Baseline scan

• Script: scripts/zap-baseline.sh
• Default target: https://test.lomavuokraus.fi (override with TARGET).
• Reports: reports/security/zap-report.html (also JSON/XML).
• Example: TARGET=https://staging.lomavuokraus.fi ./scripts/zap-baseline.sh
• Duration: ~5 minutes by default (TIMEOUT_MINUTES env).
• Docker image: owasp/zap2docker-stable (override with ZAP_IMAGE).

Full test suite

• Script: scripts/run-test-suite.sh
• Runs: npm audit (high), Trivy fs scan, ZAP baseline.
• Outputs: reports/runs/<timestamp>/summary.html with links to all tool reports and a textual summary printed to the console. Index of all runs: reports/index.html.
• Config:
  • TARGET: ZAP target URL (default test env).
  • TRIVY_TARGET/TRIVY_MODE: adjust Trivy scope (fs/image).
  • ZAP_IMAGE: override container image if needed.
• Example: TARGET=https://staging.lomavuokraus.fi TRIVY_MODE=fs ./scripts/run-test-suite.sh

Auth considerations

• The baseline scan is unauthenticated; it covers public pages and APIs.
• For authenticated testing, generate a session cookie manually and pass via -z extras in the script or run an active scan with a ZAP context file.
• Keep admin creds out of the script; prefer test accounts and the testing environment.

Next steps

• Add ZAP active scans with context + logged-in session for deeper coverage.
• Consider scheduling scans against test env before releases.
• Track findings in issues; rerun after auth/role changes.