akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
98cf52ff579efcc514a428d43b64f8d031b625ca
Charon/docs/reports/qa_report.md
GitHub Actions 98cf52ff57 fix: upgrade supply-chain workflow to use modern grype binary 
Replaced anchore/scan-action with manual grype v0.107.1 installation
Explicitly output scan results to avoid "file not found" errors
Updated parsing logic to read generated grype-results.json directly
Ensures latest vulnerability definitions are used for PR checks
2026-02-06 08:42:49 +00:00

12 KiB
Raw Blame History

QA Report - Supply Chain Workflow Audit

Date: February 6, 2026 Target: .github/workflows/supply-chain-pr.yml Trigger: Manual Lint Request Auditor: QA Security Engineer (Gemini 3 Pro)

1. Executive Summary

A manual audit and linting session was performed on the supply-chain-pr.yml workflow. Critical logic errors were identified that would have prevented the workflow from correctly downloading artifacts during a PR event. Security vulnerabilities related to script injection were also mitigated.

Status: 🟡 REMEDIATED (Issues found and fixed)

2. Findings & Remediation

A. Logic Error: Circular Dependency

  • Severity: 🔴 CRITICAL
  • Issue: The steps "Download PR image artifact" and "Load Docker image" conditionally depended on steps.set-target.outputs.image_name. However, the set-target step is defined after these steps in the workflow execution order.
  • Impact: These steps would invariably evaluate to false or crash, causing the workflow to skip image verification for PRs.
  • Fix: Updated the conditions to depend on steps.check-artifact.outputs.artifact_found == 'true', which is correctly populated by the preceding step.

B. Security: Script Injection Risk

  • Severity: 🟠 HIGH
  • Issue: User-controlled inputs (github.head_ref, inputs.pr_number) were used directly in inline scripts (run blocks).
  • Impact: A malicious branch name or PR number could potentially execute arbitrary commands in the runner environment.
  • Fix: Mapped all user inputs to environment variables (env block) and referenced them via shell variables (e.g., ${BRANCH_NAME}) instead of template injection.

C. Syntax & Linting

  • Tool: actionlint
  • Result: Identified the logic errors and security warnings mentioned above.
  • Status: All reported errors logic/security errors addressed. Shellcheck style warnings (redirects) noted but lower priority.

D. Security Scan (Trivy)

  • Tool: trivy fs
  • Command: trivy fs --scanners secret,misconfig .github/workflows/supply-chain-pr.yml
  • Result: PASS
    • No secrets detected.
    • No infrastructure misconfigurations detected by Trivy policies.

3. Verification

The workflow file has been updated with the fixes. It is recommended to trigger a test run (via PR or workflow_dispatch) to verify the runtime behavior.

QA Report - Phase 6 Audit (Playwright Config Update)

Date: February 6, 2026 Trigger: Update of playwright.config.js to separate and sequence security tests. Auditor: QA Security Engineer (Gemini 3 Pro)

1. Executive Summary

The Phase 6 Audit was performed to validate the new Playwright configuration which splits security tests into a separate project that runs prior to standard browser tests.

Status: 🔴 FAILED

While the configuration successfully enforced the execution order (security tests ran first), the security tests themselves failed due to authentication issues in the test environment. This failure, combined with the new dependency structure, caused the majority of the standard E2E suite (1964 tests) to be skipped.

Security scans identified 1 High-severity misconfiguration in the Dockerfile and 2 High-severity vulnerabilities in the container base image.

2. E2E Test Execution Analysis

Execution Order Verification

  • Result: Verified
  • Observation: The security-tests project executed before chromium, firefox, and webkit projects as configured.

Test Results

  • Total Tests Run: 219
  • Passed: 201
  • Failed: 18
  • Skipped / Not Run: 1,964
  • Pass Rate: ~9% (of total suite) / 91% (of executed tests)

Failure Analysis

The 18 failed tests were all within the security-tests project. The failures were consistent 401 Unauthorized errors during test setup/teardown helpers.

Key Error:

Failed to enable Cerberus: Error: Failed to set cerberus to true: 401 {"error":"Authorization header required"}

Impacted Areas:

  1. Security Helpers: setSecurityModuleEnabled(), getSecurityStatus(), configureAdminWhitelist() in tests/utils/security-helpers.ts.
  2. Tests:
    • security-enforcement/acl-enforcement.spec.ts
    • security-enforcement/combined-enforcement.spec.ts
    • security-enforcement/crowdsec-enforcement.spec.ts
    • security-enforcement/rate-limit-enforcement.spec.ts
    • security-enforcement/waf-enforcement.spec.ts
    • security/acl-integration.spec.ts (Also failed finding UI modals)

Root Cause Hypothesis: The test environment (charon-e2e container) requires authentication for the management API (/api/v1/security/*), but the test helper functions are failing to provide a valid Authorization header or session cookie in the current context.

Blocking Issue: Because chromium etc. depend on security-tests, the failure of the security suite prevented the standard browser tests from running.

3. Security Scan Findings

Trivy Filesystem Scan

  • Command: trivy fs /projects/Charon --skip-dirs .cache
  • Findings:
    • Dockerfile: 1 🔴 HIGH Misconfiguration
      • ID: DS-0002
      • Message: "Image user should not be 'root'"
      • Resolution: Add USER <non-root> instruction.

Trivy Docker Image Scan

  • Target: charon:local (Debian 13.3)
  • Findings:
    • Total: 2 🔴 HIGH Vulnerabilities
    • CVE-2026-0861 (libc-bin, libc6): Integer overflow in memalign leading to heap corruption.
    • Status: Fix available in upstream Debian (upgrade required).

