Testing Strategy - DTS-STN/sc-digital-centre GitHub Wiki
There are multiple phases (push, pull request), types (unit, end-to-end, etc.), and tools (Jest, Cypress, etc.) being used in our testing strategy. This strategy is based on the Branching Strategy, so it's important to understand that first.
Test suite
Type of test | Technology | Additional Notes |
---|---|---|
Lint | Next | |
Unit | Jest | Also performs some automated accessibility checks. |
End-to-end | Cypress | Also performs some automated accessibility checks against a page's HTML. |
SAST | LGTM | 3rd party tool, Looks good to me |
SAST | CodeQL | Customised pre-built GitHub action |
DAST | ZAP | |
Smoke | Cypress | Executed in TeamCity as part of deploy |
Dependency Check | Snyk | 3rd party tool |
Dependency Check | Dependabot | GitHub built in |
A11y | Jest axe | Limited automated checks |
A11y | Cypress axe | Page by page automated checks |
A11y | Manual by Dept. | |
Performance | TBD | |
Penetration | TBD | |
Blocking Tests Prior to Merge
Merge To dev
To merge to dev, the feature branch must be passing all:
- Lint & Unit tests
- End-to-end tests
- Static Application Security Tests (SAST)
- Smoke test (from dynamic branch deployment)
After the merge, it is expected that these tests would run on the dev branch:
- Lint & Unit tests
- End-to-end tests
Merge To main
To merge to main, the dev branch must be passing all:
- Lint & Unit tests
- End-to-end tests
- Static Application Security Tests (SAST)
- Dynamic Application Security Tests (DAST)
- Smoke test (from dev branch deployment)
After the merge, it is expected that these tests would run on the main branch:
- Lint & Unit tests
- End-to-end tests
Other Tests & Checks
This section is to further describe other tests and checks that require additional information.
Dependency Checks
Snyk and Dependabot both look at all our dependencies and notify us, creating Pull Requests when a vulnerability and fix is available for one of our listed dependencies. We would have to decide if that fix needs to go directly to main as a hotfix or be merged to dev to test integration first. Dependabot will also inform us of dependencies that have newer versions available.
Manual Accessibility (A11y) tests
We have quite a few automated accessibility checks in place; however, it's impossible to fully validate accessibility with automation, so we will also make use of the department-provided accessibility audit. We intend on requesting audits every 3-6 months as needed based on the changes made to the application in that time.
Performance & Penetration tests
This is still a work in progress as to how these tests will be done. We intend on running these tests every 3-6 months as needed based on the changes made to the application in that time.