11 KiB
Manual Test Plan: CodeQL CI Alignment
Test Date: December 24, 2025 Feature: CodeQL CI/Local Execution Alignment Target Release: Next release after implementation merge Testers: Development team, QA, Security reviewers
Test Objective
Validate that local CodeQL scans match CI execution and that developers can catch security issues before pushing code.
Prerequisites
- Implementation merged to main branch
- CodeQL CLI installed (minimum v2.17.0)
- Check version:
codeql version - Upgrade if needed:
gh codeql set-version latest
- Check version:
- Pre-commit installed:
pip install pre-commit - Pre-commit hooks installed:
pre-commit install - VS Code with workspace open
Test Cases
TC1: VS Code Task Execution - Go Scan
Objective: Verify Go CodeQL scan runs successfully with CI-aligned parameters
Steps:
- Open VS Code Command Palette (
Ctrl+Shift+P) - Type "Tasks: Run Task"
- Select
Security: CodeQL Go Scan (CI-Aligned) [~60s] - Wait for completion (~60 seconds)
Expected Results:
- Task completes successfully (no errors)
- Output shows database creation progress
- Output shows query execution progress
- SARIF file generated:
codeql-results-go.sarif - Database created:
codeql-db-go/ - Terminal output includes findings count (e.g., "79 results")
- Uses
security-and-qualitysuite (visible in output)
Pass Criteria: All items checked ✅
TC2: VS Code Task Execution - JavaScript Scan
Objective: Verify JavaScript/TypeScript CodeQL scan runs with CI-aligned parameters
Steps:
- Open VS Code Command Palette
- Type "Tasks: Run Task"
- Select
Security: CodeQL JS Scan (CI-Aligned) [~90s] - Wait for completion (~90 seconds)
Expected Results:
- Task completes successfully
- Output shows database creation for frontend source
- Output shows query execution progress (202 queries)
- SARIF file generated:
codeql-results-js.sarif - Database created:
codeql-db-js/ - Terminal output includes findings count (e.g., "105 results")
- Uses
security-and-qualitysuite
Pass Criteria: All items checked ✅
TC3: VS Code Combined Task
Objective: Verify sequential execution of both scans
Steps:
- Open VS Code Command Palette
- Type "Tasks: Run Task"
- Select
Security: CodeQL All (CI-Aligned) - Wait for completion (~3 minutes)
Expected Results:
- Go scan executes first
- JavaScript scan executes second (after Go completes)
- Both SARIF files generated
- Both databases created
- No errors or failures
- Terminal shows sequential progress
Pass Criteria: All items checked ✅
TC4: Pre-Commit Hook - Quick Security Check
Objective: Verify govulncheck runs on commit
Steps:
- Open terminal in project root
- Make a trivial change to any
.gofile (add comment) - Stage file:
git add <file> - Attempt commit:
git commit -m "test: manual test" - Observe pre-commit execution
Expected Results:
- Pre-commit hook triggers automatically
security-scanstage executesgovulncheckruns on backend code- Completes in < 10 seconds
- Shows "Passed" if no vulnerabilities
- Commit succeeds if all hooks pass
Pass Criteria: All items checked ✅
Note: This is a fast check. Full CodeQL scans are manual stage (next test).
TC5: Pre-Commit Hook - Manual CodeQL Scan
Objective: Verify manual-stage CodeQL scans work via pre-commit
Steps:
- Open terminal in project root
- Run manual stage:
pre-commit run --hook-stage manual codeql-go-scan --all-files - Wait for completion (~60s)
- Run:
pre-commit run --hook-stage manual codeql-js-scan --all-files - Run:
pre-commit run --hook-stage manual codeql-check-findings --all-files
Expected Results:
codeql-go-scanexecutes successfullycodeql-js-scanexecutes successfullycodeql-check-findingschecks SARIF files- All hooks show "Passed" status
- SARIF files generated/updated
- Error-level findings reported (if any)
Pass Criteria: All items checked ✅
TC6: Pre-Commit Hook - Severity Blocking
Objective: Verify that ERROR-level findings block the hook
Steps:
-
Temporarily introduce a known security issue (e.g., SQL injection)
// In any handler file, add: query := "SELECT * FROM users WHERE id = " + userInput -
Run:
pre-commit run --hook-stage manual codeql-go-scan --all-files -
Run:
pre-commit run --hook-stage manual codeql-check-findings --all-files -
Observe output
Expected Results:
- CodeQL scan completes
codeql-check-findingshook FAILS- Error message shows high-severity finding
- Hook exit code is non-zero (blocks commit)
- Error includes CWE number and description
Pass Criteria: Hook fails as expected ✅
Cleanup: Remove test code before proceeding.
