diff --git a/scripts/run-test-suite.sh b/scripts/run-test-suite.sh
index b28e0bf..e5c846e 100755
--- a/scripts/run-test-suite.sh
+++ b/scripts/run-test-suite.sh
@@ -3,6 +3,7 @@ set -euo pipefail
 # Master test/security runner.
 # - npm audit (high+)
+# - lint / type-check / format check / tests
 # - Trivy file-system scan (HIGH/CRITICAL)
 # - OWASP ZAP baseline (unauthenticated)
 #
@@ -47,7 +48,36 @@ else
 record_result "npm audit" "SKIP" "npm not available"
 fi
-# 2) Trivy (fs by default)
+# 2) Lint / type-check / format / tests
+run_npm_check() {
+ local name="$1"; shift
+ local outfile="$RUN_DIR/${name}.txt"
+
+ if ! command -v npm >/dev/null 2>&1; then
+ log "npm not found; skipping ${name}"
+ record_result "${name}" "SKIP" "npm not available"
+ return
+ fi
+
+ if npm run 2>/dev/null | grep -qE "^ ${name}$"; then
+ log "Running ${name}..."
+ if npm run "${name}" >"$outfile" 2>&1; then
+ record_result "${name}" "PASS" "log"
+ else
+ record_result "${name}" "FAIL" "log"
+ fi
+ else
+ log "npm script '${name}' not defined; skipping"
+ record_result "${name}" "SKIP" "script not defined"
+ fi
+}
+
+run_npm_check "lint"
+run_npm_check "type-check"
+run_npm_check "format:check"
+run_npm_check "test"
+
+# 3) Trivy (fs by default)
 TRIVY_TARGET="${TRIVY_TARGET:-.}"
 TRIVY_MODE="${TRIVY_MODE:-fs}"
 if command -v trivy >/dev/null 2>&1; then
@@ -63,7 +93,7 @@ else
 record_result "Trivy" "SKIP" "trivy not available"
 fi
-# 3) OWASP ZAP baseline
+# 4) OWASP ZAP baseline
 TARGET="${TARGET:-https://test.lomavuokraus.fi}"
 ZAP_DIR="$RUN_DIR/zap"
 mkdir -p "$ZAP_DIR"
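Review bot: In `run_npm_check`, the `npm run 2>/dev/null | grep -qE …` detection fails open: any failure of the listing itself (an unreadable or invalid package.json, a change in npm's listing format, or possibly npm exiting non-zero on a closed pipe once `grep -q` has matched, since the script sets `pipefail`) falls into the else branch and is recorded as SKIP "script not defined". In a runner that gates on lint and tests, a check that silently drops to SKIP cannot be told apart from a project that never defined the script. Capture the listing first and report its failure separately, e.g. declare `local listing` and use `listing="$(npm run 2>/dev/null)" || { record_result "${name}" "FAIL" "npm run listing failed"; return; }`, then run the existing grep against `<<<"$listing"`. `${name}` is also interpolated into the regex unescaped, which is harmless for the four names passed here but deserves a comment, and the `shift` after `local name="$1"` has no effect because no further arguments are read.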