iulian/streamflow
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
streamflow/docs/SECURITY_TESTING.md
aiulian25 73a8ae9ffd Initial commit: StreamFlow IPTV platform
2025-12-17 00:42:43 +00:00

161 lines
4.3 KiB
Markdown
Raw Blame History

# Security Testing Configuration
This directory contains security testing tools and configurations for StreamFlow IPTV.
## Tools Implemented
### SAST (Static Application Security Testing)
1. **ESLint Security Plugin**
- Scans JavaScript/Node.js code for security vulnerabilities
- Detects: SQL injection, XSS, unsafe regex, eval usage, etc.
- Configuration: `backend/.eslintrc.js` and `frontend/.eslintrc.js`
2. **Semgrep**
- Advanced static analysis for multiple languages
- Rules: p/security-audit, p/nodejs, p/javascript, p/express
- Detects: SQL injection, XSS, command injection, authentication issues
3. **NPM Audit**
- Scans dependencies for known vulnerabilities
- Checks both backend and frontend packages
- Severity threshold: High
4. **Snyk**
- Commercial-grade vulnerability scanning
- Requires SNYK_TOKEN secret in GitHub
- Sign up: https://snyk.io
5. **Docker Security**
- **Trivy**: Vulnerability scanner for container images
- **Dockle**: Docker image linter for best practices
### DAST (Dynamic Application Security Testing)
1. **OWASP ZAP**
- Baseline scan: Quick security check
- Full scan: Comprehensive security analysis
- Tests running application for vulnerabilities
- Configuration: `.zap/rules.tsv`
## Running Security Tests
### Locally
```bash
# Run all local security checks
./scripts/security-check.sh
# Run backend security checks only
cd backend
npm run security:check
# Run frontend security checks only
cd frontend
npm run security:check
# Run specific checks
npm run security:audit # NPM audit only
npm run security:lint # ESLint security scan
```
### Automated (CI/CD)
Security scans run automatically on:
- Every push to `main` or `develop` branches
- Every pull request
- Daily at 2 AM (scheduled scan)
View results in:
- GitHub Actions → Security Testing workflow
- GitHub Security → Code scanning alerts
- Workflow artifacts (detailed reports)
## Pre-commit Hook
The pre-commit hook runs automatically before each commit and checks for:
- High/critical vulnerabilities in dependencies
- Hardcoded passwords or API keys
- Attempts to commit .env files
To bypass (not recommended):
```bash
git commit --no-verify
```
## Security Report Artifacts
After each scan, the following artifacts are available:
- `eslint-security-reports`: ESLint scan results
- `npm-audit-reports`: NPM audit JSON reports
- `zap-scan-reports`: OWASP ZAP HTML/JSON/MD reports
- `security-summary-report`: Overall security summary
## Configuration Files
- `.github/workflows/security-scan.yml`: GitHub Actions workflow
- `backend/.eslintrc.js`: Backend ESLint security rules
- `frontend/.eslintrc.js`: Frontend ESLint security rules
- `.zap/rules.tsv`: OWASP ZAP scanning rules
- `scripts/security-check.sh`: Local security testing script
## Best Practices
1. **Run tests before pushing**
```bash
./scripts/security-check.sh
```
2. **Review security alerts**
- Check GitHub Security tab regularly
- Address high/critical vulnerabilities immediately
3. **Keep dependencies updated**
```bash
npm audit fix
npm outdated
```
4. **Never commit secrets**
- Use environment variables
- Add sensitive files to .gitignore
- Use GitHub Secrets for CI/CD
5. **Review scan reports**
- Download artifacts from GitHub Actions
- Investigate all FAIL results from ZAP
- Fix WARN results when possible
## Integration with Snyk (Optional)
To enable Snyk scanning:
1. Sign up at https://snyk.io
2. Get your API token
3. Add as GitHub secret: `SNYK_TOKEN`
4. Uncomment Snyk job in workflow file
## Troubleshooting
**Error: "npm audit found vulnerabilities"**
- Run `npm audit fix` in affected directory
- For breaking changes: `npm audit fix --force`
- Update manually: `npm update <package>`
**Error: "ESLint security issues found"**
- Review output for security violations
- Fix issues or add ESLint disable comments with justification
- Never disable security rules without review
**ZAP scan failures**
- Review ZAP HTML report in artifacts
- Check `.zap/rules.tsv` configuration
- Some warnings may be false positives
## Additional Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Semgrep Rules](https://semgrep.dev/explore)
- [ESLint Security Plugin](https://github.com/eslint-community/eslint-plugin-security)
- [OWASP ZAP](https://www.zaproxy.org/docs/)
Reference in a new issue View git blame Copy permalink