Post-deployment smoke tests automated or documented; key user flows verified after every production deployment
Why it matters
A deployment that succeeds at the infrastructure level can still break login, payment processing, or core data flows — the CI/CD pipeline passes, but users hit errors. Without automated post-deployment smoke tests (NIST SA-11, SSDF PW.8), the first signal of a broken deployment is a user support ticket. ISO 25010 reliability.maturity requires that production changes be verified as correct after deployment, not just before it. A 3-minute automated smoke test covering the critical user journey is the difference between a 5-minute rollback and a 45-minute incident.
Severity rationale
Info because smoke tests are a post-deployment safety net rather than a preventive control — their absence extends time-to-detect when a deployment breaks production flows.
Remediation
Add automated post-deployment smoke tests using Playwright. Run them immediately after the production deployment step in CI/CD.
npm install --save-dev @playwright/test
// tests/smoke.spec.ts
import { test, expect } from '@playwright/test';
test('homepage loads', async ({ page }) => {
await page.goto(process.env.BASE_URL!);
await expect(page).toHaveTitle(/my app/i);
});
test('login flow completes', async ({ page }) => {
await page.goto(`${process.env.BASE_URL}/login`);
await page.fill('[name=email]', process.env.SMOKE_TEST_EMAIL!);
await page.fill('[name=password]', process.env.SMOKE_TEST_PASSWORD!);
await page.click('[type=submit]');
await expect(page).toHaveURL(/\/dashboard/);
});
# .github/workflows/deploy.yml
- name: Deploy to production
run: npm run deploy:prod
- name: Run smoke tests
run: npx playwright test tests/smoke.spec.ts
env:
BASE_URL: https://your-app.com
SMOKE_TEST_EMAIL: ${{ secrets.SMOKE_TEST_EMAIL }}
SMOKE_TEST_PASSWORD: ${{ secrets.SMOKE_TEST_PASSWORD }}
Detection
-
ID:
smoke-tests -
Severity:
info -
What to look for: Enumerate every relevant item. Look for post-deployment test scripts in CI/CD workflow (typically after deployment step). Check for documented smoke test procedures in README or DEPLOYMENT.md. Smoke tests should verify key user flows: login, core features, payment processing (if applicable).
-
Pass criteria: Smoke tests are automated in the CI/CD pipeline after production deployment, OR documented and regularly executed. Tests verify critical user flows.
-
Fail criteria: No smoke tests found, or tests exist but are not automated or documented.
-
Skip (N/A) when: The project is API-only with no user flows.
-
Detail on fail:
"No smoke tests found after deployment step in CI/CD pipeline."or"Smoke test runbook exists but is not automated." -
Remediation: Add automated smoke tests. For Next.js with Playwright:
npm install --save-dev @playwright/testCreate
tests/smoke.spec.ts:import { test, expect } from '@playwright/test'; test.describe('Smoke Tests', () => { test('homepage loads and login visible', async ({ page }) => { await page.goto('https://your-app.com'); await expect(page.locator('text=Login')).toBeVisible(); }); test('user can login', async ({ page }) => { await page.goto('https://your-app.com/login'); await page.fill('input[name=email]', 'test@example.com'); await page.fill('input[name=password]', 'password'); await page.click('button[type=submit]'); await expect(page).toHaveURL(/.*dashboard/); }); });Then add to CI/CD after deployment:
# .github/workflows/deploy.yml - name: Deploy to production run: npm run deploy:prod - name: Smoke tests run: npx playwright test tests/smoke.spec.ts
External references
- iso-25010:2011 · reliability.maturity — Maturity — post-deployment verification prevents regressions reaching users
- nist:rev5 · SA-11 — Developer Testing and Evaluation
- ssdf:800-218 · PW.8 — Test executable code to identify and address vulnerabilities
Taxons
History
- 2026-04-18·v1.0.0·Initial import from deployment-readiness·automated