
Security Testing Evidence

Reviewed on: 2026-01-21
Status: Draft (partial execution)

This document summarizes security-related test execution in the repository and lists gaps that still require action.

Executed Tests (Local Evidence)

The following .NET test projects were executed in this workspace (net8.0); each entry is the .trx result file produced by that run:

  • artifacts/test-results/PrimusSaaS.Security.Tests.trx
  • artifacts/test-results/PrimusSaaS.Security.Reporting.Tests.trx
  • artifacts/test-results/PrimusSaaS.Security.AI.Tests.trx
  • artifacts/test-results/PrimusSaaS.Identity.Validator.Tests.trx
  • artifacts/test-results/Primus.Payments.Tests.trx
  • artifacts/test-results/Primus.Notifications.Tests.trx
  • artifacts/test-results/Primus.Storage.Tests.trx
  • artifacts/test-results/Primus.Documents.Tests.trx
  • artifacts/test-results/Primus.AI.Tests.trx
  • artifacts/test-results/PrimusSaaS.FeatureFlags.Tests.trx
  • artifacts/test-results/PrimusSaaS.Logging.Tests.net8.trx
  • artifacts/test-results/LiveDemoApi.Tests.trx
  • artifacts/test-results/Primus.IntegrationTests.trx

Note: PrimusSaaS.Logging.Tests targets net7.0 and net8.0. Only net8.0 was executed in this workspace due to missing net7.0 runtime.
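Executed .trx files prove that a run happened, not that it passed. The helper below, an added example and not part of this repository's scripts, reads the ResultSummary counters from a .trx document so the evidence list can be checked for failed or skipped tests; the sample .trx content is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# XML namespace used by Visual Studio / dotnet test .trx result files.
TRX_NS = {"t": "http://microsoft.com/schemas/VisualStudio/TeamTest/2010"}

# Constructed sample .trx content (not a real artifact from artifacts/test-results).
SAMPLE_TRX = """<TestRun xmlns="http://microsoft.com/schemas/VisualStudio/TeamTest/2010">
  <ResultSummary outcome="Completed">
    <Counters total="12" executed="12" passed="11" failed="1" />
  </ResultSummary>
</TestRun>
"""


def summarize_trx(xml_text: str) -> dict:
    """Return the total/executed/passed/failed counters of one .trx document."""
    root = ET.fromstring(xml_text)
    counters = root.find("t:ResultSummary/t:Counters", TRX_NS)
    if counters is None:
        raise ValueError("no ResultSummary/Counters element in .trx")
    return {key: int(counters.get(key, "0"))
            for key in ("total", "executed", "passed", "failed")}


def is_clean_evidence(summary: dict) -> bool:
    """A run counts as clean evidence only if every test executed and none failed."""
    return (summary["total"] > 0
            and summary["executed"] == summary["total"]
            and summary["failed"] == 0)


def check_results_dir(results_dir: str) -> dict:
    """Map each .trx file name under results_dir to its counter summary."""
    return {path.name: summarize_trx(path.read_text(encoding="utf-8"))
            for path in Path(results_dir).glob("*.trx")}


if __name__ == "__main__":
    # Example: flag any file in the evidence directory that is not clean.
    for name, summary in check_results_dir("artifacts/test-results").items():
        status = "OK" if is_clean_evidence(summary) else "ATTENTION"
        print(f"{status:9} {name}: {summary}")
```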

Dependency and Secret Scans (Local Evidence)

  • artifacts/test-results/dotnet-vulnerable.log (dotnet list package --vulnerable, run against the solution)
  • artifacts/test-results/npm-audit/summary.json (multi-package npm audit summary)
  • artifacts/test-results/secret-scan.log (custom scan for hardcoded secrets with placeholder filtering)

Note: scripts/Run-SecurityScan.ps1 is available but did not complete in this workspace due to long-running dependency checks. Individual scans above were executed to provide evidence.

Summary (local):

  • dotnet-vulnerable.log: No vulnerable packages reported for solution projects.
  • npm-audit/summary.json: 0 vulnerabilities reported for audited packages.
  • secret-scan.log: 0 findings after placeholder filtering and directory exclusions.

Note: dotnet-vulnerable.log covers only projects referenced by Primus SaaS.sln. Projects outside the solution were not scanned.

Audited npm packages (summary.json):

  • packages/cli
  • packages/primus-cli
  • packages/create-primus-app
  • packages/docs
  • portal/frontend
  • sdk/logging/nodejs
  • sdk/nodejs/primus-ai-client
  • sdk/nodejs/primus-documents
  • sdk/nodejs/primus-identity-validator
  • sdk/nodejs/primus-onboarding
  • sdk/nodejs/primus-payments
  • sdk/nodejs/primus-feature-flags
  • sdk/react/primus-ui
  • sdk/angular/primus-ui
  • sdk/security/nodejs/eslint-plugin-primus-security
  • sdk/security/shared/taint-bridge

Examples, demos, and test apps were excluded from npm audit scope per current release criteria.

Known Gaps

  • No SAST pipeline evidence beyond unit tests.
  • No DAST or penetration test evidence.
  • No production load or performance testing evidence.
  • No compliance audit evidence (US or India).

Actions Required

  • Run SAST and dependency scan in CI and archive results.
  • Perform DAST against deployed environments.
  • Execute load tests aligned to expected production traffic.
  • Complete compliance review and sign-off.

Review Log

  • 2026-01-21: Evidence collected from local test runs. Further validation pending.