The 78-Test Inspection Suite provides a complete quality assurance matrix covering baseline functionality, security hardening, cluster-mode operations, and application-specific integration tests. Every CleanStart deployment runs this suite automatically; teams can add custom tests for domain-specific validation.
Test Categories
The 78-Test Inspection Suite is organized into five major categories covering different aspects of image and cluster validation.
Baseline Tests (25) verify fundamental image and container properties. These tests check image integrity and signature validation, container startup and health check responsiveness, security context verification, and basic network and storage functionality.
Cluster-Mode Tests (18) validate stateful systems operating in clustered configurations. These include testing Kafka quorum and replication behavior, PostgreSQL write-ahead log (WAL) and failover mechanics, Redis Sentinel and automatic failback, and service discovery and DNS resolution.
Application Integration Tests (20) ensure your application layers work correctly with CleanStart images. Tests cover API endpoint validation, database schema verification, cache coherency across instances, and message queue semantics.
Performance Tests (10) measure system performance against established baselines. Tests benchmark throughput, verify latency meets SLOs, measure memory efficiency, and monitor CPU utilization patterns.
Custom Tests (5) accommodate organization and domain-specific requirements. Teams can add custom validations for their compliance needs, domain-specific functionality, and third-party system integrations.
Running the Test Suite
Prerequisites
```bash
# Install test framework
curl -sSL https://releases.cleanstart.dev/test-suite-latest.tar.gz | tar xz
chmod +x ./test-suite

# Verify installation
./test-suite --version
# Output: CleanStart Test Suite v2.0.0
```

Basic Execution
```bash
# Run all 78 tests
test-suite run \
  --image gcr.io/my-project/app:latest \
  --output report.json \
  --format junit

# Run specific test category
test-suite run \
  --image gcr.io/my-project/app:latest \
  --category baseline

# Run specific test
test-suite run \
  --image gcr.io/my-project/app:latest \
  --test image_signature_verification

# Run with concurrency (faster)
test-suite run \
  --image gcr.io/my-project/app:latest \
  --parallel 8  # Runs 8 tests concurrently
```

Test Categories Explained
Category 1: Baseline Tests (25 tests)
Image Integrity (5 tests)
```
1. test_image_exists
   # Verify image exists in registry
   # Expected: Image found and accessible

2. test_image_signature_valid
   # Verify Cosign signature is valid
   # Expected: Signature verification succeeds

3. test_image_no_layers_modified
   # Verify all layers are original (SHA256 match)
   # Expected: All layer digests match signed digest

4. test_sbom_attached
   # Verify SBOM attestation present
   # Expected: SBOM found and parseable

5. test_attestations_signed
   # Verify all attestations are cryptographically signed
   # Expected: All attestations have valid signatures
```

Container Startup (5 tests)
```
6. test_container_starts
   # Verify container starts without errors
   # Expected: Container running after 30 seconds

7. test_healthcheck_passes
   # Verify health endpoint responds
   # Expected: HTTP 200 from /health

8. test_readiness_probe_ready
   # Verify readiness probe passes
   # Expected: Probe succeeds within timeout

9. test_no_crash_loop
   # Verify container doesn't crash immediately
   # Expected: Container stable for 60 seconds

10. test_log_output_present
    # Verify application produces logs
    # Expected: Logs contain startup messages
```

Security Context (5 tests)
```
11. test_non_root_user
    # Verify container runs as non-root
    # Expected: uid != 0, typically uid=65532

12. test_capabilities_dropped
    # Verify Linux capabilities are minimal
    # Expected: Capabilities list is empty (ALL dropped)

13. test_readonly_filesystem
    # Verify root filesystem is read-only
    # Expected: Writing to root filesystem fails

14. test_no_privilege_escalation
    # Verify allowPrivilegeEscalation is false
    # Expected: Cannot gain higher privileges

15. test_resource_limits_set
    # Verify resource requests/limits defined
    # Expected: Memory and CPU limits exist
```

Network & Storage (5 tests)
```
16. test_network_connectivity
    # Verify container can reach external services
    # Expected: DNS resolution works, external connectivity

17. test_volume_mounts_writable
    # Verify mounted volumes are accessible
    # Expected: Can read/write to volumes

18. test_environment_variables_loaded
    # Verify environment variables are set
    # Expected: Expected env vars present

19. test_secrets_mounted
    # Verify secret volumes present
    # Expected: Secret files readable at expected paths

20. test_no_hardcoded_secrets
    # Verify no secrets in image (grep test)
    # Expected: No private keys, passwords, API keys found
```

Image Quality (5 tests)
```
21. test_fips_compliance
    # Verify image uses only FIPS-approved algorithms
    # Expected: No MD5, SHA1, DES, RC4 found

22. test_image_size_reasonable
    # Verify image size is within expected bounds
    # Expected: Size < 500MB for typical apps

23. test_layers_minimal
    # Verify number of layers is reasonable
    # Expected: < 20 layers

24. test_no_build_tools_in_prod
    # Verify no compiler/build tools in image
    # Expected: No gcc, make, npm in /usr/bin

25. test_documentation_present
    # Verify image has labels and documentation
    # Expected: org.opencontainers.image labels present
```

Category 2: Cluster-Mode Tests (18 tests)
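In a Kubernetes deployment, the Security Context checks from Category 1 (tests 11-15) correspond to fields of the pod spec. The following is an added example, not part of CleanStart or its test suite, that audits a pod spec for those settings before the suite runs; the mapping from test name to field, the function names and the sample pod are assumptions.

```python
# Added example, not CleanStart code. Test names come from this page; which
# pod-spec field each test inspects is an assumption.
def audit_container(pod_spec, container):
    """Return the Security Context tests (11-15) this container would fail."""
    pod_sc = pod_spec.get("securityContext") or {}
    sc = container.get("securityContext") or {}
    failed = []
    # 11: container-level settings override pod-level ones.
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    if uid == 0 or (uid is None and not non_root):
        failed.append("test_non_root_user")
    # 12: drop must contain ALL and nothing may be added back.
    caps = sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []) or caps.get("add"):
        failed.append("test_capabilities_dropped")
    # 13 and 14: must be set explicitly; an omitted field counts as a failure.
    if sc.get("readOnlyRootFilesystem") is not True:
        failed.append("test_readonly_filesystem")
    if sc.get("allowPrivilegeEscalation") is not False:
        failed.append("test_no_privilege_escalation")
    # 15: both CPU and memory limits must be present.
    limits = (container.get("resources") or {}).get("limits") or {}
    if not {"cpu", "memory"} <= set(limits):
        failed.append("test_resource_limits_set")
    return failed

def audit_pod(pod_spec):
    """Map each container, init containers included, to its failed tests."""
    every = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
    return {c["name"]: audit_container(pod_spec, c) for c in every}

# Constructed sample: a hardened app container and a root sidecar with an added capability.
SAMPLE_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65532},
    "containers": [
        {"name": "app",
         "securityContext": {"capabilities": {"drop": ["ALL"]},
                             "readOnlyRootFilesystem": True,
                             "allowPrivilegeEscalation": False},
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
        {"name": "sidecar",
         "securityContext": {"runAsUser": 0, "capabilities": {"add": ["NET_ADMIN"]}},
         "resources": {"limits": {"memory": "128Mi"}}},
    ],
}

if __name__ == "__main__":
    for name, failed in audit_pod(SAMPLE_POD).items():
        print(name, "FAIL: " + ", ".join(failed) if failed else "PASS")
```

Sidecars and init containers are audited separately because container-level `securityContext` fields are not inherited from a hardened main container.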
Kubernetes Integration (6 tests)
```
26. test_pod_runs_kubernetes
    # Verify pod starts in Kubernetes
    # Expected: Pod in Running state

27. test_service_dns_resolves
    # Verify Kubernetes service DNS works
    # Expected: nslookup service-name succeeds

28. test_headless_service
    # Verify headless service endpoints resolve
    # Expected: DNS returns pod IPs

29. test_configmap_mounted
    # Verify ConfigMap volume mounts
    # Expected: ConfigMap data accessible in pod

30. test_secret_volume_mounted
    # Verify Secret volume mounts
    # Expected: Secret files present in pod

31. test_initcontainer_completes
    # Verify initContainer runs and completes
    # Expected: InitContainer exits with code 0
```

Stateful Operations (6 tests)
```
32. test_statefulset_identity
    # For StatefulSets: verify pod names are stable
    # Expected: Pod named app-0, app-1, app-2

33. test_persistent_volume_claim
    # Verify PVC is bound and accessible
    # Expected: PVC status Bound, storage available

34. test_data_persistence
    # Verify data survives pod restart
    # Expected: Data file present after delete/restart

35. test_ordered_pod_startup
    # Verify StatefulSet starts pods in order
    # Expected: Pod app-0 fully ready before app-1

36. test_pod_naming_sequential
    # Verify pod ordinal suffix increments
    # Expected: Pods named app-0, app-1, app-2

37. test_pvc_per_pod
    # Verify each pod gets its own PVC
    # Expected: N pods, N PVCs
```

Cluster Coordination (6 tests)
```
38. test_service_endpoints_updated
    # Verify service endpoints update as pods start
    # Expected: Service endpoints contain all pod IPs

39. test_leader_election
    # For coordinated services: test leader election
    # Expected: One leader, others standby

40. test_network_policy_enforcement
    # Verify NetworkPolicy blocks/allows traffic
    # Expected: Allowed traffic flows, blocked traffic fails

41. test_pod_disruption_budget
    # Verify PDB prevents too many pod evictions
    # Expected: Can evict N-1 pods but not N

42. test_cluster_service_discovery
    # Verify cross-namespace service discovery
    # Expected: svc.other-ns resolves correctly

43. test_headless_dns_round_robin
    # Verify headless service distributes DNS responses
    # Expected: Multiple DNS responses to same query
```

Category 3: Application Integration Tests (20 tests)
API Endpoint Tests (5 tests)
```
44. test_api_health_endpoint
    # GET /health returns 200 OK
    # Expected: HTTP 200

45. test_api_readiness_endpoint
    # GET /ready returns 200 when ready
    # Expected: HTTP 200, body indicates ready=true

46. test_api_metrics_endpoint
    # GET /metrics returns Prometheus metrics
    # Expected: HTTP 200, Prometheus format

47. test_api_request_response
    # POST request returns valid response
    # Expected: HTTP 2xx, valid JSON/XML response

48. test_api_error_handling
    # Invalid request returns 4xx, valid error message
    # Expected: HTTP 400/404, error details
```

Database Operations (5 tests)
```
49. test_database_connection
    # Verify app connects to database
    # Expected: Connection successful, no errors in logs

50. test_database_query_execution
    # Verify basic query works
    # Expected: Query result present

51. test_database_transaction_rollback
    # Verify failed transaction doesn't persist
    # Expected: Data reverted on rollback

52. test_database_schema_migration
    # Verify schema migration ran successfully
    # Expected: All tables present, columns match

53. test_database_connection_pool
    # Verify connection pooling works
    # Expected: Handles concurrent connections without error
```

Cache Operations (5 tests)
```
54. test_cache_write_read
    # Write to cache, read back same value
    # Expected: Read returns written value

55. test_cache_expiration
    # Write value with TTL, verify expires
    # Expected: Value absent after TTL

56. test_cache_invalidation
    # Explicit cache invalidation works
    # Expected: Value gone after invalidation call

57. test_cache_concurrency
    # Multiple readers/writers to same key
    # Expected: No data corruption

58. test_cache_size_limits
    # Cache respects max size configuration
    # Expected: Cache doesn't exceed max size
```

Message Queue Operations (5 tests)
```
59. test_queue_publish_subscribe
    # Publish message, subscribe and receive
    # Expected: Subscriber receives published message

60. test_queue_message_ordering
    # Publish N messages, consume in order
    # Expected: Messages received in publish order

61. test_queue_acknowledgment
    # Message acknowledged after processing
    # Expected: Message marked consumed

62. test_queue_dead_letter
    # Failed message goes to dead-letter queue
    # Expected: Message in DLQ after max retries

63. test_queue_scaling
    # Multiple consumers scale horizontally
    # Expected: Messages distributed across consumers
```

Category 4: Performance Tests (10 tests)
```
64. test_response_time_p95
    # 95th percentile response time < SLO
    # Expected: p95 < 200ms

65. test_response_time_p99
    # 99th percentile response time < SLO
    # Expected: p99 < 500ms

66. test_throughput_rps
    # System handles required requests/second
    # Expected: Sustain 1000 RPS without errors

67. test_concurrent_connections
    # System handles N concurrent connections
    # Expected: 100 concurrent connections active

68. test_memory_usage
    # Memory usage within expected bounds
    # Expected: Memory < 512MB under load

69. test_cpu_utilization
    # CPU usage stays below limits
    # Expected: CPU < 80% under sustained load

70. test_garbage_collection_pauses
    # GC pauses don't exceed threshold (if applicable)
    # Expected: Pause time < 100ms

71. test_database_query_latency
    # Database queries complete within SLO
    # Expected: 95% queries < 50ms

72. test_cache_hit_ratio
    # Cache hit ratio meets expectation
    # Expected: Cache hit ratio > 80%

73. test_startup_time
    # Application starts within time limit
    # Expected: Ready within 60 seconds
```

Category 5: Custom Application Tests (5 tests)
These are examples; customize for your application:
```
74. test_custom_business_logic
    # Your application-specific validation
    # Example: Invoice calculation correct

75. test_third_party_integration
    # Integration with external service works
    # Example: Payment gateway returns success

76. test_compliance_requirement
    # Regulatory compliance check
    # Example: GDPR data minimization verified

77. test_data_validation
    # Input validation and sanitization
    # Example: SQL injection attempt blocked

78. test_custom_metrics
    # Application-specific metric generation
    # Example: Business KPI metrics present
```

Test Execution and Reporting
Run and Generate Report
```bash
# Run tests with detailed output
test-suite run \
  --image gcr.io/my-project/app:v1.2.3 \
  --format html \
  --output report.html \
  --verbose

# Output report structure:
# Report includes Executive Summary (78/78 passed, 0 skipped, 0 failed)
# Baseline Tests section (25/25 passed)
# Cluster-Mode Tests section (18/18 passed)
# Integration Tests section (20/20 passed)
# Performance Tests section (10/10 passed, details: p95=145ms, throughput=1240 RPS)
# Custom Tests section (5/5 passed)
# Detailed Results per individual test
```

JSON Output for Automation
```bash
test-suite run \
  --image gcr.io/my-project/app:v1.2.3 \
  --format json \
  --output results.json | jq '.'

# Output:
# {
#   "summary": {
#     "totalTests": 78,
#     "passed": 78,
#     "failed": 0,
#     "skipped": 0,
#     "duration": "245s"
#   },
#   "testResults": [
#     {
#       "name": "image_signature_verification",
#       "category": "baseline",
#       "status": "passed",
#       "duration": "2.3s",
#       "message": "Signature verified successfully"
#     }
#   ],
#   "performanceMetrics": {
#     "p95ResponseTime": "145ms",
#     "p99ResponseTime": "320ms",
#     "throughputRPS": 1240,
#     "memoryPeakMB": 380
#   }
# }
```

CI/CD Integration
```yaml
# GitHub Actions
- name: Run 78-Test Suite
  run: |
    test-suite run \
      --image gcr.io/${{ env.GCP_PROJECT }}/app:${{ github.sha }} \
      --format junit \
      --output test-results.xml

    # Fail if any test failed
    test-suite check --results test-results.xml || exit 1

- name: Publish Test Results
  uses: actions/upload-artifact@v3
  with:
    name: test-results
    path: test-results.xml
```

Custom Test Addition
Add Custom Test
```bash
# Create custom test file
cat > custom_tests.yaml <<EOF
tests:
  - name: custom_invoice_calculation
    type: application
    description: Verify invoice calculation matches expected formula
    steps:
      - action: http_request
        method: POST
        url: /api/invoices
        body: '{"items": [{"price": 10, "qty": 2}]}'
        expectedStatus: 201
      - action: assert_json
        jsonPath: $.total
        expectedValue: 20

  - name: custom_gdpr_compliance
    type: compliance
    description: Verify PII is not logged
    steps:
      - action: grep_logs
        pattern: "email=|password=|ssn="
        expectedMatch: false  # Should NOT find PII patterns
EOF

# Register custom tests
test-suite register \
  --custom-tests ./custom_tests.yaml

# Run all 78 + custom tests
test-suite run \
  --image gcr.io/my-project/app:latest \
  --include-custom
```

Troubleshooting Test Failures
Common Failures and Fixes
Image Signature Verification Fails
```bash
# Check if image is signed
cosign verify --key cosign.pub gcr.io/my-project/app:latest

# If fails: Sign the image first
clnstrt-cli sign --image gcr.io/my-project/app:latest --key cosign.key
```

Readiness Probe Fails
```bash
# Check what endpoint is being tested
test-suite run --test readiness_probe_ready --verbose

# Verify endpoint exists
curl http://localhost:8080/ready
```

Database Connection Fails
```bash
# Check if database is accessible
kubectl get pods -l app=postgres

# Verify credentials in environment
kubectl exec POD_NAME -- env | grep DATABASE
```

Performance Test Fails
```bash
# Check if system under load has enough resources
kubectl top pods

# Increase resource limits if needed
kubectl set resources deployment/app --limits=cpu=1000m,memory=1Gi
```

Performance Metrics Interpretation
| Metric | Excellent | Good | Acceptable | Poor |
|---|---|---|---|---|
| p95 Response Time | <100ms | 100-200ms | 200-500ms | >500ms |
| p99 Response Time | <300ms | 300-500ms | 500-1000ms | >1000ms |
| Throughput (RPS) | >1000 | 500-1000 | 100-500 | <100 |
| Error Rate | 0% | <0.1% | <1% | >1% |
| Memory (startup) | <100MB | 100-300MB | 300-500MB | >500MB |
| CPU (idle) | <5% | 5-15% | 15-30% | >30% |
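A promotion gate over the JSON output format shown earlier, graded against the table above. This is an added example, not CleanStart code: the function names, the rule that a value on a shared band edge (such as 200ms) falls in the better band, and the sample report are assumptions.

```python
import json

# Added example, not CleanStart code. Field names follow the JSON output shown
# on this page. Band edges follow the table; a value on a shared edge (200ms)
# is assigned to the better band, which is an assumption.
GRADES = ("Excellent", "Good", "Acceptable", "Poor")
LATENCY_EDGES_MS = {"p95ResponseTime": (100, 200, 500),
                    "p99ResponseTime": (300, 500, 1000)}

def grade_latency(metric, value):
    """Grade a string such as '145ms' against the table row for `metric`."""
    ms = float(value.replace("ms", ""))
    for edge, grade in zip(LATENCY_EDGES_MS[metric], GRADES):
        if ms < edge or (ms == edge and grade != "Excellent"):
            return grade
    return "Poor"

def grade_throughput(rps):
    return ("Excellent" if rps > 1000 else "Good" if rps >= 500
            else "Acceptable" if rps >= 100 else "Poor")

def gate(report, expected_total=78, worst_allowed="Acceptable"):
    """Return reasons to block promotion; an empty list means the gate passes."""
    s, reasons = report["summary"], []
    if s["totalTests"] < expected_total:  # e.g. a --category run used as evidence
        reasons.append(f"partial run: {s['totalTests']}/{expected_total} tests")
    if s["failed"] or s["skipped"]:
        reasons.append(f"{s['failed']} failed, {s['skipped']} skipped")
    # Re-derive failures from the per-test records instead of trusting the summary.
    for t in report.get("testResults", []):
        if t["status"] != "passed":
            reasons.append(f"{t['category']}/{t['name']}: {t['status']}")
    perf = report.get("performanceMetrics", {})
    grades = {m: grade_latency(m, perf[m]) for m in LATENCY_EDGES_MS if m in perf}
    if "throughputRPS" in perf:
        grades["throughputRPS"] = grade_throughput(perf["throughputRPS"])
    limit = GRADES.index(worst_allowed)
    reasons += [f"{m} graded {g}" for m, g in grades.items() if GRADES.index(g) > limit]
    return reasons

# Constructed sample: a baseline-only run with one skipped test and a slow p95.
SAMPLE = json.loads("""{
  "summary": {"totalTests": 25, "passed": 24, "failed": 0, "skipped": 1},
  "testResults": [{"name": "no_hardcoded_secrets", "category": "baseline", "status": "skipped"}],
  "performanceMetrics": {"p95ResponseTime": "620ms", "throughputRPS": 1240}
}""")

if __name__ == "__main__":
    print("\n".join(gate(SAMPLE)) or "gate passed")
```

Treating skipped tests and partial runs as blocking keeps a `--category` or `--test` run from standing in for the full suite.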
Test Suite Output Example
The CleanStart 78-Test Inspection Suite v2.0.0 produces a summary report:
```
Image: gcr.io/my-project/app:v1.2.3
Timestamp: 2024-03-20T10:30:00Z
Duration: 245 seconds

SUMMARY
Total Tests: 78
Passed: 78
Failed: 0
Skipped: 0
Success Rate: 100%

📋 BASELINE TESTS (25)
25/25 passed

🔗 CLUSTER-MODE TESTS (18)
18/18 passed

🧪 APPLICATION INTEGRATION TESTS (20)
20/20 passed

⚡ PERFORMANCE TESTS (10)
10/10 passed
P95 Response Time: 145ms
Throughput: 1240 RPS

🎯 CUSTOM TESTS (5)
5/5 passed

╠════════════════════════════════════════════════════════════╣
║ Result: ALL TESTS PASSED - READY FOR PRODUCTION ║
╚════════════════════════════════════════════════════════════╝
```
