<!doctype html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <title>Security Testing</title>
  <link rel="stylesheet" href="./style.css" />
</head>
<body>
  <header>
    <h1>Security Testing</h1>
    <div class="meta">
      Quick OWASP ZAP baseline checks against any deployed environment.
    </div>
  </header>
  <main class="grid">
    <section class="card">
      <h2>Baseline scan</h2>
      <ul>
        <li>Script: <code>scripts/zap-baseline.sh</code></li>
        <li>
          Default target: <code>https://test.lomavuokraus.fi</code> (override
          with <code>TARGET</code>).
        </li>
        <li>
          Reports: <code>reports/security/zap-report.html</code> (JSON and XML
          versions are written alongside it).
        </li>
        <li>
          Example:
          <code>TARGET=https://staging.lomavuokraus.fi ./scripts/zap-baseline.sh</code>
        </li>
        <li>
          Duration: about 5 minutes by default (override with
          <code>TIMEOUT_MINUTES</code>).
        </li>
        <li>
          Docker image: <code>owasp/zap2docker-stable</code> (override with
          <code>ZAP_IMAGE</code>).
        </li>
      </ul>
    </section>
    <section class="card">
      <h2>Full test suite</h2>
      <ul>
        <li>Script: <code>scripts/run-test-suite.sh</code></li>
        <li>
          Runs: <code>npm audit</code> (at the high audit level), Trivy fs scan,
          ZAP baseline.
        </li>
        <li>
          Outputs: <code>reports/runs/&lt;timestamp&gt;/summary.html</code> with
          links to all tool reports, plus a textual summary printed to the
          console. Index of all runs: <code>reports/index.html</code>.
        </li>
        <li>
          Config:
          <ul>
            <li>
              <code>TARGET</code>: ZAP target URL (defaults to the test
              environment).
            </li>
            <li>
              <code>TRIVY_TARGET</code> / <code>TRIVY_MODE</code>: adjust the
              Trivy scope (<code>fs</code> or <code>image</code>).
            </li>
            <li><code>ZAP_IMAGE</code>: override the container image if needed.</li>
          </ul>
        </li>
        <li>
          Example:
          <code>TARGET=https://staging.lomavuokraus.fi TRIVY_MODE=fs ./scripts/run-test-suite.sh</code>
        </li>
      </ul>
    </section>
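    <section class="card">
      <h2>Example: suite orchestration skeleton</h2>
      <p>
        The script below is an added example, not the project's
        <code>scripts/run-test-suite.sh</code>. It shows the orchestration shape
        the "Full test suite" card describes (npm audit, Trivy, ZAP baseline;
        one <code>reports/runs/&lt;timestamp&gt;/</code> directory per run;
        <code>summary.html</code> plus a console summary; a
        <code>reports/index.html</code> listing all runs) and the one behaviour
        that is easy to get wrong: a tool that exits non-zero because it found
        something (<code>npm audit</code> does at the configured level, Trivy
        with <code>--exit-code 1</code>, and ZAP baseline on FAIL/WARN) must be
        recorded as failed while the remaining tools still run. The names
        <code>REPORTS_DIR</code>, <code>new_run</code>, <code>run_step</code>,
        <code>finish_run</code> and <code>count_failures</code> are this
        example's own; only the env vars come from the page.
      </p>

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts/run-test-suite.sh: orchestrates
# npm audit, Trivy and ZAP baseline, records each tool's exit status in
# reports/runs/<timestamp>/summary.html, and keeps going when a tool fails.
# REPORTS_DIR and the function names are this example's assumptions.
set -u   # deliberately no -e: findings are counted, not fatal for the run

: "${REPORTS_DIR:=reports}"
: "${TRIVY_MODE:=fs}"                 # fs or image, as on the page
: "${TRIVY_TARGET:=.}"
: "${ZAP_IMAGE:=owasp/zap2docker-stable}"

# new_run BASE: create BASE/runs/<timestamp>/ with an empty summary table and
# print the run directory path.
new_run() {
  local dir="$1/runs/$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$dir"
  printf '<h1>Run %s</h1>\n<table>\n<tr><th>Tool</th><th>Status</th><th>Report</th></tr>\n' \
    "${dir##*/}" >"$dir/summary.html"
  printf '%s' "$dir"
}

# run_step RUN_DIR NAME REPORT CMD...: run CMD with its output captured to
# NAME.log, append a row to summary.html, print "NAME status" to the console.
# Returns CMD's exit status; the caller decides to carry on (it should).
run_step() {
  local dir="$1" name="$2" report="$3"; shift 3
  local status=0 label=pass
  "$@" >"$dir/$name.log" 2>&1 || status=$?
  [ "$status" -eq 0 ] || label="fail (exit $status)"
  printf '<tr><td>%s</td><td>%s</td><td><a href="%s">%s</a> | <a href="%s.log">log</a></td></tr>\n' \
    "$name" "$label" "$report" "$report" "$name" >>"$dir/summary.html"
  printf '%-12s %s\n' "$name" "$label"
  return "$status"
}

# finish_run BASE RUN_DIR FAILED: close the summary table, add this run to
# BASE/index.html, and return 1 when any step failed so CI can gate on it.
finish_run() {
  local base="$1" dir="$2" failed="$3"
  printf '</table>\n<p>%s failed step(s)</p>\n' "$failed" >>"$dir/summary.html"
  [ -f "$base/index.html" ] || printf '<h1>Security test runs</h1>\n' >"$base/index.html"
  printf '<p><a href="runs/%s/summary.html">%s</a>: %s failed</p>\n' \
    "${dir##*/}" "${dir##*/}" "$failed" >>"$base/index.html"
  [ "$failed" -eq 0 ]
}

# count_failures RUN_DIR: number of rows in summary.html marked as failed.
count_failures() {
  grep -c '<td>fail' "$1/summary.html" || true
}

# The three tool steps. Each writes its report into the run directory given
# as $1; the tool's own exit code signals findings.
step_npm_audit() { npm audit --audit-level=high --json >"$1/npm-audit.json"; }
step_trivy() {
  trivy "$TRIVY_MODE" --severity HIGH,CRITICAL --exit-code 1 \
    --format json --output "$1/trivy.json" "$TRIVY_TARGET"
}
step_zap() {
  docker run --rm -v "$(cd "$1" && pwd):/zap/wrk:rw" -t "$ZAP_IMAGE" \
    zap-baseline.py -t "$TARGET" -r zap-report.html
}

main() {
  if [ -z "${TARGET:-}" ]; then
    echo "TARGET is not set; nothing scanned (set TARGET=https://... to run)" >&2
    return 0
  fi
  local dir failed=0
  dir=$(new_run "$REPORTS_DIR")
  run_step "$dir" npm-audit npm-audit.json step_npm_audit "$dir" || failed=$((failed + 1))
  run_step "$dir" trivy trivy.json step_trivy "$dir" || failed=$((failed + 1))
  run_step "$dir" zap zap-report.html step_zap "$dir" || failed=$((failed + 1))
  echo "summary: $dir/summary.html ($failed failed)"
  finish_run "$REPORTS_DIR" "$dir" "$failed"
}
main
```

      <p>
        Without <code>TARGET</code> the script only defines its functions and
        exits 0, so it can be sourced and exercised without any of the tools
        installed. The point of <code>set -u</code> without <code>-e</code> is
        that <code>npm audit</code> exiting non-zero on a high finding would
        otherwise abort the run before Trivy and ZAP produce their reports;
        the overall verdict is taken from <code>finish_run</code> instead.
      </p>
    </section>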
    <section class="card">
      <h2>Auth considerations</h2>
      <ul>
        <li>
          The baseline scan is unauthenticated; it covers public pages and
          APIs only.
        </li>
        <li>
          For authenticated testing, generate a session cookie manually and
          pass it via the <code>-z</code> extras in the script, or run an
          active scan with a ZAP context file.
        </li>
        <li>
          Keep admin credentials out of the script; prefer test accounts and
          the testing environment.
        </li>
      </ul>
    </section>
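    <section class="card">
      <h2>Example: baseline wrapper with optional session cookie</h2>
      <p>
        The script below is an added example, not the project's
        <code>scripts/zap-baseline.sh</code>. It serves both the "Baseline
        scan" card (turning <code>TARGET</code>, <code>TIMEOUT_MINUTES</code>
        and <code>ZAP_IMAGE</code> into a ZAP baseline container invocation)
        and the "Auth considerations" card (passing a manually obtained
        session cookie through the <code>-z</code> extras, using ZAP's
        replacer rule to add a <code>Cookie</code> header to every request).
        <code>REPORT_DIR</code> and <code>SESSION_COOKIE</code> are assumed
        names, and mapping <code>TIMEOUT_MINUTES</code> onto the baseline
        script's <code>-T</code> option is this example's choice; the page
        does not say how its script does it.
      </p>

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts/zap-baseline.sh. Builds the ZAP
# baseline container command from the env vars the page documents and, when
# SESSION_COOKIE is set, injects it via "-z" using ZAP's replacer rule.
# REPORT_DIR and SESSION_COOKIE are assumed names, not from the page.
set -eu

: "${TARGET:=https://test.lomavuokraus.fi}"
: "${TIMEOUT_MINUTES:=5}"
: "${ZAP_IMAGE:=owasp/zap2docker-stable}"
: "${REPORT_DIR:=reports/security}"   # assumed; the page names the report file only
: "${SESSION_COOKIE:=}"               # e.g. "session=...", empty = unauthenticated

# validate_target URL: accept only https:// URLs so a typo or an unset
# variable cannot point the scanner at an unintended scheme or host.
validate_target() {
  case "$1" in
    https://[A-Za-z0-9]*) return 0 ;;
    *) echo "TARGET must be an https:// URL, got '$1'" >&2; return 1 ;;
  esac
}

# auth_extras COOKIE: print the ZAP -config options that make the replacer
# add "Cookie: COOKIE" to every request ZAP sends. Prints nothing for "".
auth_extras() {
  local cookie="$1" p='replacer.full_list(0)'
  [ -n "$cookie" ] || return 0
  printf -- '-config %s.description=session -config %s.enabled=true' "$p" "$p"
  printf -- ' -config %s.matchtype=REQ_HEADER -config %s.matchstr=Cookie' "$p" "$p"
  printf -- ' -config %s.regex=false -config %s.replacement=%s' "$p" "$p" "$cookie"
}

# zap_baseline_cmd TARGET MINUTES IMAGE [COOKIE]: print the docker command.
# -T is zap-baseline.py's overall time limit in minutes; -r/-J/-x write the
# HTML/JSON/XML reports into the mounted /zap/wrk directory.
zap_baseline_cmd() {
  local target="$1" minutes="$2" image="$3" cookie="${4:-}"
  local extras
  extras=$(auth_extras "$cookie")
  printf 'docker run --rm -v %s:/zap/wrk:rw -t %s zap-baseline.py -t %s -T %s' \
    "$PWD/$REPORT_DIR" "$image" "$target" "$minutes"
  printf ' -r zap-report.html -J zap-report.json -x zap-report.xml'
  if [ -n "$extras" ]; then
    printf ' -z "%s"' "$extras"
  fi
  printf '\n'
}

main() {
  validate_target "$TARGET"
  # Printed rather than executed so the example runs without Docker. A real
  # wrapper should assemble the same arguments in an array and exec docker
  # with it; never eval a string that embeds a cookie value.
  printf 'Would run:\n%s\n' \
    "$(zap_baseline_cmd "$TARGET" "$TIMEOUT_MINUTES" "$ZAP_IMAGE" "$SESSION_COOKIE")"
}
main
```

      <p>
        Usage: <code>SESSION_COOKIE='session=...' TARGET=https://staging.lomavuokraus.fi ./zap-baseline-example.sh</code>
        prints the command it would run. The cookie never lands in the script
        itself, which is what the "keep credentials out of the script" rule
        asks for; it also ends up in the ZAP log and the container's process
        list, so use a test account's session and rotate it afterwards.
        <code>zap-baseline.py</code> exits 0 on pass, 1 on at least one FAIL,
        2 on WARN only and 3 on other errors, so a CI wrapper should treat
        anything other than 0 and 2 as a failed step. Note that ZAP now
        publishes its images as <code>ghcr.io/zaproxy/zaproxy:stable</code>;
        if the <code>owasp/zap2docker-stable</code> tag stops receiving
        updates, <code>ZAP_IMAGE</code> is the override point.
      </p>
    </section>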
    <section class="card">
      <h2>Next steps</h2>
      <ul>
        <li>
          Add ZAP active scans with a context file and a logged-in session for
          deeper coverage.
        </li>
        <li>Consider scheduling scans against the test environment before releases.</li>
        <li>Track findings in issues; rerun after auth or role changes.</li>
      </ul>
    </section>
  </main>
</body>
</html>