6.6 KiB
6.6 KiB
QA/Security DoD Audit Report — Issue #929
Date: 2026-04-21 Repository: /projects/Charon Branch: feature/beta-release Scope assessed: backend/internal/services/docker_service.go (SA1019 fix) and mandatory DoD QA/Security gates
Final Recommendation
FAIL
Reason: DoD is blocked by failing mandatory gates (Playwright E2E first, frontend coverage, pre-commit version check).
Gate Summary
| # | DoD Gate | Status | Notes |
|---|---|---|---|
| 1 | Playwright E2E first | FAIL | Mandatory e2e rebuild repeatedly failed (docker build ... context canceled); fallback Firefox run failed auth (tests/auth.setup.ts login 401) |
| 2 | GORM security scan (conditional) | PASS (proactive run) | Scope does not touch models/migrations; scanner still executed: 0 Critical, 0 High, 0 Medium, 2 Info |
| 3a | Backend coverage | PASS | scripts/go-test-coverage.sh: 91.6% statements, artifact backend/coverage.txt |
| 3b | Frontend coverage | FAIL | scripts/frontend-test-coverage.sh: tests pass but coverage run exits non-zero due ENOENT frontend/coverage/.tmp/coverage-151.json |
| 4 | Local patch coverage report | PASS | scripts/local-patch-report.sh exit 0; artifacts generated; patch report shows 0 changed lines / 100% |
| 5 | Frontend type check | PASS | npm run type-check (tsc --noEmit) passes |
| 6 | Pre-commit hooks | FAIL | lefthook run pre-commit --all-files fails at check-version-match (.version v0.21.0 vs latest tag v0.27.0) |
| 7a | Trivy filesystem scan | PASS | security-scan-trivy: 0 vulnerabilities, 0 secrets findings |
| 7b | Docker image scan | PASS | security-scan-docker-image: 0 Critical, 0 High, 4 Medium |
| 7c | CodeQL Go + JS | PASS | Go: 0 errors; JS: 0 errors; no blocking findings |
| 8 | Lint/build checks | PASS | make lint-fast 0 issues, go build ./... pass, npm run build pass, go vet ./... pass |
Explicit SA1019 Verification
Status: RESOLVED
Evidence:
lefthook run pre-commit --all-filesoutput contains noSA1019occurrences.golangci-lint-fastpasses with 0 issues.- Root lint gate
make lint-fastpasses with 0 issues.
Conclusion: The deprecation warning SA1019 for the Issue #929 fix scope is no longer present in current lint/static analysis output.
Detailed Evidence
1) Playwright E2E first
Execution path:
- Attempted mandatory rebuild:
/projects/Charon/.github/skills/scripts/skill-runner.sh docker-rebuild-e2e --clean --no-cache - Result: repeated Docker build cancellation (
failed to solve: Canceled: context canceled) - Fallback run against available container:
npx playwright test -c /projects/Charon/playwright.config.js --project=firefox- Then with explicit base URL:
PLAYWRIGHT_BASE_URL=http://127.0.0.1:8787 ... - Result: 1 failed, 722 not run
- Failing spec:
tests/auth.setup.ts(authenticate), errorLogin failed: 401 - {"error":"invalid credentials"}
Gate disposition: FAIL (mandatory first gate not passing).
2) GORM scan (conditional)
Execution:
./scripts/scan-gorm-security.sh --check
Result:
- Exit code 0
- Critical 0, High 0, Medium 0, Info 2
- Info items are index recommendations in
backend/internal/models/user.go(non-blocking).
Gate disposition: PASS (proactively executed for audit completeness).
3) Coverage gates
Backend:
- Command:
bash scripts/go-test-coverage.sh - Result: PASS
- Coverage: 91.6%
- Artifact:
backend/coverage.txt
Frontend:
- Command:
bash scripts/frontend-test-coverage.sh - Test execution summary: 147 files passed, 5 skipped; 2035 tests passed, 90 skipped
- Final result: FAIL due unhandled rejection / filesystem error:
ENOENT: no such file or directory, open '/projects/Charon/frontend/coverage/.tmp/coverage-151.json'
- Command exit code: 1
- Artifact exists but gate is failing due non-zero exit.
Gate disposition: Backend PASS, Frontend FAIL.
4) Local patch coverage report
Execution:
bash scripts/local-patch-report.sh
Result:
- Exit code 0
- Artifacts present:
test-results/local-patch-report.mdtest-results/local-patch-report.json
- Patch summary: 0 changed lines, reported 100%
Gate disposition: PASS.
5) Frontend type check
Execution:
cd frontend && npm run type-check
Result:
- PASS (
tsc --noEmitexit 0)
6) Pre-commit hooks
Execution:
cd backend && lefthook run pre-commit --all-files
Result:
- FAIL at
check-version-match - Failure detail:
.versionreports v0.21.0 while latest tag is v0.27.0 - Important: no SA1019 in output; fast lint/static checks are green
Gate disposition: FAIL.
7) Security scans
Trivy filesystem:
- Command:
/projects/Charon/.github/skills/scripts/skill-runner.sh security-scan-trivy - Summary table reports zero vulnerabilities and zero secrets findings for scanned manifests/text targets
- Result: PASS
Docker image scan:
- Command:
/projects/Charon/.github/skills/scripts/skill-runner.sh security-scan-docker-image - Result: PASS
- Vulnerability summary: Critical 0, High 0, Medium 4, Low 0
CodeQL Go:
- Command:
/projects/Charon/.github/skills/scripts/skill-runner.sh security-scan-codeql go summary - Result: PASS (0 errors, 0 warnings, 0 notes)
CodeQL JavaScript:
- Command:
/projects/Charon/.github/skills/scripts/skill-runner.sh security-scan-codeql javascript summary - Result: PASS (0 errors, 0 warnings, 0 notes)
Gotify token exposure review:
- No active tokenized URLs or secret tokens were found in generated scan outputs during this rerun.
8) Lint/build checks
Execution:
make lint-fast(repo root) -> PASS (0 issues)cd backend && go build ./...-> PASScd frontend && npm run build-> PASScd backend && go vet ./...-> PASS
Gate disposition: PASS.
Remaining Non-Blocking Issues
- GORM scanner reports 2 informational index recommendations in
backend/internal/models/user.go(performance-oriented, not security-blocking). - Docker image scan still contains 4 Medium vulnerabilities (no Critical/High).
- Frontend test output contains warning noise (React key warning, CrowdSec query undefined warnings) but these are not current blocking gates by themselves.
Blocking Issues
- Playwright E2E-first gate failing:
- e2e rebuild repeatedly canceled during Docker build, and fallback Firefox auth setup fails with 401.
- Frontend coverage gate failing:
- coverage post-processing aborts with missing
.tmpcoverage file (ENOENT).
- coverage post-processing aborts with missing
- Pre-commit gate failing:
check-version-matchmismatch between.versionand latest git tag.
Decision
Overall DoD decision for Issue #929: FAIL
Promotion recommendation: Do not approve/merge as DoD-complete until the three blocking gates above are remediated and rerun successfully.