4. Recommendations & Next Steps

Immediate Actions (Blockers)

  1. Fix Test Authentication: Investigate tests/utils/security-helpers.ts. Ensure it properly authenticates (e.g., logs in via UI or uses a valid API token) before attempting to configure security modules. Inspect .env usage in the E2E container.
  2. Fix UI Interaction: Investigate waitForModal failures in acl-integration.spec.ts. The UI might have changed, breaking the locator "/edit|proxy/i".

Security Remediation

  1. Dockerfile Hardening: implementation of a non-root user in the Dockerfile.
  2. Base Image Update: Re-pull the base image (debian:bookworm-slim or equivalent) to pick up the patch for CVE-2026-0861, or ensure apt-get upgrade runs during build.

Configuration Adjustment

  • Consider Fail-Open for Dev: While serial execution is good for CI, consider if local development requires dependencies: ['security-tests'] to be strict, or if we can allow specific headers/tokens to bypass this for easier debugging.

5. Conclusion

The separation of security tests is sound, but the current state of the security test suite is unstable. Prioritize fixing the 401 errors in the security helpers to unblock the rest of the E2E suite.

QA Report: Project Health Check (Previous)

Date: 2026-02-05 Version: v0.18.13 Scope: Full project health check via pre-commit hooks and YAML validation.

Executive Summary

Category Status Details
YAML Syntax PASS All YAML files are valid
Pre-commit Hooks PASS All hooks passed (after version fix)
Version Sync PASS .version synced with git tag v0.18.13
File Consistency PASS No trailing whitespace or end-of-file issues
LFS Usage PASS No untracked large files

Overall Status: APPROVED - The codebase is clean and compliant with all quality gates.

1. YAML Syntax Validation

Results

  • Status: PASS
  • Command: pre-commit run check-yaml --all-files
  • Output:
check yaml...............................................................Passed

Analysis

  • All YAML files (workflows, config, docker-compose) are syntactically correct.
  • No parsing errors detected.

2. Pre-commit Hook Validation

Results

  • Status: PASS
  • Command: pre-commit run --all-files (alias qa-precommit-all)
  • Issues Found:
    • Initial Run: FAIL - .version (v0.17.1) did not match Git tag (v0.18.13).
    • Resolution: Updated .version file to v0.18.13.
    • Final Run: PASS

Hook Details

Hook Status Notes
fix end of files Pass
trim trailing whitespace Pass
check yaml Pass
check for added large files Pass
dockerfile validation Pass
Go Vet Pass
golangci-lint (Fast) Pass
Check .version matches tag Pass Fixed: synced to v0.18.13
LFS large files check Pass
Prevent CodeQL DB commits Pass
Prevent data/backups commits Pass
Frontend TypeScript Check Pass
Frontend Lint (Fix) Pass

3. Version Synchronization

Issue Detected

The .version file contained v0.17.1 while the latest git tag was v0.18.13, causing the version check hook to fail.

Remediation

Executed:

echo "v0.18.13" > /projects/Charon/.version

This aligns the project version file with the source control tag.

4. Final Verification

A final run of all checks confirmed the project is in a consistent state:

fix end of files.........................................................Passed
trim trailing whitespace.................................................Passed
check yaml...............................................................Passed
check for added large files..............................................Passed
dockerfile validation....................................................Passed
Go Vet...................................................................Passed
golangci-lint (Fast Linters - BLOCKING)..................................Passed
Check .version matches latest Git tag....................................Passed
Prevent large files that are not tracked by LFS..........................Passed
Prevent committing CodeQL DB artifacts...................................Passed
Prevent committing data/backups files....................................Passed
Frontend TypeScript Check................................................Passed
Frontend Lint (Fix)......................................................Passed

5. Recommendations

  1. Commit Changes: Commit the updated .version file.
  2. Proceed: The codebase is ready for further development or release processes.

QA Report generated: 2026-02-05 Agent: QA Security Engineer Validation Type: Health Check

QA Report - Style & Syntax Validation (Automated)

Date: February 6, 2026 Target: .github/workflows/supply-chain-pr.yml Trigger: Manual validation request Auditor: QA Security Engineer (Gemini 3 Pro)

1. Syntax & Style (Yamllint)

Command: yamllint .github/workflows/supply-chain-pr.yml Status: ⚠️ WARNINGS

Findings

  • Line Length: Multiple violations of 80-character limit.

    • Context: Most violations are within run scripts or conditional if expressions.
    • Impact: Style only. Does not affect execution validity.
    • Decision: Accept Risk. Maintaining readability of inline bash scripts and complex GitHub Actions expressions is prioritized over strict line wrapping.

  • Boolean Values: Warning: truthy value should be one of [false, true] at line 5 (cancel-in-progress: true).

    • Context: Yamllint prefers precise boolean strictness.
    • Impact: None. GitHub Actions parser handles this correctly.

2. Logic Verification

  • Artifact Handling: Verified correct flow for workflow_run events.
    • Skip if no artifact correctly exits job early.
    • Set Target Image correctly depends on execution path.
  • Filename Consistency: Verified charon-pr-image.tar expectation matches docker-build.yml artifact generation.

3. Security Scan (Trivy)

Command: trivy fs --scanners secret,misconfig .github/workflows/supply-chain-pr.yml Status: PASS

  • Secrets: No hardcoded secrets detected.
  • Misconfigurations: No significant infrastructure misconfigurations found by Trivy policies.

4. Conclusion

The workflow file is syntactically valid and logically sound. Style warnings from yamllint are noted but considered non-blocking for functionality.

Reference in New Issue View Git Blame Copy Permalink