akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity
Files
1189fa59b6dd208df18bc5175d8efa09549ced32
Charon/docs/reports/qa_report.md

4.0 KiB
Raw Blame History

QA/Security Validation Report - PR1 Remediation Branch

Date: 2026-02-19 Scope: Mandatory QA/security gates for PR1 remediation in /projects/Charon.

Gate Results (Required Sequence)

# Gate Command(s) Status Evidence / Artifacts
1 E2E prerequisite rebuild decision git --no-pager diff --name-only + docker ps -a + /projects/Charon/.github/skills/scripts/skill-runner.sh docker-rebuild-e2e PASS Runtime-impacting changes detected in backend/** and frontend/**; E2E env rebuilt successfully; container charon-e2e healthy
2a Playwright targeted verification (notifications) npx playwright test tests/settings/notifications.spec.ts tests/security/security-dashboard.spec.ts --project=firefox PASS 28 passed (1.3m) for notifications suite
2b Security-project equivalent (required due config exclusion) npx playwright test tests/security/security-dashboard.spec.ts --project=firefox --list then npx playwright test tests/security/security-dashboard.spec.ts --project=security-tests PASS Firefox listing returned No tests found because tests/security/** is ignored for firefox project; equivalent security-tests run passed 10 passed (27.7s)
3 Local patch coverage preflight bash scripts/local-patch-report.sh PASS Artifacts verified: test-results/local-patch-report.md, test-results/local-patch-report.json
4 Backend coverage/tests /projects/Charon/.github/skills/scripts/skill-runner.sh test-backend-coverage PASS First attempt blocked by missing CHARON_ENCRYPTION_KEY; rerun with generated valid key passed. Coverage: statements 87.2%, lines 87.6%, gate min 85%
5a Frontend coverage/tests /projects/Charon/.github/skills/scripts/skill-runner.sh test-frontend-coverage PASS Coverage summary: statements 87.68%, lines 88.58%, gate PASS vs min 85%
5b Frontend type-check cd frontend && npm run type-check PASS tsc --noEmit completed with no TS errors
6 Pre-commit fast hooks pre-commit run --all-files FAIL Hook check-version-match failed: .version (v0.18.13) does not match latest Git tag (v0.19.0)
7a Trivy filesystem scan /projects/Charon/.github/skills/scripts/skill-runner.sh security-scan-trivy PASS Report summary shows 0 vulnerabilities and 0 secrets across scanned targets
7b Docker image scan (CI-aligned skill) /projects/Charon/.github/skills/scripts/skill-runner.sh security-scan-docker-image FAIL Grype summary: Critical 0, High 1, Total 14; skill exits failure on High/Critical policy
7c CodeQL Go CI-aligned Task: Security: CodeQL Go Scan (CI-Aligned) [~60s] PASS Completed; output file codeql-results-go.sarif
7d CodeQL JS CI-aligned Task: Security: CodeQL JS Scan (CI-Aligned) [~90s] PASS Completed; output file codeql-results-js.sarif
7e CodeQL High/Critical validation pre-commit run --hook-stage manual codeql-check-findings --all-files PASS No security issues found in go code and No security issues found in js code

Security Blocker Details

Docker Image Scan Failure (Blocking)

  • Source artifact: grype-results.json
  • Unresolved high/critical findings:
Severity ID Package Installed Fixed Version
High GHSA-69x3-g4r3-p962 github.com/slackhq/nebula v1.9.7 1.10.3

Notes on Non-Run/Blocked Conditions

  • No gate was skipped.
  • One intermediate command was blocked by environment precondition and immediately remediated:
    • Backend coverage initial failure: Error: CHARON_ENCRYPTION_KEY is required for backend tests.
    • Workaround used: set a valid generated base64 32-byte key, then reran backend coverage successfully.

Final Verdict

  • Overall Result: FAIL
  • Failing gates:
    1. pre-commit run --all-files (check-version-match)
    2. Docker image security gate (security-scan-docker-image) due unresolved High vulnerability
Reference in New Issue View Git Blame Copy Permalink