TC7: SARIF File Validation
Objective: Verify SARIF files are GitHub-compatible
Steps:
- Run any CodeQL scan (TC1 or TC2)
- Open generated SARIF file in text editor
- Validate JSON structure
- Check for required fields
Expected Results:
- File is valid JSON
- Contains
$schemaproperty - Contains
runsarray with results - Each result has:
ruleId(e.g., "go/sql-injection")level(e.g., "error", "warning")messagewith descriptionlocationswith file path and line number
- Compatible with GitHub Code Scanning API
Pass Criteria: All items checked ✅
TC8: CI Workflow Verification
Objective: Verify CI behavior matches local execution
Steps:
- Create test branch:
git checkout -b test/codeql-alignment - Make trivial change and commit
- Push to GitHub:
git push origin test/codeql-alignment - Open pull request
- Monitor CI workflow execution
- Review security findings in PR
Expected Results:
- CodeQL workflow triggers on PR
- Go and JavaScript scans execute
- Workflow uses
security-and-qualitysuite - Finding count similar to local scans
- SARIF uploaded to GitHub Security tab
- PR shows security findings (if any)
- Workflow summary shows counts and links
Pass Criteria: All items checked ✅
TC9: Documentation Accuracy
Objective: Validate user-facing documentation
Steps:
- Review:
docs/security/codeql-scanning.md - Follow quick start instructions
- Review:
.github/instructions/copilot-instructions.md - Verify Definition of Done section
Expected Results:
- Quick start instructions work as documented
- Command examples are accurate
- Task names match VS Code tasks
- Pre-commit commands execute correctly
- DoD includes security scan requirements
- Links to documentation are valid
Pass Criteria: All items checked ✅
TC10: Performance Validation
Objective: Verify scan execution times are reasonable
Steps:
- Run Go scan via VS Code task
- Measure execution time
- Run JS scan via VS Code task
- Measure execution time
Expected Results:
- Go scan completes in 50-70 seconds
- JS scan completes in 80-100 seconds
- Combined scan completes in 2.5-3.5 minutes
- No memory exhaustion errors
- No timeout errors
Pass Criteria: All times within acceptable range ✅
Regression Tests
RT1: Existing Workflows Unaffected
Objective: Ensure other CI workflows still pass
Steps:
- Run full CI suite on test branch
- Check all workflow statuses
Expected Results:
- Build workflows pass
- Test workflows pass
- Lint workflows pass
- Other security scans pass (Trivy, gosec)
- Coverage requirements met
Pass Criteria: No regressions ✅
RT2: Developer Workflow Unchanged
Objective: Verify normal development isn't disrupted
Steps:
- Make code changes (normal development)
- Run existing VS Code tasks (Build, Test, Lint)
- Commit changes with pre-commit hooks
- Push to branch
Expected Results:
- Existing tasks work normally
- Fast pre-commit hooks run automatically
- Manual CodeQL scans are opt-in
- No unexpected delays or errors
- Developer experience is smooth
Pass Criteria: No disruptions ✅
Known Issues / Expected Findings
Expected CodeQL Findings (as of test date)
Based on QA report, these findings are expected:
Go (79 findings):
- Email injection (CWE-640): 3 findings
- SSRF (CWE-918): 2 findings
- Log injection (CWE-117): 10 findings
- Quality issues: 64 findings (redundant code, missing checks)
JavaScript (105 findings):
- DOM-based XSS (CWE-079): 1 finding
- Incomplete validation (CWE-020): 4 findings
- Quality issues: 100 findings (mostly in minified dist/ bundles)
Note: These are not test failures. They are real findings that should be triaged and addressed in future work.
Test Summary Template
Tester Name: _________________ Test Date: _________________ Branch Tested: _________________ CodeQL Version: _________________
| Test Case | Status | Notes |
|---|---|---|
| TC1: Go Scan | ☐ Pass ☐ Fail | |
| TC2: JS Scan | ☐ Pass ☐ Fail | |
| TC3: Combined | ☐ Pass ☐ Fail | |
| TC4: Quick Check | ☐ Pass ☐ Fail | |
| TC5: Manual Scan | ☐ Pass ☐ Fail | |
| TC6: Severity Block | ☐ Pass ☐ Fail | |
| TC7: SARIF Valid | ☐ Pass ☐ Fail | |
| TC8: CI Match | ☐ Pass ☐ Fail | |
| TC9: Docs Accurate | ☐ Pass ☐ Fail | |
| TC10: Performance | ☐ Pass ☐ Fail | |
| RT1: No Regressions | ☐ Pass ☐ Fail | |
| RT2: Dev Workflow | ☐ Pass ☐ Fail |
Overall Result: ☐ PASS ☐ FAIL
Blockers Found:
- None / List blockers here
Recommendations:
- None / List improvements here
Sign-Off:
- All critical tests passed
- Documentation is accurate
- No major issues found
- Ready for production use
Tester Signature: _________________ Date: _________________
Appendix: Troubleshooting
Issue: CodeQL not found
Solution:
# Install/upgrade CodeQL
gh codeql set-version latest
codeql version # Verify installation
Issue: Predicate compatibility error
Symptom: Error about missing predicates or incompatible query packs
Solution:
# Upgrade CodeQL to v2.17.0 or newer
gh codeql set-version latest
# Clear cache
rm -rf ~/.codeql/
# Re-run scan
Issue: Pre-commit hooks not running
Solution:
# Reinstall hooks
pre-commit uninstall
pre-commit install
# Verify
pre-commit run --all-files
Issue: SARIF file not generated
Solution:
# Check permissions
ls -la codeql-*.sarif
# Check disk space
df -h
# Re-run with verbose output
codeql database analyze --verbose ...
End of Manual Test Plan