lomavuokraus/docs/security.html
2025-12-11 20:36:04 +02:00
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Security Testing</title>
<link rel="stylesheet" href="./style.css" />
</head>
<body>
<header>
<h1>Security Testing</h1>
<div class="meta">Quick OWASP ZAP baseline checks against any deployed environment.</div>
</header>
<main class="grid">
<section class="card">
<h2>Baseline scan</h2>
<ul>
<li>Script: <code>scripts/zap-baseline.sh</code></li>
<li>Default target: <code>https://test.lomavuokraus.fi</code> (override with <code>TARGET</code>).</li>
<li>Reports: <code>reports/security/zap-report.html</code> (also JSON/XML).</li>
<li>Example: <code>TARGET=https://staging.lomavuokraus.fi ./scripts/zap-baseline.sh</code></li>
<li>Duration: ~5 minutes by default (override with the <code>TIMEOUT_MINUTES</code> env var).</li>
<li>Docker image: <code>owasp/zap2docker-stable</code> (override with <code>ZAP_IMAGE</code>).</li>
</ul>
</section>
<section class="card">
<h2>Full test suite</h2>
<ul>
<li>Script: <code>scripts/run-test-suite.sh</code></li>
<li>Runs: <code>npm audit</code> (high severity level), Trivy fs scan, ZAP baseline.</li>
<li>Outputs: <code>reports/runs/&lt;timestamp&gt;/summary.html</code> with links to all tool reports and a textual summary printed to the console.</li>
<li>Config:
<ul>
<li><code>TARGET</code>: ZAP target URL (defaults to the test environment).</li>
<li><code>TRIVY_TARGET</code>/<code>TRIVY_MODE</code>: adjust Trivy scope (fs/image).</li>
<li><code>ZAP_IMAGE</code>: override container image if needed.</li>
</ul>
</li>
<li>Example: <code>TARGET=https://staging.lomavuokraus.fi TRIVY_MODE=fs ./scripts/run-test-suite.sh</code></li>
</ul>
</section>
<section class="card">
<h2>Auth considerations</h2>
<ul>
<li>The baseline scan is unauthenticated; it covers public pages and APIs.</li>
<li>For authenticated testing, generate a session cookie manually and pass it via the <code>-z</code> extras in the script, or run an active scan with a ZAP context file.</li>
<li>Keep admin credentials out of the script; prefer test accounts and the testing environment.</li>
</ul>
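<p>As an added example (not the project's <code>scripts/zap-baseline.sh</code>), a small wrapper that runs the baseline scan from the Docker image above with a test account's session cookie injected on every request through a ZAP replacer rule passed via <code>-z</code>; the <code>SESSION_COOKIE</code> and <code>REPORT_DIR</code> variables and the mapping of <code>TIMEOUT_MINUTES</code> to the baseline script's <code>-T</code> option are assumptions.</p>

```shell
#!/bin/sh
# Added example, not the project's scripts/zap-baseline.sh. Runs the ZAP
# baseline scan from the page's Docker image with a session cookie injected
# on every request so logged-in pages are covered. The cookie comes from the
# environment (a test account), never from the script. SESSION_COOKIE,
# REPORT_DIR and mapping TIMEOUT_MINUTES to zap-baseline's -T are assumptions.
set -eu

TARGET="${TARGET:-https://test.lomavuokraus.fi}"
ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"
TIMEOUT_MINUTES="${TIMEOUT_MINUTES:-5}"
REPORT_DIR="${REPORT_DIR:-reports/security}"
SESSION_COOKIE="${SESSION_COOKIE:-}"   # e.g. "session=<value from a test login>"

# zap-baseline.py splits the -z string on whitespace, so a cookie containing
# a space would turn into bogus ZAP options; reject it before starting.
# An empty cookie is allowed and simply means an unauthenticated scan.
check_cookie() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the -z extras: ZAP -config keys defining one replacer rule that sets
# the Cookie request header. Empty cookie -> empty string (no -z at all).
build_zap_extras() {
  [ -n "$1" ] || return 0
  r='replacer.full_list(0)'
  out="-config $r.description=session -config $r.enabled=true"
  out="$out -config $r.matchtype=REQ_HEADER -config $r.matchstr=Cookie"
  out="$out -config $r.regex=false -config $r.replacement=$1"
  printf '%s' "$out"
}

run_scan() {
  extras="$(build_zap_extras "$SESSION_COOKIE")"
  mkdir -p "$REPORT_DIR"
  # REPORT_DIR is mounted as ZAP's working dir so reports land where the docs
  # say (reports/security/zap-report.*); -z is passed as one argument.
  docker run --rm -v "$(pwd)/$REPORT_DIR:/zap/wrk/:rw" -t "$ZAP_IMAGE" \
    zap-baseline.py -t "$TARGET" -T "$TIMEOUT_MINUTES" \
    -r zap-report.html -J zap-report.json -x zap-report.xml \
    ${extras:+-z "$extras"}
}

check_cookie "$SESSION_COOKIE" || { echo "SESSION_COOKIE must not contain whitespace" >&2; exit 2; }
# Invoke as: SESSION_COOKIE=... ./zap-authed.sh run  (no argument: define only)
if [ "${1:-}" = "run" ]; then run_scan; fi
```

Without <code>SESSION_COOKIE</code> the wrapper behaves like the plain baseline scan; the replacer rule is only added when a cookie is supplied.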
</section>
<section class="card">
<h2>Next steps</h2>
<ul>
<li>Add ZAP active scans with a context and a logged-in session for deeper coverage.</li>
<li>Consider scheduling scans against the test environment before releases.</li>
<li>Track findings in issues; rerun after authentication or role changes.</li>
</ul>
</section>
</main>
</body>
</html>