type: application/json" \
+        -d "{\"token\": \"${OIDC_TOKEN}\"}")
+
+        if ! echo "$RESPONSE" | jq -e . > /dev/null 2>&1; then
+          echo "Error: $RESPONSE" 1>&2
+          exit 1
+        fi
+
+        # Extract the pureKey
+        PURE_KEY=$(echo "$RESPONSE" | jq -r '.pureKey')
+
+        # Mask and store in environment
+        echo "::add-mask::$PURE_KEY"
+        echo "BRIGHT_TOKEN=$PURE_KEY" >> $GITHUB_ENV