# Security Testing Configuration

This directory contains security testing tools and configurations for StreamFlow IPTV.
## Tools Implemented

### SAST (Static Application Security Testing)

- **ESLint Security Plugin**
  - Scans JavaScript/Node.js code for security vulnerabilities
  - Detects: SQL injection, XSS, unsafe regex, eval usage, etc.
  - Configuration: `backend/.eslintrc.js` and `frontend/.eslintrc.js`

- **Semgrep**
  - Advanced static analysis for multiple languages
  - Rules: `p/security-audit`, `p/nodejs`, `p/javascript`, `p/express`
  - Detects: SQL injection, XSS, command injection, authentication issues

- **NPM Audit**
  - Scans dependencies for known vulnerabilities
  - Checks both backend and frontend packages
  - Severity threshold: High

- **Snyk**
  - Commercial-grade vulnerability scanning
  - Requires the `SNYK_TOKEN` secret in GitHub
  - Sign up: https://snyk.io

- **Docker Security**
  - Trivy: Vulnerability scanner for container images
  - Dockle: Docker image linter for best practices

### DAST (Dynamic Application Security Testing)

- **OWASP ZAP**
  - Baseline scan: Quick security check
  - Full scan: Comprehensive security analysis
  - Tests the running application for vulnerabilities
  - Configuration: `.zap/rules.tsv`
## Running Security Tests

### Locally

```bash
# Run all local security checks
./scripts/security-check.sh

# Run backend security checks only
cd backend
npm run security:check

# Run frontend security checks only
cd frontend
npm run security:check

# Run specific checks
npm run security:audit   # NPM audit only
npm run security:lint    # ESLint security scan
```
### Automated (CI/CD)

Security scans run automatically on:
- Every push to the `main` or `develop` branches
- Every pull request
- Daily at 2 AM (scheduled scan)

View results in:
- GitHub Actions → Security Testing workflow
- GitHub Security → Code scanning alerts
- Workflow artifacts (detailed reports)
## Pre-commit Hook

The pre-commit hook runs automatically before each commit and checks for:
- High/critical vulnerabilities in dependencies
- Hardcoded passwords or API keys
- Attempts to commit `.env` files

To bypass (not recommended):

```bash
git commit --no-verify
```
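As an added illustration (not the project's own hook, whose contents are not shown in this directory), the following POSIX shell script implements the three pre-commit checks listed above against the staged index content. The credential regex, the `.env.example` exemption and the `backend`/`frontend` directory names are assumptions made for this example.

```shell
#!/bin/sh
# Added example of a pre-commit hook implementing the three checks listed above; not the
# project's own hook. The credential regex, the dotenv rule and the backend/frontend
# directory names are assumptions made for this illustration.

# A password/secret/api key/token assigned a quoted literal of 8+ characters.
# Reads such as process.env.API_KEY are not quoted literals and do not match.
SECRET_PATTERN="(password|passwd|secret|api[_-]?key|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# Succeeds when the content on stdin looks like it holds a hardcoded credential.
has_hardcoded_secret() { grep -E -i -q "$SECRET_PATTERN"; }

# Succeeds for dotenv files (.env, .env.local, ...) but not for the .env.example
# template, which is expected to contain placeholders only.
is_env_file() {
    case "${1##*/}" in
        .env.example) return 1 ;;
        .env|.env.*)  return 0 ;;
        *)            return 1 ;;
    esac
}

# Fails when npm audit finds high or critical issues in a package directory; skipped
# when the directory has no lockfile or npm is not installed.
dependency_audit() {
    [ -f "$1/package-lock.json" ] && command -v npm >/dev/null 2>&1 || return 0
    (cd "$1" && npm audit --audit-level=high >/dev/null 2>&1)
}

# Inspect staged (index) content rather than the working tree and block the commit on
# any finding. Paths containing whitespace are not handled by this loop.
run_precommit_checks() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        if is_env_file "$f"; then
            echo "BLOCKED: $f is a dotenv file; add it to .gitignore instead" >&2; status=1
        elif git show ":$f" | has_hardcoded_secret; then
            echo "BLOCKED: possible hardcoded credential in $f; use an env variable" >&2; status=1
        fi
    done
    for d in backend frontend; do
        dependency_audit "$d" || { echo "BLOCKED: high/critical vulnerabilities in $d" >&2; status=1; }
    done
    return $status
}

# Run only when installed as .git/hooks/pre-commit, so the functions can also be sourced
# by tests; 'git commit --no-verify' skips the hook entirely.
case "${0##*/}" in pre-commit) run_precommit_checks || exit 1 ;; esac
```

Install it by copying the file to `.git/hooks/pre-commit` and making it executable; the regex is deliberately narrow, so treat it as a first line of defence rather than a complete secret scanner.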
## Security Report Artifacts

After each scan, the following artifacts are available:
- `eslint-security-reports`: ESLint scan results
- `npm-audit-reports`: NPM audit JSON reports
- `zap-scan-reports`: OWASP ZAP HTML/JSON/MD reports
- `security-summary-report`: Overall security summary
## Configuration Files

- `.github/workflows/security-scan.yml`: GitHub Actions workflow
- `backend/.eslintrc.js`: Backend ESLint security rules
- `frontend/.eslintrc.js`: Frontend ESLint security rules
- `.zap/rules.tsv`: OWASP ZAP scanning rules
- `scripts/security-check.sh`: Local security testing script
## Best Practices

- **Run tests before pushing**
  ```bash
  ./scripts/security-check.sh
  ```
- **Review security alerts**
  - Check the GitHub Security tab regularly
  - Address high/critical vulnerabilities immediately
- **Keep dependencies updated**
  ```bash
  npm audit fix
  npm outdated
  ```
- **Never commit secrets**
  - Use environment variables
  - Add sensitive files to `.gitignore`
  - Use GitHub Secrets for CI/CD
- **Review scan reports**
  - Download artifacts from GitHub Actions
  - Investigate all FAIL results from ZAP
  - Fix WARN results when possible
## Integration with Snyk (Optional)

To enable Snyk scanning:
- Sign up at https://snyk.io
- Get your API token
- Add it as the GitHub secret `SNYK_TOKEN`
- Uncomment the Snyk job in the workflow file
## Troubleshooting

### Error: "npm audit found vulnerabilities"
- Run `npm audit fix` in the affected directory
- For breaking changes: `npm audit fix --force`
- Update manually: `npm update <package>`

### Error: "ESLint security issues found"
- Review the output for security violations
- Fix the issues or add ESLint disable comments with justification
- Never disable security rules without review

### ZAP scan failures
- Review the ZAP HTML report in the artifacts
- Check the `.zap/rules.tsv` configuration
- Some warnings may be false positives