Initial commit: StreamFlow IPTV platform

2025-12-17 00:42:43 +00:00 · 2025-12-17 00:42:43 +00:00 · 73a8ae9ffd
commit 73a8ae9ffd
1240 changed files with 278451 additions and 0 deletions
--- a/docs/SECURITY_TESTING.md
+++ b/docs/SECURITY_TESTING.md
@ -0,0 +1,161 @@
+# Security Testing Configuration
+
+This directory contains security testing tools and configurations for StreamFlow IPTV.
+
+## Tools Implemented
+
+### SAST (Static Application Security Testing)
+
+1. **ESLint Security Plugin**
+   - Scans JavaScript/Node.js code for security vulnerabilities
+   - Detects: SQL injection, XSS, unsafe regex, eval usage, etc.
+   - Configuration: `backend/.eslintrc.js` and `frontend/.eslintrc.js`
+
+2. **Semgrep**
+   - Advanced static analysis for multiple languages
+   - Rules: p/security-audit, p/nodejs, p/javascript, p/express
+   - Detects: SQL injection, XSS, command injection, authentication issues
+
+3. **NPM Audit**
+   - Scans dependencies for known vulnerabilities
+   - Checks both backend and frontend packages
+   - Severity threshold: High
+
+4. **Snyk**
+   - Commercial-grade vulnerability scanning
+   - Requires SNYK_TOKEN secret in GitHub
+   - Sign up: https://snyk.io
+
+5. **Docker Security**
+   - **Trivy**: Vulnerability scanner for container images
+   - **Dockle**: Docker image linter for best practices
+
+### DAST (Dynamic Application Security Testing)
+
+1. **OWASP ZAP**
+   - Baseline scan: Quick security check
+   - Full scan: Comprehensive security analysis
+   - Tests running application for vulnerabilities
+   - Configuration: `.zap/rules.tsv`
+
+## Running Security Tests
+
+### Locally
+
+```bash
+# Run all local security checks
+./scripts/security-check.sh
+
+# Run backend security checks only
+cd backend
+npm run security:check
+
+# Run frontend security checks only
+cd frontend
+npm run security:check
+
+# Run specific checks
+npm run security:audit  # NPM audit only
+npm run security:lint   # ESLint security scan
+```
+
+### Automated (CI/CD)
+
+Security scans run automatically on:
+- Every push to `main` or `develop` branches
+- Every pull request
+- Daily at 2 AM (scheduled scan)
+
+View results in:
+- GitHub Actions → Security Testing workflow
+- GitHub Security → Code scanning alerts
+- Workflow artifacts (detailed reports)
+
+## Pre-commit Hook
+
+The pre-commit hook runs automatically before each commit and checks for:
+- High/critical vulnerabilities in dependencies
+- Hardcoded passwords or API keys
+- Attempts to commit .env files
+
+To bypass (not recommended):
+```bash
+git commit --no-verify
+```
+
+## Security Report Artifacts
+
+After each scan, the following artifacts are available:
+
+- `eslint-security-reports`: ESLint scan results
+- `npm-audit-reports`: NPM audit JSON reports
+- `zap-scan-reports`: OWASP ZAP HTML/JSON/MD reports
+- `security-summary-report`: Overall security summary
+
+## Configuration Files
+
+- `.github/workflows/security-scan.yml`: GitHub Actions workflow
+- `backend/.eslintrc.js`: Backend ESLint security rules
+- `frontend/.eslintrc.js`: Frontend ESLint security rules
+- `.zap/rules.tsv`: OWASP ZAP scanning rules
+- `scripts/security-check.sh`: Local security testing script
+
+## Best Practices
+
+1. **Run tests before pushing**
+   ```bash
+   ./scripts/security-check.sh
+   ```
+
+2. **Review security alerts**
+   - Check GitHub Security tab regularly
+   - Address high/critical vulnerabilities immediately
+
+3. **Keep dependencies updated**
+   ```bash
+   npm audit fix
+   npm outdated
+   ```
+
+4. **Never commit secrets**
+   - Use environment variables
+   - Add sensitive files to .gitignore
+   - Use GitHub Secrets for CI/CD
+
+5. **Review scan reports**
+   - Download artifacts from GitHub Actions
+   - Investigate all FAIL results from ZAP
+   - Fix WARN results when possible
+
+## Integration with Snyk (Optional)
+
+To enable Snyk scanning:
+
+1. Sign up at https://snyk.io
+2. Get your API token
+3. Add as GitHub secret: `SNYK_TOKEN`
+4. Uncomment Snyk job in workflow file
+
+## Troubleshooting
+
+**Error: "npm audit found vulnerabilities"**
+- Run `npm audit fix` in affected directory
+- For breaking changes: `npm audit fix --force`
+- Update manually: `npm update <package>`
+
+**Error: "ESLint security issues found"**
+- Review output for security violations
+- Fix issues or add ESLint disable comments with justification
+- Never disable security rules without review
+
+**ZAP scan failures**
+- Review ZAP HTML report in artifacts
+- Check `.zap/rules.tsv` configuration
+- Some warnings may be false positives
+
+## Additional Resources
+
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [Semgrep Rules](https://semgrep.dev/explore)
+- [ESLint Security Plugin](https://github.com/eslint-community/eslint-plugin-security)
+- [OWASP ZAP](https://www.zaproxy.org/docs/)