# Security Testing Configuration

This directory contains security testing tools and configurations for StreamFlow IPTV.

## Tools Implemented

### SAST (Static Application Security Testing)

1. **ESLint Security Plugin**
   - Scans JavaScript/Node.js code for dangerous coding patterns
   - Detects: unsafe regular expressions, `eval()` with non-literal input, non-literal `require()` and filesystem paths, `child_process` usage, possible timing attacks, etc. The plugin is pattern-based and has no SQL injection or XSS rules of its own; Semgrep covers those classes.
   - Configuration: `backend/.eslintrc.js` and `frontend/.eslintrc.js`

2. **Semgrep**
   - Advanced static analysis for multiple languages
   - Rules: p/security-audit, p/nodejs, p/javascript, p/express
   - Detects: SQL injection, XSS, command injection, authentication issues

3. **NPM Audit**
   - Scans dependencies for known vulnerabilities
   - Checks both backend and frontend packages
   - Severity threshold: High (high and critical findings fail the scan; moderate and lower are reported but do not fail it)

4. **Snyk**
   - Commercial-grade vulnerability scanning
   - Requires the `SNYK_TOKEN` secret in GitHub
   - Sign up: https://snyk.io

5. **Docker Security**
   - **Trivy**: Vulnerability scanner for container images
   - **Dockle**: Docker image linter for best practices

### DAST (Dynamic Application Security Testing)

1.
   **OWASP ZAP**
   - Baseline scan: quick, mostly passive check
   - Full scan: comprehensive active scan (it sends attack payloads, so point it at a test deployment, never at production)
   - Tests the running application for vulnerabilities
   - Configuration: `.zap/rules.tsv`

## Running Security Tests

### Locally

```bash
# Run all local security checks (from the repository root)
./scripts/security-check.sh

# Run backend security checks only
cd backend
npm run security:check

# Run frontend security checks only
cd frontend
npm run security:check

# Run specific checks
npm run security:audit   # NPM audit only
npm run security:lint    # ESLint security scan
```

### Automated (CI/CD)

Security scans run automatically on:
- Every push to `main` or `develop` branches
- Every pull request
- Daily at 2 AM UTC (scheduled scan; GitHub Actions cron schedules run in UTC)

View results in:
- GitHub Actions → Security Testing workflow
- GitHub Security → Code scanning alerts
- Workflow artifacts (detailed reports)

## Pre-commit Hook

The pre-commit hook runs automatically before each commit and checks for:
- High/critical vulnerabilities in dependencies
- Hardcoded passwords or API keys
- Attempts to commit `.env` files

To bypass (not recommended; the CI scans still run on the pushed commit):
```bash
git commit --no-verify
```

## Security Report Artifacts

After each scan, the following artifacts are available:
- `eslint-security-reports`: ESLint scan results
- `npm-audit-reports`: NPM audit JSON reports
- `zap-scan-reports`: OWASP ZAP HTML/JSON/MD reports
- `security-summary-report`: Overall security summary

## Configuration Files

- `.github/workflows/security-scan.yml`: GitHub Actions workflow
- `backend/.eslintrc.js`: Backend ESLint security rules
- `frontend/.eslintrc.js`: Frontend ESLint security rules
- `.zap/rules.tsv`: OWASP ZAP scanning rules
- `scripts/security-check.sh`: Local security testing script

## Best Practices

1. **Run tests before pushing**
   ```bash
   ./scripts/security-check.sh
   ```
2. **Review security alerts**
   - Check the GitHub Security tab regularly
   - Address high/critical vulnerabilities immediately
3. **Keep dependencies updated**
   ```bash
   npm audit fix
   npm outdated
   ```
4.
   **Never commit secrets**
   - Use environment variables
   - Add sensitive files to `.gitignore`
   - Use GitHub Secrets for CI/CD
5. **Review scan reports**
   - Download artifacts from GitHub Actions
   - Investigate all FAIL results from ZAP
   - Fix WARN results when possible

## Integration with Snyk (Optional)

To enable Snyk scanning:
1. Sign up at https://snyk.io
2. Get your API token
3. Add it as a GitHub secret named `SNYK_TOKEN`
4. Uncomment the Snyk job in the workflow file

## Troubleshooting

**Error: "npm audit found vulnerabilities"**
- Run `npm audit fix` in the affected directory
- For fixes that need a semver-major upgrade: `npm audit fix --force` (this installs breaking versions; run the test suite afterwards and review the `package-lock.json` diff)
- Update manually: `npm update <package>`

**Error: "ESLint security issues found"**
- Review the output for security violations
- Fix the issues, or add an ESLint disable comment with a written justification
- Never disable security rules without review

**ZAP scan failures**
- Review the ZAP HTML report in the artifacts
- Check the `.zap/rules.tsv` configuration (it maps each rule id to IGNORE, WARN or FAIL)
- Some warnings may be false positives; confirm against the application before downgrading a rule

## Additional Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Semgrep Rules](https://semgrep.dev/explore)
- [ESLint Security Plugin](https://github.com/eslint-community/eslint-plugin-security)
- [OWASP ZAP](https://www.zaproxy.org/docs/)
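## Example: the local checks as shell functions

The following is an added example for this README, not the project's own `scripts/security-check.sh` or pre-commit hook. It shows the three checks described under "Running Security Tests" and "Pre-commit Hook" (npm audit with a High threshold, hardcoded credentials, `.env` files) as POSIX shell functions that a local script, a hook or CI could call. The function names, the `run` / `pre-commit` arguments and the sample inputs are assumptions made here; the only external behaviour relied on is that `npm audit --json` (npm 7+) reports per-severity counts under `metadata.vulnerabilities`.

```shell
#!/bin/sh
# Added example, not the project's own script. Assumed: npm 7+ ("npm audit --json"
# puts per-severity counts under metadata.vulnerabilities), git, grep -o and sed.
set -eu

# Sum the "high" and "critical" counts of "npm audit --json" output read from stdin.
# Only metadata.vulnerabilities stores those keys with numeric values; per-advisory
# entries use "severity": "high" (a string), so they cannot match this pattern.
audit_high_critical_count() {
  total=0
  for n in $(grep -oE '"(high|critical)": *[0-9]+' | sed 's/[^0-9]//g'); do
    total=$((total + n))
  done
  echo "$total"
}

# Run npm audit in DIR, keep the JSON report, and fail only when the High
# threshold is exceeded. npm audit itself exits non-zero for any finding, so
# its exit code is ignored and the severity counts decide.
audit_dir() {
  (cd "$1" && npm audit --json > npm-audit.json) || true
  n=$(audit_high_critical_count < "$1/npm-audit.json")
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n high/critical vulnerabilities in $1 (see $1/npm-audit.json)" >&2
    return 1
  fi
  echo "OK: no high/critical vulnerabilities in $1"
}

# Credential patterns: a quoted literal of 8+ characters assigned to a
# password/secret/api key/token name, or an AWS access key id. Values that start
# with $ (template expansion) and process.env.* references do not match.
SQ="'"
SECRET_RE="(password|passwd|secret|api[_-]?key|token)[A-Za-z0-9_]* *[:=] *[\"$SQ][^\"$SQ\$][^\"$SQ]{7,}[\"$SQ]"
AWS_KEY_RE='AKIA[0-9A-Z]{16}'

# Print matching lines (with line numbers) from the given files, or from stdin.
# Exit status is grep's: 0 when something suspicious was found, 1 when clean.
find_hardcoded_secrets() {
  grep -niE -e "$SECRET_RE" -e "$AWS_KEY_RE" "$@"
}

# .env and .env.<stage> must never be committed; documented templates are fine.
is_blocked_env_file() {
  case "$(basename "$1")" in
    .env.example|.env.sample|.env.template) return 1 ;;
    .env|.env.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pre-commit check over the staged (added/copied/modified) files.
precommit_check() {
  staged=$(mktemp)
  git diff --cached --name-only --diff-filter=ACM > "$staged"
  rc=0
  while IFS= read -r f; do
    if is_blocked_env_file "$f"; then
      echo "BLOCKED: $f is an environment file; add it to .gitignore instead" >&2
      rc=1
    elif [ -f "$f" ] && find_hardcoded_secrets "$f"; then
      echo "BLOCKED: possible hardcoded credential in $f (matches above)" >&2
      rc=1
    fi
  done < "$staged"
  rm -f "$staged"
  return $rc
}

# Constructed sample inputs (not real scan output or project code) so the
# functions can be exercised without npm or a git repository.
sample_audit_json() {
  cat <<'EOF'
{
  "vulnerabilities": {
    "lodash": { "severity": "high", "via": [ { "severity": "high" } ] }
  },
  "metadata": {
    "vulnerabilities": { "info": 0, "low": 2, "moderate": 1, "high": 1, "critical": 3, "total": 7 }
  }
}
EOF
}

sample_config_js() {
  cat <<'EOF'
const db = {
  host: process.env.DB_HOST,
  password: "SuperSecret123!",
  apiKey: process.env.API_KEY,
};
const awsKey = "AKIAIOSFODNN7EXAMPLE";
module.exports = db;
EOF
}

case "${1:-}" in
  run)        rc=0; audit_dir backend || rc=1; audit_dir frontend || rc=1; exit $rc ;;
  pre-commit) precommit_check ;;
esac
```

Saved as a script, `./security-check.sh run` audits both package trees and fails on the High threshold, and a `.git/hooks/pre-commit` file containing `exec ./security-check.sh pre-commit` blocks staged `.env` files and likely credential literals. On the constructed samples above, `sample_audit_json | audit_high_critical_count` reports 4 (1 high + 3 critical) and `sample_config_js | find_hardcoded_secrets` flags the `password:` line and the AWS key line while leaving the `process.env` references alone. The credential pattern is deliberately simple; it will flag some non-secrets (any `token...` assignment of a long literal), which is why the README asks for review rather than blind suppression.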