Add master test suite runner for security tools

PROGRESS.md

@@ -30,6 +30,7 @@
 - Testing environment wiring added: dedicated namespace (`lomavuokraus-test`), deploy wrapper (`deploy/deploy-test.sh`), API host support, and a DNS updater for `test.lomavuokraus.fi` / `apitest.lomavuokraus.fi`.
 - Access control tightened: middleware now gates admin routes, admin-only pages check session/role, API handlers return proper 401/403, and listing removal is limited to owners/admins (no more moderator overrides).
 - Security: added OWASP ZAP baseline helper (`scripts/zap-baseline.sh`) and documentation (`docs/security.html`) for quick unauthenticated scans against test/staging/prod.
+- Added master test suite runner (`scripts/run-test-suite.sh`) that executes npm audit, Trivy scan, and ZAP baseline and writes HTML summaries under `reports/runs/`.
 - Backend/data: Added Prisma models (User/Listing/ListingTranslation/ListingImage), seed script creates sample listing; DB on Hetzner VM `46.62.203.202`, staging secrets set in `lomavuokraus-web-secrets`.
 - Auth: Register/login/verify flows; session cookie (`session_token`), NavBar shows email+role badge. Roles: USER, ADMIN, USER_MODERATOR (approve users), LISTING_MODERATOR (approve listings). Admin can change roles at `/admin/users`.
 - Listing flow: create listing (session required), pending/published with admin/moderator approvals; pages for “My listings,” “New listing,” “Profile.” Quick actions tile removed; all actions in navbar.

docs/security.html

@@ -22,6 +22,22 @@
           <li>Docker image: <code>owasp/zap2docker-stable</code> (override with <code>ZAP_IMAGE</code>).</li>
         </ul>
       </section>
+      <section class="card">
+        <h2>Full test suite</h2>
+        <ul>
+          <li>Script: <code>scripts/run-test-suite.sh</code></li>
+          <li>Runs: <code>npm audit</code> (high), Trivy fs scan, ZAP baseline.</li>
+          <li>Outputs: <code>reports/runs/&lt;timestamp&gt;/summary.html</code> with links to all tool reports.</li>
+          <li>Config:
+            <ul>
+              <li><code>TARGET</code>: ZAP target URL (default test env).</li>
+              <li><code>TRIVY_TARGET</code>/<code>TRIVY_MODE</code>: adjust Trivy scope (fs/image).</li>
+              <li><code>ZAP_IMAGE</code>: override container image if needed.</li>
+            </ul>
+          </li>
+          <li>Example: <code>TARGET=https://staging.lomavuokraus.fi TRIVY_MODE=fs ./scripts/run-test-suite.sh</code></li>
+        </ul>
+      </section>
       <section class="card">
         <h2>Auth considerations</h2>
         <ul>

