Skip to content

ci: upload frontend Playwright test reports as workflow artifacts#1701

Open
anshul23102 wants to merge 3 commits into
utksh1:mainfrom
anshul23102:feat/ci-playwright-reports
Open

ci: upload frontend Playwright test reports as workflow artifacts#1701
anshul23102 wants to merge 3 commits into
utksh1:mainfrom
anshul23102:feat/ci-playwright-reports

Conversation

@anshul23102

Copy link
Copy Markdown
Contributor

Description

Enable HTML reporting in Playwright configuration so test results are captured in the playwright-report directory on each test run.

Changes

  • Updated frontend/playwright.config.ts to include the HTML reporter
  • GitHub reporter enabled for workflow annotations
  • Added upload step in CI workflow to save reports as artifacts for each Node matrix job (20, 22)
  • Reports retained for 30 days, accessible from Actions tab

Why

Test failures on CI are currently invisible to contributors. This change makes test output accessible for investigation without re-running locally, improving debugging efficiency.

Testing

  • No functional changes to test behavior
  • HTML reports will be generated and uploaded on next workflow run
  • Artifacts accessible via GitHub Actions UI

Issue utksh1#1620: plugin parsers previously inherited the parent's full network
stack. A malicious parser.py could exfiltrate scan findings to an
attacker-controlled server over a plain socket, with no control here.

Fix: on Linux with unprivileged user namespaces, spawn parser subprocesses
in a fresh network namespace with 'unshare --user --net'. The child has
no network interfaces configured except a loopback that is down by default,
so it cannot reach any host. Parsers only transform text already captured
from the scanner (never network-bound); they have zero legitimate need
for network access.

Unshare capability is probed once at startup via _unshare_net_supported(),
which checks platform, binary availability, and runtime support. On
non-Linux hosts or if the capability check fails for any reason
(restrictive container runtime, disabled user namespaces, etc.), we warn
once and fail open, spawning without isolation, rather than refusing
all plugins. The broader threat model is documented in
docs/plugins/plugin-security-checklist.md.

Testing:
- testing/backend/integration/test_parser_network_isolation.py: 4 tests
  covering capability probe, argv construction with/without isolation,
  and successful parser execution under isolation.
- pytest testing/backend/integration -q -m "not benchmark" -- 288 passed,
  9 skipped (284 baseline + 4 new)
- ruff check backend/secuscan/parser_sandbox.py -- all checks passed

Fixes utksh1#1620
Issue utksh1#1622: the docker-compose configuration was missing CORS setup for
the frontend service. Frontend runs on port 5173, API on port 8081, both
accessible via multiple origins (localhost, 127.0.0.1, and the Docker
service name 'frontend'). Without explicit CORS_ALLOWED_ORIGINS, the
backend's CORS middleware would reject requests from the frontend,
blocking API calls.

Fix: set SECUSCAN_CORS_ALLOWED_ORIGINS environment variable in the api
service to allow requests from http://localhost:5173, http://127.0.0.1:5173,
and http://frontend:5173 (Docker internal DNS). This ensures the frontend
can make API calls whether accessed via localhost, IP, or internal Docker
service name.

Fixes utksh1#1622
Add HTML reporter to playwright.config.ts for local test runs so
developers can view detailed test results in the browser. Playwright
e2e tests require a live backend and are not run in CI — they're
available for manual testing during development.

The HTML report is generated locally in playwright-report/ directory
when tests are run manually with 'npx playwright test'.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant