akanealw
eec8c28fb3
Some checks are pending
Go Benchmark / Performance Regression Check (push) Waiting to run
Cerberus Integration / Cerberus Security Stack Integration (push) Waiting to run
Upload Coverage to Codecov / Backend Codecov Upload (push) Waiting to run
Upload Coverage to Codecov / Frontend Codecov Upload (push) Waiting to run
CodeQL - Analyze / CodeQL analysis (go) (push) Waiting to run
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Waiting to run
CrowdSec Integration / CrowdSec Bouncer Integration (push) Waiting to run
Docker Build, Publish & Test / build-and-push (push) Waiting to run
Docker Build, Publish & Test / Security Scan PR Image (push) Blocked by required conditions
Quality Checks / Auth Route Protection Contract (push) Waiting to run
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Waiting to run
Quality Checks / Backend (Go) (push) Waiting to run
Quality Checks / Frontend (React) (push) Waiting to run
Rate Limit integration / Rate Limiting Integration (push) Waiting to run
Security Scan (PR) / Trivy Binary Scan (push) Waiting to run
Supply Chain Verification (PR) / Verify Supply Chain (push) Waiting to run
WAF integration / Coraza WAF Integration (push) Waiting to run
4.9 KiB
Executable File
4.9 KiB
Executable File
QA Report — PR #754: Enable and Test Gotify and Custom Webhook Notifications
Branch: feature/beta-release
Date: 2026-02-25
Auditor: QA Security Agent
Summary
| # | Check | Result | Details |
|---|---|---|---|
| 1 | Local Patch Coverage Preflight | WARN | 79.5% overall (threshold 90%), 78.3% backend (threshold 85%) — advisory only |
| 2 | Backend Coverage ≥ 85% | PASS | 87.0% statement / 87.3% line (threshold 87%) |
| 3 | Frontend Coverage ≥ 85% | PASS | 88.21% statement / 88.97% line (threshold 85%) |
| 4 | TypeScript Type Check | PASS | Zero errors |
| 5 | Pre-commit Hooks | PASS | All 15 hooks passed |
| 6a | Trivy Filesystem Scan | PASS | 0 CRITICAL/HIGH in project code (findings only in Go module cache) |
| 6b | Docker Image Scan | WARN | 1 HIGH in Caddy transitive dep (CVE-2026-25793, nebula v1.9.7 → fixed 1.10.3) |
| 6c | CodeQL (Go + JavaScript) | PASS | 0 errors, 0 warnings across both languages |
| 7 | GORM Security Scan | PASS | 0 CRITICAL/HIGH (2 INFO suggestions: missing indexes on UserPermittedHost) |
| 8 | Go Vulnerability Check | PASS | No vulnerabilities found |
Detailed Findings
1. Local Patch Coverage Preflight
- Status: WARN (advisory, not blocking per policy)
- Overall patch coverage: 79.5% (threshold: 90%)
- Backend patch coverage: 78.3% (threshold: 85%)
- Artifacts generated but
test-results/directory was not persisted at repo root - Action: Consider adding targeted tests for uncovered changed lines in notification service/handler
2. Backend Unit Test Coverage
- Status: PASS
- Statement coverage: 87.0%
- Line coverage: 87.3%
- All tests passed (0 failures)
3. Frontend Unit Test Coverage
- Status: PASS
- Statement coverage: 88.21%
- Branch coverage: 80.58%
- Function coverage: 85.20%
- Line coverage: 88.97%
- All tests passed (0 failures)
- Coverage files generated:
lcov.info,coverage-summary.json,coverage-final.json
4. TypeScript Type Check
- Status: PASS
tsc --noEmitcompleted with zero errors
5. Pre-commit Hooks
- Status: PASS
- All hooks passed:
- fix end of files
- trim trailing whitespace
- check yaml
- check for added large files
- shellcheck
- actionlint (GitHub Actions)
- dockerfile validation
- Go Vet
- golangci-lint (Fast Linters - BLOCKING)
- Check .version matches latest Git tag
- Prevent large files not tracked by LFS
- Prevent committing CodeQL DB artifacts
- Prevent committing data/backups files
- Frontend TypeScript Check
- Frontend Lint (Fix)
6a. Trivy Filesystem Scan
- Status: PASS
- Scanned
backend/andfrontend/directories: 0 CRITICAL, 0 HIGH - Full workspace scan found 3 CRITICAL + 14 HIGH across Go module cache dependencies (not project code)
- Trivy misconfig scanner crashed (known Trivy bug in ansible parser — nil pointer dereference in
discovery.go:82). Vuln scanner completed successfully.
6b. Docker Image Scan
- Status: WARN (not blocking — upstream dependency)
- Image:
charon:local - 1 HIGH finding:
- CVE-2026-25793 —
github.com/slackhq/nebulav1.9.7 (inusr/bin/caddybinary) - Description: Blocklist evasion via ECDSA Signature Malleability
- Fixed in: v1.10.3
- Impact: Caddy transitive dependency, not Charon code
- CVE-2026-25793 —
- Remediation: Upgrade Caddy to a version that pulls nebula ≥ 1.10.3 when available
6c. CodeQL Scans
- Status: PASS
- Go: 0 errors, 0 warnings
- JavaScript: 0 errors, 0 warnings (347/347 files scanned)
- SARIF outputs:
codeql-results-go.sarif,codeql-results-javascript.sarif
7. GORM Security Scan
- Status: PASS
- Scanned: 41 Go files (2207 lines), 2 seconds
- 0 CRITICAL, 0 HIGH, 0 MEDIUM
- 2 INFO suggestions:
backend/internal/models/user.go:109—UserPermittedHost.UserIDmissing indexbackend/internal/models/user.go:110—UserPermittedHost.ProxyHostIDmissing index
8. Go Vulnerability Check
- Status: PASS
govulncheck ./...— No vulnerabilities found
Gotify Token Security Review
- No Gotify tokens found in logs, test artifacts, or API examples
- No tokenized URL query parameters exposed in diagnostics or output
- Token handling follows
json:"-"pattern (verified viaHasTokencomputed field approach in PR)
Recommendation
GO / NO-GO: GO (conditional)
All blocking gates pass. Two advisory warnings exist:
- Patch coverage (79.5% overall, 78.3% backend) is below advisory thresholds but not a blocking gate per current policy
- Docker image has 1 HIGH CVE in Caddy's transitive dependency (nebula) — upstream fix required, not actionable in Charon code
Conditions:
- Track nebula CVE-2026-25793 remediation as a follow-up issue when a Caddy update incorporates the fix
- Consider adding targeted tests for uncovered changed lines in notification service/handler to improve patch coverage