fix: wave 5 - security hardening, CI permissions, and test health#280

Merged
jongio merged 2 commits into
mainfrom
swarm/wave-5-quality-tests
May 19, 2026
Conversation

@jongio jongio commented May 19, 2026

Wave 5: Security, CI, and Test Health

Issues Resolved

Security Fixes (#270)

  • CRITICAL: Fix `pr-build.yml` `pull_request_target` vulnerability (checkout uses base SHA now)
  • CRITICAL: Add command allowlist in `reqs.go` for `exec.CommandContext` calls
  • HIGH: Harden dashboard `sanitizeHtml()` to block `<iframe>`, `<object>`, `<embed>`, `<base>`, `<link>`
  • HIGH: Fix CodeQL workflow: remove `continue-on-error`, enable SARIF upload
  • HIGH: Add explicit `permissions: contents: read` to ci.yml and release.yml jobs

CI/Config Fixes (#270)

  • Pin `govulncheck` to `@v1.1.4` in scheduled workflow
  • Enforce codecov patch coverage at 60% (was informational-only)
  • Add `timeout-minutes: 30` to sync-demo-template smoke-test
  • Note extension.yaml vs registry.json version discrepancy

Test Health (#275)

  • Replace `time.Sleep` with `require.Eventually` in state_monitor_test.go and pipeline_test.go
  • Add `t.Parallel()` to table-driven tests in logbuffer_context_test.go and query_builder_test.go

Deferred (requires manual review)

  • Remaining 37 test files with time.Sleep (incremental improvement)
  • Adding missing test coverage for service_process.go, detector_commands.go
  • Raising codecov coverage threshold (currently 40% floor)

Closes #270, #275
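The `reqs.go` allowlist is named in the description but not shown. The following is an added example, not the project's code, of how an allowlist check in front of `exec.CommandContext` can be written in Go; the permitted binary names (`azd`, `go`, `npm`) and the function names are constructed for this illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// allowedCommands is the allowlist of binaries this code may spawn.
// The entries are constructed for this example; a real project lists
// only the tools it actually invokes.
var allowedCommands = map[string]bool{
	"azd": true,
	"go":  true,
	"npm": true,
}

// ErrCommandNotAllowed is returned for any binary outside the allowlist.
var ErrCommandNotAllowed = errors.New("command not in allowlist")

// checkCommand validates a command name before it reaches os/exec.
// Only a bare binary name is accepted: a path separator or a name that
// is not its own base name is rejected, so the allowlist cannot be
// bypassed with a relative or absolute path such as "../go".
func checkCommand(name string) error {
	if name == "" || name != strings.TrimSpace(name) {
		return fmt.Errorf("%w: empty or padded name %q", ErrCommandNotAllowed, name)
	}
	if strings.ContainsAny(name, `/\`) || filepath.Base(name) != name {
		return fmt.Errorf("%w: path components not permitted in %q", ErrCommandNotAllowed, name)
	}
	if !allowedCommands[name] {
		return fmt.Errorf("%w: %q", ErrCommandNotAllowed, name)
	}
	return nil
}

// safeCommandContext wraps exec.CommandContext and applies the allowlist
// first. Arguments are passed verbatim (no shell is involved), and the
// binary is only resolved on PATH after the name has been allowlisted.
func safeCommandContext(ctx context.Context, name string, args ...string) (*exec.Cmd, error) {
	if err := checkCommand(name); err != nil {
		return nil, err
	}
	return exec.CommandContext(ctx, name, args...), nil
}

func main() {
	for _, name := range []string{"go", "sh", "../go", "/usr/bin/go"} {
		_, err := safeCommandContext(context.Background(), name, "version")
		fmt.Printf("%-12s -> %v\n", name, err)
	}
}
```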


github-actions Bot commented May 19, 2026

🚀 Website Preview

Your PR preview was available here.

Preview has been cleaned up as the PR was closed.

github-actions Bot added a commit that referenced this pull request May 19, 2026
jongio and others added 2 commits May 19, 2026 10:28
Security (#270):
- Fix pr-build.yml pull_request_target to checkout base SHA
- Add command allowlist validation in reqs.go for exec.CommandContext
- Harden dashboard sanitizeHtml against iframe/object/embed/base/link XSS
- Fix codeql.yml: remove continue-on-error, enable SARIF upload
- Add explicit permissions blocks to ci.yml and release.yml
- Pin govulncheck to v1.1.4 in govulncheck.yml
- Enforce codecov patch coverage at 60%
- Add timeout-minutes to sync-demo-template smoke-test
- Note extension.yaml vs registry.json version discrepancy

Test health (#275):
- Replace time.Sleep with require.Eventually in state_monitor_test.go
- Replace time.Sleep in notifications/pipeline_test.go
- Add t.Parallel() to logbuffer_context_test.go and query_builder_test.go

Closes #270, #275

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add pnpm.overrides to web/package.json to match lockfile yaml security fix
- Fix dashboard-dist artifact path in ci.yml: cli/dashboard/dist/ → cli/src/internal/dashboard/dist/ (matches vite outDir and Go embed)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio jongio force-pushed the swarm/wave-5-quality-tests branch 2 times, most recently from f8a858e to b86e01e May 19, 2026 17:28
@jongio jongio merged commit 19c6586 into main May 19, 2026
7 of 9 checks passed
github-actions Bot added a commit that referenced this pull request May 19, 2026
Development

Successfully merging this pull request may close these issues.

full quality audit: findings for azd-app

1 participant