streamflow/docs/SECURITY_TESTING.md

# Security Testing Configuration
This directory contains security testing tools and configurations for StreamFlow IPTV.
## Tools Implemented
### SAST (Static Application Security Testing)
1. **ESLint Security Plugin**
   - Scans JavaScript/Node.js code for security vulnerabilities
   - Detects: SQL injection, XSS, unsafe regex, eval usage, etc.
   - Configuration: `backend/.eslintrc.js` and `frontend/.eslintrc.js`
2. **Semgrep**
   - Advanced static analysis for multiple languages
   - Rules: p/security-audit, p/nodejs, p/javascript, p/express
   - Detects: SQL injection, XSS, command injection, authentication issues
3. **NPM Audit**
   - Scans dependencies for known vulnerabilities
   - Checks both backend and frontend packages
   - Severity threshold: High
4. **Snyk**
   - Commercial-grade vulnerability scanning
   - Requires `SNYK_TOKEN` secret in GitHub
   - Sign up: https://snyk.io
5. **Docker Security**
   - **Trivy**: Vulnerability scanner for container images
   - **Dockle**: Docker image linter for best practices
### DAST (Dynamic Application Security Testing)
1. **OWASP ZAP**
   - Baseline scan: Quick security check
   - Full scan: Comprehensive security analysis
   - Tests the running application for vulnerabilities
   - Configuration: `.zap/rules.tsv`
## Running Security Tests
### Locally
```bash
# Run all local security checks
./scripts/security-check.sh
# Run backend security checks only
cd backend
npm run security:check
# Run frontend security checks only
cd frontend
npm run security:check
# Run specific checks
npm run security:audit # NPM audit only
npm run security:lint # ESLint security scan
```
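The NPM Audit entry above sets the severity threshold at High, and `scripts/security-check.sh` is the script that enforces it locally. The following is an added example of such a gate, written for this page and not StreamFlow's own script: it reads the `metadata.vulnerabilities` block that `npm audit --json` emits (npm 6 and later), counts High and Critical findings, and returns non-zero so a CI step or hook can stop. The function names and the `backend`/`frontend` argument convention are assumptions.

```shell
#!/bin/sh
# Added example (not StreamFlow's scripts/security-check.sh): a dependency gate that
# fails when `npm audit --json` reports anything at or above the High threshold.
# It parses the "metadata.vulnerabilities" block that npm 6+ emits.

# Print the count for one severity ("info", "low", "moderate", "high", "critical",
# "total") from npm audit JSON given as $1. Prints 0 when the key is absent.
audit_count() {
  count=$(printf '%s' "$1" | tr -d ' \n\t' \
    | sed -n "s/.*\"metadata\":{\"vulnerabilities\":{[^}]*\"$2\":\([0-9]*\).*/\1/p")
  printf '%s' "${count:-0}"
}

# Return 0 (true) when the report contains High or Critical findings, 1 otherwise.
audit_exceeds_threshold() {
  high=$(audit_count "$1" high)
  critical=$(audit_count "$1" critical)
  [ "$((high + critical))" -gt 0 ]
}

# Run the audit in one package directory ($1) and print a one-line verdict.
# Returns 1 when the threshold is exceeded or the directory is not a package.
run_audit_gate() {
  dir=$1
  if [ ! -f "$dir/package.json" ]; then
    echo "FAIL $dir: no package.json found"
    return 1
  fi
  # npm audit exits non-zero whenever it finds anything; the JSON is still complete.
  report=$(cd "$dir" && npm audit --json 2>/dev/null) || true
  if audit_exceeds_threshold "$report"; then
    echo "FAIL $dir: high=$(audit_count "$report" high) critical=$(audit_count "$report" critical)"
    return 1
  fi
  echo "PASS $dir: no High/Critical vulnerabilities (moderate=$(audit_count "$report" moderate))"
}

# Only touches real packages when invoked as: sh audit-gate.sh backend frontend
for d in "$@"; do
  run_audit_gate "$d" || exit 1
done
```

Parsing the JSON instead of relying on `npm audit --audit-level=high`'s exit code lets the script print the actual counts in the summary and treat a missing `package.json` as a failure rather than a silent pass.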
### Automated (CI/CD)
Security scans run automatically on:
- Every push to `main` or `develop` branches
- Every pull request
- Daily at 2 AM (scheduled scan)
View results in:
- GitHub Actions → Security Testing workflow
- GitHub Security → Code scanning alerts
- Workflow artifacts (detailed reports)
## Pre-commit Hook
The pre-commit hook runs automatically before each commit and checks for:
- High/critical vulnerabilities in dependencies
- Hardcoded passwords or API keys
- Attempts to commit .env files
To bypass (not recommended):
```bash
git commit --no-verify
```
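The hook described above blocks two kinds of commit content: environment files and literal credentials. Here is an added example of how those two checks can be written as a POSIX `pre-commit` script; it is not StreamFlow's own hook, the secret pattern is an assumption (name such as password/secret/api key/token, then `=` or `:`, then a quoted literal of 8+ characters), and the dependency check is left to `npm audit` rather than repeated here.

```shell
#!/bin/sh
# Added example of the two content checks a pre-commit hook can perform
# (not StreamFlow's own hook): refuse staged .env files and flag literal credentials.

# Assumed pattern: a password/secret/api key/token name, "=" or ":", then a quoted
# literal of 8+ characters. Values read from process.env or a config object do not match.
SECRET_PATTERN="(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}[\"']"

# Return 0 when $1 (a repo-relative path) is an environment file that must not be
# committed; templates such as .env.example are allowed through.
is_env_file() {
  case "$(basename "$1")" in
    .env.example|.env.sample|.env.template) return 1 ;;
    .env|.env.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "line:content" for every suspected literal secret in file $1.
# Returns 0 when at least one line matched, 1 when the file is clean.
scan_file_for_secrets() {
  grep -n -E -i "$SECRET_PATTERN" "$1"
}

# Check every staged (added/copied/modified) file; return 1 to abort the commit.
check_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    if is_env_file "$f"; then
      echo "BLOCKED: $f is an environment file; add it to .gitignore instead"
      status=1
    fi
    if [ -f "$f" ] && hits=$(scan_file_for_secrets "$f"); then
      echo "BLOCKED: possible hardcoded credential in $f:"
      echo "$hits"
      status=1
    fi
  done
  return $status
}

# Git runs the hook as .git/hooks/pre-commit, so the checks run only under that name.
case "$0" in
  */pre-commit) check_staged || exit 1 ;;
esac
```

Install it by copying the file to `.git/hooks/pre-commit` and making it executable. The pattern is deliberately simple and will also flag placeholder strings in test fixtures, which is the situation where `git commit --no-verify` gets used; a per-repository allowlist is the usual answer to that.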
## Security Report Artifacts
After each scan, the following artifacts are available:
- `eslint-security-reports`: ESLint scan results
- `npm-audit-reports`: NPM audit JSON reports
- `zap-scan-reports`: OWASP ZAP HTML/JSON/MD reports
- `security-summary-report`: Overall security summary
## Configuration Files
- `.github/workflows/security-scan.yml`: GitHub Actions workflow
- `backend/.eslintrc.js`: Backend ESLint security rules
- `frontend/.eslintrc.js`: Frontend ESLint security rules
- `.zap/rules.tsv`: OWASP ZAP scanning rules
- `scripts/security-check.sh`: Local security testing script
## Best Practices
1. **Run tests before pushing**
   ```bash
   ./scripts/security-check.sh
   ```
2. **Review security alerts**
   - Check GitHub Security tab regularly
   - Address high/critical vulnerabilities immediately
3. **Keep dependencies updated**
   ```bash
   npm audit fix
   npm outdated
   ```
4. **Never commit secrets**
   - Use environment variables
   - Add sensitive files to .gitignore
   - Use GitHub Secrets for CI/CD
5. **Review scan reports**
   - Download artifacts from GitHub Actions
   - Investigate all FAIL results from ZAP
   - Fix WARN results when possible
## Integration with Snyk (Optional)
To enable Snyk scanning:
1. Sign up at https://snyk.io
2. Get your API token
3. Add as GitHub secret: `SNYK_TOKEN`
4. Uncomment Snyk job in workflow file
## Troubleshooting
**Error: "npm audit found vulnerabilities"**
- Run `npm audit fix` in affected directory
- If the fix requires a major-version (breaking) upgrade: `npm audit fix --force`
- Update manually: `npm update <package>`
**Error: "ESLint security issues found"**
- Review output for security violations
- Fix issues or add ESLint disable comments with justification
- Never disable security rules without review
**ZAP scan failures**
- Review ZAP HTML report in artifacts
- Check `.zap/rules.tsv` configuration
- Some warnings may be false positives
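Both the DAST configuration entry and the troubleshooting step above point at `.zap/rules.tsv`. ZAP's baseline scan reads that file as one rule per line, tab-separated: `<plugin id>`, an action of `IGNORE`, `WARN` or `FAIL`, and a free-text comment; blank lines and `#` lines are skipped. The following is an added example (not part of StreamFlow) of a small validator to run before the scan, so a space-separated or misspelled rule is caught in CI instead of being silently ignored by ZAP. The sample rules in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of StreamFlow): sanity-check a ZAP baseline rules file.
# Format: "<plugin id><TAB><IGNORE|WARN|FAIL><TAB><comment>", one rule per line;
# blank lines and lines starting with "#" are ignored.

# Validate the file at $1. Prints one message per problem; returns 0 when the file
# is well-formed, 1 otherwise.
validate_zap_rules() {
  status=0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in ''|'#'*) continue ;; esac
    # cut without -s echoes the whole line when there is no tab, so a space-separated
    # rule fails both checks below, which is the most common mistake in this file.
    id=$(printf '%s\n' "$line" | cut -f1)
    action=$(printf '%s\n' "$line" | cut -f2)
    case "$id" in
      ''|*[!0-9]*) echo "line $lineno: plugin id must be numeric, got '$id'"; status=1 ;;
    esac
    case "$action" in
      IGNORE|WARN|FAIL) ;;
      *) echo "line $lineno: action must be IGNORE, WARN or FAIL, got '$action'"; status=1 ;;
    esac
  done < "$1"
  return $status
}

# Print how many rules in $1 use action $2 (e.g. FAIL), so a CI step can report how
# strict the configuration is. Always returns 0; the count is the output.
count_zap_action() {
  grep -v '^#' "$1" | cut -f2 | grep -c "^$2\$" || true
}
```

Run it as `validate_zap_rules .zap/rules.tsv` from the security-check script; reporting `count_zap_action .zap/rules.tsv FAIL` alongside makes it obvious when a change has quietly downgraded every rule to `WARN`.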
## Additional Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Semgrep Rules](https://semgrep.dev/explore)
- [ESLint Security Plugin](https://github.com/eslint-community/eslint-plugin-security)
- [OWASP ZAP](https://www.zaproxy.org/docs/)