# Testing

All test commands run inside the dev container:

```bash
docker compose -f docker-compose.dev.yml exec scanner /bin/bash
```
## RSpec

```bash
# Run all specs
RAILS_ENV=test bundle exec rspec

# Run a specific file
RAILS_ENV=test bundle exec rspec spec/models/target_spec.rb

# Run with coverage report
RAILS_ENV=test COVERAGE=true bundle exec rspec
```

> **Always use `RAILS_ENV=test`.** Without `RAILS_ENV=test`, RSpec will run against the development database.
## Static Analysis

```bash
# Security scan (Brakeman)
bundle exec brakeman

# Linter (RuboCop)
bundle exec rubocop

# Auto-fix RuboCop violations
bundle exec rubocop -A

# Check for vulnerable JavaScript dependencies
bundle exec importmap audit
```
## End-to-End Tests (Cypress)

Cypress runs on the host machine (not in Docker) and requires Node.js:

```bash
# Install dependencies (first time)
npm install

# Open Cypress test runner (interactive)
npm run cypress:open

# Run headlessly
npm run cypress:run
```
## CI Pipeline

The CI workflow (`.github/workflows/ci.yml`) runs on every PR:

- Garak lock file validation
- Brakeman security scan
- Importmap audit
- RuboCop lint
- RSpec with coverage

All checks must pass before merging.
## Testing Garak Integration

Stub garak execution in tests to avoid real subprocess calls:

```ruby
allow_any_instance_of(RunGarakScan).to receive(:call)
```

To test with mock Unix socket communication, see the existing scan job specs for patterns.
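The stub above keeps specs from launching a garak subprocess; the socket layer still needs a peer to talk to. The following is an added example (not code from this project or its scan job specs) of a fake garak-side Unix socket listener that a spec can stand up on a temporary path, so the client code is exercised end to end without garak installed. The wire protocol (one JSON object per line in each direction), the class names `GarakSocketClient` and `FakeGarakServer`, the `start_scan` command and the `run-0001` id are all assumptions for illustration; substitute the protocol from the real scan job specs.

```ruby
require 'socket'
require 'json'
require 'tmpdir'
require 'io/wait'

# Client side: a hypothetical socket client standing in for the code under
# test. One JSON object per line in each direction is an assumed protocol.
class GarakSocketClient
  def initialize(socket_path, timeout: 2)
    @socket_path = socket_path
    @timeout = timeout
  end

  # Sends one request and returns the parsed reply. Raises instead of
  # hanging forever if garak accepts the connection but never answers.
  def request(payload)
    UNIXSocket.open(@socket_path) do |sock|
      sock.puts(JSON.generate(payload))
      raise "no reply from garak within #{@timeout}s" unless sock.wait_readable(@timeout)
      line = sock.gets
      raise 'garak closed the connection without replying' if line.nil?
      JSON.parse(line)
    end
  end
end

# Test double: listens on a temporary socket, records every request it
# receives, and answers with whatever the handler block returns (nil = silence).
class FakeGarakServer
  attr_reader :received

  def initialize(socket_path, &handler)
    @socket_path = socket_path
    @handler = handler
    @received = []
  end

  def start
    @server = UNIXServer.new(@socket_path)
    @thread = Thread.new do
      loop do
        conn = @server.accept
        if (line = conn.gets)
          req = JSON.parse(line)
          @received << req
          reply = @handler.call(req)
          conn.puts(JSON.generate(reply)) unless reply.nil?
        end
        conn.close
      end
    rescue IOError, Errno::EBADF
      # the listening socket was closed by #stop: leave the accept loop
    end
    self
  end

  def stop
    @server.close
    @thread.join
    File.delete(@socket_path) if File.exist?(@socket_path)
  end
end

# Happy path: drives a start_scan request against the fake and returns both the
# reply and what the fake observed, so a spec can assert on both sides.
def exercise_scan_request(target_url)
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'garak.sock')
    fake = FakeGarakServer.new(path) do |req|
      if req['command'] == 'start_scan'
        { 'status' => 'accepted', 'run_id' => 'run-0001' }  # constructed reply
      else
        { 'status' => 'error', 'reason' => 'unknown command' }
      end
    end
    fake.start
    begin
      reply = GarakSocketClient.new(path).request('command' => 'start_scan', 'target' => target_url)
      { reply: reply, seen: fake.received }
    ensure
      fake.stop
    end
  end
end

# Failure mode: a garak that accepts the connection and then hangs. The client
# must give up after its timeout rather than block the scan job indefinitely.
def exercise_silent_garak
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'garak.sock')
    fake = FakeGarakServer.new(path) { |_req| sleep 1; nil }  # stall, then send nothing
    fake.start
    begin
      GarakSocketClient.new(path, timeout: 0.5).request('command' => 'start_scan')
      :replied
    rescue RuntimeError => e
      e.message
    ensure
      fake.stop
    end
  end
end
```

In a spec the fake would be started in a `before` block on a path under `Dir.mktmpdir` and stopped in an `after` block; the `received` array is what you assert on when the point of the test is that the job sent the right command, and the handler block is where you script garak's side of the exchange, including the silent or malformed replies a real run can produce.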
## Test Factories

Test data is defined using FactoryBot in `spec/factories/`. Key factories:

| Factory | Model |
|---|---|
| `:company` | Multi-tenant organization |
| `:user` | Admin or regular user |
| `:target` | Scan target (API or webchat) |
| `:scan` | Scan configuration |
| `:report` | Completed scan report |
| `:output_server` | SIEM integration |