Testing Pyramid — UK Regulated Software
| Test Type | Coverage Target | Framework | UK Regulatory Value | Run Frequency |
|---|---|---|---|---|
| Unit tests | 80%+ line coverage | Vitest / Jest | DTAC Domain 3 evidence — code quality | Every PR (< 30 seconds) |
| Integration tests | All API contracts | Vitest + supertest | FCA: API behaviour verifiable | Every PR (1–3 minutes) |
| Contract tests | All third-party APIs | Pact | NHS FHIR R4 contract compliance | Daily against sandbox |
| E2E tests | All critical user journeys | Playwright | NHS DTAC Domain 5 — user journey evidence | Every PR (5–15 minutes) |
| Performance tests | p95 < SLA target | k6 | FCA PS21/3 Impact Tolerance, GDS 3s standard | Weekly + pre-release |
| Security tests | OWASP Top 10 | OWASP ZAP + Semgrep | PCI-DSS Req 6, Cyber Essentials patching | Every release + quarterly DAST |
| Accessibility tests | WCAG 2.1 AA — zero critical | axe-core + NVDA manual | DTAC Domain 5, GDS, PSBAR | Every PR (axe automated) + quarterly manual |
Performance Testing Standards — UK Regulations
| Standard | Load Target | Response Time Target | ClickMasters Test Profile |
|---|---|---|---|
| GDS Service Standard | 1,000 concurrent users | p95 < 3 seconds on 3G | k6 ramp-up 0→1K in 60s, steady 30 min |
| FCA PS21/3 Impact Tolerance | 3× peak production load | IBS continues within tolerance | k6 3× peak simulation + AZ failure injection |
| NHS DTAC Domain 3 | Normal production load | 99.9% availability target | k6 production load + 30-day availability monitoring |
| PCI-DSS (payment flows) | Peak transaction volume | < 3 seconds p99 | k6 payment journey with Stripe test cards |
| eCommerce (Black Friday) | 10× normal peak | LCP < 2.5 seconds (Core Web Vitals) | k6 10× spike + Lighthouse CI LCP monitoring |
Security Testing — UK Compliance Requirements
OWASP ZAP Dynamic Application Security Testing (DAST): automated scan in CI/CD on every release — OWASP Top 10. ClickMasters: ZAP configured to scan all authenticated pages (ZAP with API key context). Critical findings block deployment.
Semgrep SAST (Static Application Security Testing): scans code for hardcoded secrets, SQL injection patterns, and insecure dependencies in CI/CD. Runs on every pull request.
Dependabot: automated dependency CVE monitoring — critical vulnerabilities create PRs automatically. Cyber Essentials: critical CVEs patched within 14 days.
CREST penetration test: annual external pen test by CREST-certified assessor. Required for: PCI-DSS, NHS DSP Toolkit, FCA operational resilience, ISO 27001. Cost: £3,000–£15,000 depending on scope.
Trivy container image scanning: scan Docker images for CVEs in OS packages and application dependencies. Runs in CI/CD on every Docker build. Blocks deployment if critical CVEs present.
Security testing for UK regulated software must be structured around specific compliance requirements: