diff --git a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
index dafc754b2..f8df51174 100644
--- a/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
+++ b/Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs
@@ -7,6 +7,7 @@
using System;
using System.Net;
using System.Threading.Tasks;
+using static Lombiq.Tests.UI.Services.OrchardCoreUITestExecutorConfiguration;
namespace Lombiq.Tests.UI.SecurityScanning;
@@ -50,6 +51,49 @@ public static Task RunAndAssertFullSecurityScanAsync(
configure,
assertSecurityScanResult);
+ ///
+ /// If the bot is configured to sign in as admin first.
+ /// Time limit for the active scan altogether.
+ /// Time limit for the individual rules in the active scan.
+ ///
+ /// This extension method makes changes to the normal configuration of the test to be more suited for CI operation.
+ /// It changes the to not do any retries because this is a long running
+ /// test. It also replaces the app log assertion logic with the specialized version for security scans, . The scan is configured to ignore the admin dashboard, optionally log
+ /// in as admin, and use the provided time limits for the "active scan" portion of the security scan.
+ ///
+ public static Task RunAndConfigureAndAssertFullSecurityScanForAutomationAsync(
+ this UITestContext context,
+ Action additionalConfiguration = null,
+ Action assertSecurityScanResult = null,
+ bool doSignIn = true,
+ int maxScanDurationInMinutes = 10,
+ int maxRuleDurationInMinutes = 2)
+ {
+ // Ignore some validation errors that only happen during security tests.
+ context.Configuration.AssertAppLogsAsync = UseAssertAppLogsForSecurityScan();
+
+ // This takes over 10 minutes and the session will certainly time out with retries.
+ context.Configuration.MaxRetryCount = 0;
+
+ return context.RunAndAssertFullSecurityScanAsync(
+ configuration =>
+ {
+ // Signing in ensures full access and that the bot won't have to interact with the login screen.
+ if (doSignIn) configuration.SignIn();
+
+ // There is no need to security scan the admin dashboard.
+ configuration.ExcludeUrlWithRegex(@".*/Admin/.*");
+
+ // Active scan takes a very long time, this is not practical in CI.
+ configuration.ModifyZapPlan(plan => plan
+ .SetActiveScanMaxDuration(maxScanDurationInMinutes, maxRuleDurationInMinutes));
+
+ additionalConfiguration?.Invoke(configuration);
+ },
+ assertSecurityScanResult);
+ }
+
///
/// Run a Zed Attack Proxy (ZAP) security scan against an app with the
/// GraphQL Automation Framework profile and runs assertions on the result (see
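Review bot: The exclusion pattern in `configuration.ExcludeUrlWithRegex(@".*/Admin/.*");` is case-sensitive and requires a trailing slash, while ASP.NET Core routing matches paths case-insensitively, so `/admin/...` or a bare `/Admin` would presumably stay in scope. This matters more than in an anonymous scan because `doSignIn` defaults to true, so any admin URL the pattern misses is exercised by the active scan under an admin session instead of being skipped. Assuming the pattern reaches ZAP as a Java regex, something like `@"(?i).*/Admin([/?].*)?"` would close both gaps; if the app under test can change its admin prefix, the remarks should state that only the default prefix is excluded. Separately, `maxScanDurationInMinutes` and `maxRuleDurationInMinutes` are passed through unchecked and ZAP's active scan job treats 0 as unlimited, so a guard rejecting values below 1 (or a sentence in the parameter docs) would keep the CI time bound meaningful.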
/// Time limit for the active scan altogether.
- /// Time limit for the individual rule scans in minutes.
+ /// Time limit for the individual rule scans.
public static void SetActiveScanMaxDuration(
this YamlDocument yamlDocument,
int maxScanDurationInMinutes,