Charon/docs/reports/qa_report.md

QA Report: Integration Script Port Fix & curl→wget Remediation

Date: 2026-03-14 Branch: feature/beta-release Scope: 6 shell scripts in scripts/ — one-line changes each Reviewer: QA Security Agent

---

Overall Verdict: PASS

All 6 modified scripts pass syntax validation, ShellCheck, pre-commit hooks, verification greps, security review, and Trivy scanning. No new issues were introduced. The changes are minimal, correct, and safe for merge.

---

Change Summary

File	Change	Line
scripts/cerberus_integration.sh	Add -e PORT=80 to docker run ... mccutchen/go-httpbin	L174
scripts/waf_integration.sh	Add -e PORT=80 to docker run ... mccutchen/go-httpbin	L167
scripts/rate_limit_integration.sh	Add -e PORT=80 to docker run ... mccutchen/go-httpbin	L187
scripts/coraza_integration.sh	Add -e PORT=80 to docker run ... mccutchen/go-httpbin	L158
scripts/crowdsec_startup_test.sh	Replace curl -sf with wget -qO - in docker exec	L179
scripts/diagnose-test-env.sh	Replace curl -sf with wget -qO /dev/null in docker exec	L104

---

Gate Summary

#	Gate	Result	Details
1	Syntax Validation (bash -n)	PASS	All 6 scripts parse cleanly
2	ShellCheck (error severity)	PASS	0 errors; matches lefthook --severity=error
3	ShellCheck (all severities)	PASS	No findings on any modified line; all findings pre-existing
4	Pre-commit Hooks (lefthook)	PASS	All 6 hooks passed (shellcheck, actionlint, yaml, whitespace, eof, dockerfile)
5	Verification: go-httpbin PORT	PASS	4/4 docker run lines have -e PORT=80
6	Verification: docker exec curl	PASS	0 executed curl calls; 2 echo-only references (hints)
7	Security Review	PASS	No secrets, credentials, injection vectors, or Gotify tokens
8	Trivy Filesystem Scan	PASS	0 secrets, 0 misconfigurations

---

1. Syntax Validation (bash -n)

Script	Result
scripts/cerberus_integration.sh	PASS
scripts/waf_integration.sh	PASS
scripts/rate_limit_integration.sh	PASS
scripts/coraza_integration.sh	PASS
scripts/crowdsec_startup_test.sh	PASS
scripts/diagnose-test-env.sh	PASS

---

2. ShellCheck

At error severity (--severity=error, matching lefthook pre-commit)

Result: PASS — Zero errors across all 6 scripts. Exit code 0.

At default severity (full informational audit)

Exit code 1 (findings present, all note or warning severity).

Script	Findings	Severity	On Modified Lines?
cerberus_integration.sh	2× SC2086 (unquoted variable)	note	No (L204, L219)
waf_integration.sh	~30× SC2317 (unreachable code in trap), 3× SC2086	note	No
rate_limit_integration.sh	9× SC2086	note	No
coraza_integration.sh	10× SC2086, 2× SC2034 (unused variable)	note/warning	No
crowdsec_startup_test.sh	~10× SC2317, 1× SC2086	note	No
diagnose-test-env.sh	1× SC2034 (unused variable)	warning	No

No ShellCheck findings on any of the 6 modified lines. All findings are pre-existing.

---

3. Pre-commit Hooks (lefthook)

Ran lefthook run pre-commit:

Hook	Result	Duration
check-yaml	PASS	1.93s
actionlint	PASS	4.36s
end-of-file-fixer	PASS	9.23s
trailing-whitespace	PASS	9.49s
dockerfile-check	PASS	10.41s
shellcheck	PASS	11.24s

Hooks for Go, TypeScript, and Semgrep correctly skipped (no matching files).

---

4. Verification Greps

4a. All mccutchen/go-httpbin docker run instances have -e PORT=80

scripts/cerberus_integration.sh:174:  docker run ... -e PORT=80 mccutchen/go-httpbin
scripts/waf_integration.sh:167:       docker run ... -e PORT=80 mccutchen/go-httpbin
scripts/rate_limit_integration.sh:187:docker run ... -e PORT=80 mccutchen/go-httpbin
scripts/coraza_integration.sh:158:    docker run ... -e PORT=80 mccutchen/go-httpbin

Remaining mccutchen/go-httpbin matches are docker pull lines (no -e PORT needed).

Result: PASS — 4/4 confirmed.

4b. Zero executed docker exec ... curl calls

Only 2 matches found in scripts/verify_crowdsec_app_config.sh (L94–95) — both inside echo statements (user hint text, not executed). Confirmed by manual review.

Result: PASS — 0 executed docker exec ... curl calls.

---

5. Security Review

Check	Result	Notes
Secrets/credentials in diff	PASS	`git diff
Gotify tokens	PASS	grep -rn "Gotify|gotify|token=" across all 6 scripts — no matches
Injection vectors	PASS	-e PORT=80 is a static literal; no user-controlled input flows into new code
Command injection	PASS	wget -qO flags are hardcoded; no interpolated user input
SSRF	N/A	URLs are internal container addresses (127.0.0.1, localhost) in CI-only scripts
Sensitive data in logs	PASS	No new log/echo statements added
URL query parameters	PASS	No tokenized URLs (e.g., ?token=...) in changed or adjacent code

---

6. Trivy Filesystem Scan

Scanners: secret,misconfig. Severity filter: CRITICAL,HIGH,MEDIUM.

Target	Type	Secrets	Misconfigurations
backend/go.mod	gomod	—	—
frontend/package-lock.json	npm	—	—
package-lock.json	npm	—	—
Dockerfile	dockerfile	—	0
playwright/.auth/user.json	text	0	—

Result: 0 findings. Exit code 0.

---

7. Scope Exclusions

Check	Excluded?	Justification
E2E Playwright tests	Yes	Scripts are CI-only; no UI changes
Backend unit coverage	Yes	No Go code changes
Frontend unit coverage	Yes	No TypeScript/React changes
Docker image scan	Yes	No Dockerfile or image changes
CodeQL	Yes	No Go or JavaScript changes
GORM security scan	Yes	No model/database changes
Local patch coverage report	Yes	No application code; scripts not coverage-tracked

---

8. Pre-existing Issues (Not Introduced by This Change)

Category	Count	Scripts Affected	Risk
SC2086 (unquoted variables)	~25	All 6	Low — CI-controlled variables
SC2317 (unreachable code)	~40	waf, crowdsec	None — trap cleanup functions (ShellCheck false positive)
SC2034 (unused variables)	3	coraza, diagnose	Low — may be planned for future use

---

Remaining Validation (CI)

The integration scripts cannot be executed locally without a built charon:local image and Docker network. Full end-to-end validation will occur when the PR triggers CI:

• .github/workflows/cerberus-integration.yml
• .github/workflows/waf-integration.yml
• .github/workflows/rate-limit-integration.yml
• .github/workflows/crowdsec-integration.yml