scripts/run-test-suite.sh

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Master test/security runner.
+# - npm audit (high+)
+# - Trivy file-system scan (HIGH/CRITICAL)
+# - OWASP ZAP baseline (unauthenticated)
+#
+# Outputs are written under reports/runs/<timestamp>/ and summarized in summary.html.
+#
+# Env vars:
+#   TARGET           - URL to scan with ZAP (default: https://test.lomavuokraus.fi)
+#   TRIVY_TARGET     - Path or image to scan (default: current directory)
+#   TRIVY_MODE       - "fs" (default) or "image"
+#   ZAP_IMAGE        - Override ZAP image (default in zap-baseline.sh)
+#   TIMEOUT_MINUTES  - ZAP timeout minutes (default in zap-baseline.sh)
+
+RUN_TS=$(date +"%Y%m%d-%H%M%S")
+RUN_DIR="reports/runs/${RUN_TS}"
+mkdir -p "$RUN_DIR"
+
+SUMMARY_ROWS=()
+
+log() {
+  echo "[$(date +"%H:%M:%S")] $*"
+}
+
+record_result() {
+  local name="$1"; shift
+  local status="$1"; shift
+  local detail="$1"; shift
+  SUMMARY_ROWS+=("<tr><td>${name}</td><td>${status}</td><td>${detail}</td></tr>")
+}
+
+# 1) npm audit
+if command -v npm >/dev/null 2>&1; then
+  log "Running npm audit (high)..."
+  AUDIT_JSON="$RUN_DIR/npm-audit.json"
+  AUDIT_TXT="$RUN_DIR/npm-audit.txt"
+  if npm audit --audit-level=high --json >"$AUDIT_JSON" 2>"$AUDIT_TXT"; then
+    record_result "npm audit" "PASS" "<a href=\"npm-audit.txt\">text</a> | <a href=\"npm-audit.json\">json</a>"
+  else
+    record_result "npm audit" "FAIL" "<a href=\"npm-audit.txt\">text</a> | <a href=\"npm-audit.json\">json</a>"
+  fi
+else
+  log "npm not found; skipping npm audit"
+  record_result "npm audit" "SKIP" "npm not available"
+fi
+
+# 2) Trivy (fs by default)
+TRIVY_TARGET="${TRIVY_TARGET:-.}"
+TRIVY_MODE="${TRIVY_MODE:-fs}"
+if command -v trivy >/dev/null 2>&1; then
+  log "Running Trivy (${TRIVY_MODE}) on ${TRIVY_TARGET}..."
+  TRIVY_TXT="$RUN_DIR/trivy.txt"
+  if trivy "${TRIVY_MODE}" --severity HIGH,CRITICAL --timeout 5m "$TRIVY_TARGET" >"$TRIVY_TXT"; then
+    record_result "Trivy (${TRIVY_MODE})" "PASS" "<a href=\"trivy.txt\">report</a>"
+  else
+    record_result "Trivy (${TRIVY_MODE})" "FAIL" "<a href=\"trivy.txt\">report</a>"
+  fi
+else
+  log "Trivy not found; skipping"
+  record_result "Trivy" "SKIP" "trivy not available"
+fi
+
+# 3) OWASP ZAP baseline
+TARGET="${TARGET:-https://test.lomavuokraus.fi}"
+ZAP_DIR="$RUN_DIR/zap"
+mkdir -p "$ZAP_DIR"
+log "Running ZAP baseline against ${TARGET}..."
+if TARGET="$TARGET" REPORT_DIR="$ZAP_DIR" "${BASH_SOURCE%/*}/zap-baseline.sh"; then
+  record_result "OWASP ZAP baseline" "PASS" "<a href=\"zap/zap-report.html\">HTML</a> | <a href=\"zap/zap-report.json\">JSON</a>"
+else
+  record_result "OWASP ZAP baseline" "FAIL" "<a href=\"zap/zap-report.html\">HTML</a> | <a href=\"zap/zap-report.json\">JSON</a>"
+fi
+
+# Summary HTML
+SUMMARY_FILE="$RUN_DIR/summary.html"
+cat >"$SUMMARY_FILE" <<EOF
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <title>Test Suite Summary - ${RUN_TS}</title>
+  <style>
+    body { font-family: Arial, sans-serif; padding: 20px; background: #0b0d11; color: #e9ecf1; }
+    table { border-collapse: collapse; width: 100%; margin-top: 12px; }
+    th, td { border: 1px solid #333; padding: 8px; }
+    th { background: #111827; }
+    a { color: #7cc7ff; }
+  </style>
+</head>
+<body>
+  <h1>Test Suite Summary</h1>
+  <div>Run: ${RUN_TS}</div>
+  <div>Target: ${TARGET}</div>
+  <table>
+    <thead><tr><th>Check</th><th>Status</th><th>Details</th></tr></thead>
+    <tbody>
+      ${SUMMARY_ROWS[*]}
+    </tbody>
+  </table>
+</body>
+</html>
+EOF
+
+log "Done. Reports in ${RUN_DIR}"
+echo "Open ${SUMMARY_FILE} in a browser for the summary."