Various doc fixes.

Lombiq.Tests.UI.Samples/Tests/SecurityScanningTests.cs

@@ -58,9 +58,11 @@ public Task BasicSecurityScanShouldPass() =>
     // - Configures sign in with a user account. This is what the scan will start with. This doesn't matter much with
     //   the Blog recipe, because nothing on the frontend will change. You can use this to scan authenticated features
     //   too. This is necessary because ZAP uses its own spider so it doesn't share session or cookies with the browser.
-    // The suppressions are not actually necessary here. The BasicSecurityScanShouldPass works fine without them. They
-    // are only present to illustrate the type of adjustments you may want for your own site.
-    // After the configuration, you can also configure the assertion that verifies test success.
+    // - The assertion on the scan results is custom. Use this if you (conditionally) want to assert on the results
+    //   differently from the global context.Configuration.SecurityScanningConfiguration.AssertSecurityScanResult. The
+    //   default there is "no scanning alert is allowed"; we expect some alerts here.
+    // - The suppressions are not actually necessary here. The BasicSecurityScanShouldPass works fine without them. They
+    //   are only present to illustrate the type of adjustments you may want for your own site.
     [Fact]
     public Task SecurityScanWithCustomConfigurationShouldPass() =>
         ExecuteTestAfterSetupAsync(

Lombiq.Tests.UI/SecurityScanning/SecurityScanConfiguration.cs

@@ -34,6 +34,13 @@ public class SecurityScanConfiguration
     public bool AjaxSpiderIsUsed { get; private set; }
     public string SignInUserName { get; private set; }
 
+    /// <summary>
+    /// Gets a value indicating whether the security scan should not visit the <see cref="ErrorController"/> to test
+    /// for correct error handling. This is achieved by adding the error page URL to the configuration with <see
+    /// cref="YamlDocumentExtensions.AddRequestor"/>.
+    /// </summary>
+    public bool DontScanErrorPage { get; private set; }
+
     internal SecurityScanConfiguration()
     {
     }

Lombiq.Tests.UI/SecurityScanning/SecurityScanningConfiguration.cs

@@ -31,12 +31,6 @@ public class SecurityScanningConfiguration
     /// </summary>
     public Action<UITestContext, SarifLog> AssertSecurityScanResult { get; set; } = AssertSecurityScanHasNoAlerts;
 
-    /// <summary>
-    /// Gets a value indicating whether the security scan should not visit the <see cref="ErrorController"/> to test
-    /// for correct error handling. This is achieved by running the scan a second time without leaving that page.
-    /// </summary>
-    public bool DontScanErrorPage { get; private set; }
-
     public static readonly Action<UITestContext, SarifLog> AssertSecurityScanHasNoAlerts = (_, sarifLog) =>
         sarifLog.Runs[0].Results.ShouldBeEmptyWhen(
             result =>

Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs

@@ -161,7 +161,7 @@ public static async Task RunAndAssertSecurityScanAsync(
             result = await context.RunSecurityScanAsync(automationFrameworkYamlPath, scanConfiguration =>
             {
                 // Verify that error page handling also works by visiting a known error page with no logging.
-                if (!configuration.DontScanErrorPage)
+                if (!scanConfiguration.DontScanErrorPage)
                 {
                     var errorUrl = context.GetAbsoluteUrlOfAction<ErrorController>(controller => controller.Index());
                     scanConfiguration.ModifyZapPlan(yamlDocument => yamlDocument.AddRequestor(errorUrl.AbsoluteUri));