Unified Web Testing and Code Analysis - Mega Report

Mega Report is CodeFrog’s all-encompassing web testing and code analysis tool. It combines multiple testing and analysis tools into a single, unified report that runs all tests in parallel for comprehensive coverage.

Overview

Mega Report is designed to be your one-stop solution for comprehensive website and codebase validation. Instead of running individual tests separately, Mega Report runs everything in parallel and combines all results into a single, easy-to-review report.

What Makes It “Mega”

• Unified Testing: Combines web testing and code analysis in one report
• Parallel Execution: All tests run simultaneously for faster results
• Comprehensive Coverage: Tests accessibility, security, SEO, link integrity, content quality, code quality, and more
• Single View: All results in one place for easy review
• Export Options: Export to Markdown for sharing and documentation
• Report History: Track and compare results over time

Web Testing Components

Mega Report includes comprehensive web testing capabilities:

Accessibility Testing

• WCAG AA Compliance: Tests against Web Content Accessibility Guidelines Level AA
• Automated Scanning: Uses axe-core for comprehensive accessibility checks
• Issue Detection: Identifies accessibility barriers and violations
• Recommendations: Provides actionable fixes for accessibility issues
• Automation Limits: Automated checks catch only a subset of WCAG issues (approximately 57% in controlled audits and typically 20-30% in real-world testing), so manual assistive-technology testing is still required for full conformance

See Accessibility Testing for detailed guidance. Note: axe-core works iteratively — fixing issues may reveal new ones. See Understanding Axe-Core Iterative Testing for details.

Security Testing

• OWASP-based Checks: Industry-standard security validation
• Security Headers: Validates security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, and cookie security flags) to prevent XSS, clickjacking, MITM attacks, and information leakage
• SSL/TLS Configuration: Checks certificate validity and configuration
• Vulnerability Detection: Identifies common security issues
• Severity Classification: Findings categorized by severity (Critical, High, Medium, Low, Info)

Security headers provide defense-in-depth protection by instructing browsers how to handle your site’s content. Missing or misconfigured headers leave your site vulnerable to common attacks. See Security Headers: Why They Matter for detailed information about each header and what it prevents.

See Security Scanning for detailed security guidance.

Meta Tags Analysis

• SEO Meta Tags: Validates title, description, keywords, and Open Graph tags
• Social Media Tags: Checks Twitter Cards and Facebook Open Graph
• Missing Tags: Identifies important meta tags that are missing
• Tag Quality: Validates tag content and format

HTML Validation

• W3C Standards: Validates HTML against W3C standards using Nu Html Checker
• Semantic Correctness: Ensures proper HTML structure
• Cross-Browser Compatibility: Identifies markup issues that could cause browser problems
• Error Reporting: Detailed error messages with line numbers

SEO Testing

• SEO Analysis: Comprehensive SEO validation and optimization
• Page Structure: Validates heading hierarchy and content structure
• Content Quality: Analyzes content for SEO best practices
• Technical SEO: Checks technical SEO factors

Link & Content Analysis

Mega Report includes deep link and content analysis capabilities that go beyond basic web testing:

Broken Links

• Link Checking: Checks all internal and external links for broken URLs (404, 5xx, timeouts)
• Link Classification: Classifies links as internal vs external
• Status Reporting: Reports HTTP status codes for each broken link
• Comprehensive Coverage: Crawls anchor tags, images, scripts, and stylesheets

Redirect Analysis

• Redirect Chain Detection: Analyzes redirect chains for loops and excessive hops
• Mixed Protocol Detection: Detects mixed HTTP/HTTPS protocols in redirect chains
• Redirect Type Analysis: Identifies mixed 301/302 redirect types
• Chain Length Reporting: Reports the number of hops in each redirect chain

Canonical URL Validation

• Canonical Tag Checking: Validates <link rel="canonical"> tags for correctness
• Missing Canonicals: Detects pages missing canonical tags
• Self-Referencing Detection: Identifies self-referencing canonical URLs
• Target Validation: Verifies canonical targets return HTTP 200

Hreflang Validation

• Hreflang Tag Checking: Validates <link rel="alternate" hreflang="..."> tags
• Language Code Validation: Checks ISO 639-1 language codes for correctness
• Cross-Reference Checking: Verifies cross-references between pages (return links)
• Missing Alternate Detection: Identifies pages missing expected hreflang alternates

Structured Data Validation

• JSON-LD Validation: Validates JSON-LD structured data against Schema.org types
• Rich Result Requirements: Checks Google rich result requirements for each type
• Required Properties: Validates required and recommended properties are present
• Syntax Checking: Detects malformed or invalid structured data

Image Optimization

• Alt Text Checking: Verifies all images have descriptive alt text
• Dimension Attributes: Checks for width and height attributes to prevent layout shift
• Lazy Loading: Validates lazy loading attributes for below-the-fold images
• File Size Analysis: Flags oversized images (>200KB)
• Format Recommendations: Recommends modern formats (WebP/AVIF) for better compression

Internal Link Structure

• BFS Crawl Analysis: Breadth-first search crawl of internal link graph
• Orphan Page Detection: Identifies pages with no internal links pointing to them
• Deep Page Detection: Flags pages requiring 3+ clicks from the homepage
• Anchor Text Distribution: Analyzes anchor text variety and distribution

Duplicate Content Detection

• Duplicate Titles: Detects pages sharing the same title tag
• Duplicate Meta Descriptions: Identifies pages with identical meta descriptions
• Thin Content Detection: Flags pages with fewer than 200 words of content
• Near-Duplicate Detection: Uses Jaccard similarity to find near-duplicate page content

Browser-based Testing

Console Errors

• JavaScript Errors: Captures console.error, unhandled exceptions, and unhandled promise rejections
• Network Failures: Detects failed resource loads, HTTP 4xx/5xx responses from fetch and XMLHttpRequest
• CORS Errors: Identifies cross-origin request failures
• CSP Violations: Captures Content Security Policy violations
• Mixed Content: Detects insecure content loaded on HTTPS pages
• Deprecated APIs: Reports browser deprecation warnings
• Iframe Support: Captures errors from iframes via postMessage relay

Console Errors testing uses the platform’s native headless WebView engine (WKWebView on macOS and iOS, WebView2 on Windows, Android WebView on Android) to load the page and capture runtime errors. This test is available on all platforms.

Note: Due to differences between WebView engines and full browsers like Chrome, some categories of errors cannot be detected (such as Chrome-internal permissions policy violations and authenticated API failures). See Known Limitations for full details.

Code Analysis Components

When you have a project open, Mega Report can also analyze your codebase:

Secrets Detection (Gitleaks)

• Secret Scanning: Detects hardcoded secrets, API keys, and credentials
• Multiple Formats: Supports various secret patterns and formats
• Exclusions: Automatically excludes build directories, dependencies, and common false positives
• Severity Levels: Classifies findings by risk level

See Secrets Detection for detailed information.

Supply Chain Vulnerabilities (OSV)

• Dependency Scanning: Detects vulnerabilities in project dependencies
• OSV Database: Uses Open Source Vulnerabilities database
• Vulnerability Details: Provides CVE information and remediation guidance
• Severity Assessment: Categorizes vulnerabilities by severity

See OSV / Supply Chain for detailed information.

Static Analysis

• Semgrep: Advanced static analysis for code quality and security
• OpenGrep: Pattern-based code search and analysis
• Code Quality: Identifies code smells and potential bugs
• Best Practices: Enforces coding standards and best practices

Running a Mega Report

Accessing Mega Report

1. From Welcome Screen: Click “Mega Report (Mega)” button
2. From Navigation: Go to “Generate Mega Report” in the navigation menu
3. No Project Required: Mega Report can run on URLs without an open project (web testing only)
4. With Project: Open a project to include code analysis in the report

Configuration Options

When generating a report, you can configure:

Test Target

• Single URL: Test a specific webpage
• Sitemap: Test multiple URLs from a sitemap
  • Set maximum URLs to test (default: 100)
  • Set timeout per URL (default: 5 minutes)
  • Automatically discovers URLs from sitemap

Test Selection

Choose which tests to include:

Web Testing:

• ✅ Accessibility Testing
• ✅ Security Testing
• ✅ Meta Tags Analysis
• ✅ HTML Validation
• ✅ SEO Testing

Link & Content Analysis:

• ✅ Broken Links
• ✅ Redirect Analysis
• ✅ Canonical URL Validation
• ✅ Hreflang Validation
• ✅ Structured Data Validation
• ✅ Image Optimization
• ✅ Internal Link Structure
• ✅ Duplicate Content Detection

Browser-based Testing:

• ✅ Console Errors (JS errors, network failures, CORS/CSP issues)

Code Analysis (requires open project):

• ✅ Gitleaks (Secrets Detection)
• ✅ OSV (Supply Chain Vulnerabilities)
• ✅ Semgrep (Static Analysis)
• ✅ OpenGrep (Code Search)

Security Scan Options

• Skip Sensitive File Probing: Disables probing for exposed files and directories (.git, .svn, .env, composer.json, phpinfo.php, etc.) and directory listing checks. Enable this when the target site returns a default page (HTTP 200) for all routes instead of 404, which causes false positives. See Security Testing - Skipping Sensitive File Probing for details.
• Skip HTTPS Checks: Disables HTTPS/SSL checks for development sites that don’t use HTTPS.

Authorization

• Authorization Confirmation: Confirm you have permission to test the target
• Ethical Use: Only test systems you own or have explicit authorization to test

Report Generation

1. Enter URL or Sitemap: Provide the target URL or sitemap URL
2. Select Tests: Choose which tests to run (all enabled by default)
3. Configure Options: Set max URLs and timeout for sitemap mode
4. Confirm Authorization: Check the authorization checkbox
5. Generate Report: Click to start the report generation

During Report Generation

• Real-time Progress: See progress for each test section
• Parallel Execution: All selected tests run simultaneously
• Status Updates: Watch as each test completes
• Cancel Option: You can cancel the report if needed

Understanding Report Results

Report Structure

The Mega Report presents results in organized sections:

1. Summary View: Overview of all findings by severity
2. Section Details: Detailed results for each test type
3. Finding Details: Individual findings with descriptions and recommendations

Severity Levels

Findings are categorized by severity:

• Critical: Immediate action required (security vulnerabilities, breaking issues)
• High: Important issues that should be addressed soon
• Medium: Issues that should be addressed in normal development cycle
• Low: Minor issues or suggestions for improvement
• Info: Informational findings without immediate action required

Health Score

The report includes an overall health score (A through F) that aggregates findings from all test sections. The grade provides a quick visual assessment of your project’s overall health.

How Grades Are Calculated

The grade is calculated based on the total count of findings across all 19 test sections (accessibility, security, SEO, HTML validation, link & content analysis, console errors, secrets detection, OSV vulnerabilities, and static analysis). The calculation uses the following thresholds:

• F: Any critical findings (1 or more critical issues)
• D: More than 5 high severity findings (6+ high issues)
• C: Any high findings OR more than 10 medium findings (1+ high OR 11+ medium)
• B: Any medium findings OR more than 20 low findings (1+ medium OR 21+ low)
• A: No critical, no high, no medium, and low ≤ 20

Examples:

• 1 critical finding = F (regardless of other findings)
• 6 high findings = D
• 1 high finding = C
• 11 medium findings (no high) = C
• 1 medium finding (no high) = B
• 21 low findings (no medium, no high) = B
• 0 critical, 0 high, 0 medium, 5 low = A

Important Note on Info Findings:

• Info findings are counted and displayed in reports
• Most info findings do NOT directly affect the A-F grade calculation (the calculation only checks critical, high, medium, and low)
• OSV (supply chain) findings are treated as real security issues and are included in grading. OSV findings are mapped to severity based on CVSS scores:
  • CVSS ≥ 9.0 → Critical
  • CVSS ≥ 7.0 → High
  • CVSS ≥ 4.0 → Medium
  • CVSS > 0 (but < 4.0) → Low
  • OSV entries without CVSS scores (or invalid/≤0 scores) are promoted to High severity to ensure they are properly prioritized
• Any OSV findings cause that section to fail
• Always review OSV findings carefully, as they represent real security vulnerabilities in your dependencies

Understanding Your Grade

• A (Excellent): No critical, high, or medium issues; low issues ≤ 20. Your project is in excellent shape.
• B (Good): Some medium issues or low issues > 20. Good overall, but improvements can be made.
• C (Needs Improvement): High issues present OR medium issues > 10. Significant issues need attention.
• D (Poor): High issues > 5. Multiple high-priority issues require immediate attention.
• F (Critical): Any critical findings present. Critical security or functionality issues must be addressed immediately.

Improving Your Grade

1. Prioritize by Severity: Start with critical and high issues first
2. Fix Critical Issues: Any critical finding results in an F grade
3. Address High Issues: More than 5 high issues drops you to D; any high issues drop you to C
4. Reduce Medium Issues: More than 10 medium issues drops you to C
5. Manage Low Issues: More than 20 low issues drops you to B
6. Address OSV Findings: OSV findings are treated as real security issues and are included in grading. Findings without CVSS scores (or invalid scores) are promoted to high severity. Any OSV findings cause that section to fail.
7. Re-run Report: After fixing issues, generate a new report to see your improved grade

Trend Tracking

Compare grades across multiple reports to track improvement over time. A grade that improves from F → D → C → B → A shows clear progress in addressing issues.

Exporting Reports

Export to Markdown

1. Open Completed Report: Navigate to the Mega Report screen
2. Click Export: Use the “Export Markdown” button
3. File Location: Report is saved automatically
4. Shareable Format: Markdown format is easy to share and review

Use Cases for Exported Reports

• Client Reporting: Share comprehensive test results with clients
• Documentation: Include in project documentation
• Team Review: Share with team members for review
• Compliance: Use for compliance and audit documentation
• Historical Record: Keep records of project health over time

Report History

Viewing History

• Report List: View all previously generated reports
• Compare Reports: Compare results across different time periods
• Trend Analysis: See how project health changes over time

Report Details

Each saved report includes:

• Timestamp: When the report was generated
• Target URL: What was tested
• Test Configuration: Which tests were run
• Results Summary: Overall findings and health score
• Full Results: Complete detailed findings

Best Practices

When to Use Mega Report

• Pre-Launch Validation: Comprehensive testing before going live
• Regular Audits: Periodic health checks (weekly, monthly)
• After Major Changes: Validate after significant updates
• Client Deliverables: Generate reports for client review
• Compliance Checks: Verify compliance with standards

Recommended Workflow

1. Before Launch: Run full Mega Report with all tests
2. Address Critical Issues: Fix all critical and high-severity findings
3. Re-run Report: Generate new report to verify fixes
4. Document Results: Export and save report for records
5. Schedule Regular Reports: Set up periodic reports

Optimization Tips

• Selective Testing: Disable tests you don’t need for faster reports
• Sitemap Mode: Use sitemap mode for comprehensive site coverage
• Batch Processing: Use max URLs limit for large sites
• Project Context: Open project for code analysis when needed

Use Cases

Pre-Launch Checklist

Run Mega Report before launching to ensure:

• ✅ Accessibility compliance (WCAG AA)
• ✅ Security best practices
• ✅ SEO optimization
• ✅ HTML validity
• ✅ No broken links or redirect issues
• ✅ Correct canonical and hreflang tags
• ✅ Valid structured data
• ✅ Optimized images
• ✅ Healthy internal link structure
• ✅ No duplicate content
• ✅ No hardcoded secrets
• ✅ No known vulnerabilities

Regular Quality Audits

Schedule regular Mega Reports to:

• Track project health over time
• Identify regressions early
• Maintain code quality standards
• Ensure ongoing compliance

Client Reporting

Generate Mega Reports for:

• Client deliverables
• Project status updates
• Compliance documentation
• Quality assurance reports

Development Workflow

Integrate Mega Report into your workflow:

• Run after major feature additions
• Validate before merging PRs
• Check staging environments
• Monitor production health

Limitations

Code Analysis Requirements

• Requires Open Project: Code analysis (Gitleaks, OSV, Semgrep) requires a project to be open
• Local Projects: Code analysis works best with local projects
• Remote Projects: Code analysis may have limitations with SSH projects

Sitemap Mode

• URL Limits: Set maximum URLs to prevent extremely long reports
• Timeout Settings: Configure timeouts to prevent hanging on slow URLs
• Resource Usage: Large sitemaps may take significant time and resources

Console Errors Testing

• WebView Differences: The headless WebView cannot detect certain Chrome-specific errors such as permissions policy violations or authenticated API failures
• See: Known Limitations for a complete list of what cannot be detected

Network Dependencies

• Internet Required: Web testing requires internet connectivity
• Target Availability: Target URLs must be accessible
• Rate Limiting: Some sites may rate-limit requests

Troubleshooting

Report Fails to Start

• Check Authorization: Ensure authorization checkbox is checked
• Verify URL: Confirm the URL is valid and accessible
• Check Internet: Ensure you have internet connectivity
• Project Status: For code analysis, ensure project is open and accessible

Tests Not Completing

• Timeout Issues: Increase timeout settings for slow URLs
• Network Problems: Check network connectivity
• Target Availability: Verify target URLs are accessible
• Cancel and Retry: Cancel and restart with adjusted settings

Missing Code Analysis

• Open Project: Code analysis requires an open project
• Check Project Type: Ensure project is accessible (local or SSH)
• Verify Test Selection: Ensure code analysis tests are enabled

Export Issues

• Report Must Complete: Wait for report to finish before exporting
• Check Permissions: Ensure you have write permissions for export location
• File Path: Check the file path shown in success message

Related Guides

• WCAG Levels Explained - Understanding WCAG A, AA, and AAA conformance levels
• Security Scanning - Security testing details
• OSV / Supply Chain - Dependency vulnerability scanning
• Secrets Detection - Secrets scanning with Gitleaks
• AI Suggestions - On-device AI analysis of report findings (macOS 26+)
• Known Limitations - What automated testing cannot detect

Summary

Mega Report is CodeFrog’s comprehensive solution for web testing and code analysis:

• ✅ Unified Testing: All tests in one place
• ✅ Parallel Execution: Fast, efficient testing
• ✅ Comprehensive Coverage: Web testing + link & content analysis + code analysis
• ✅ Easy Review: Single-page view of all results
• ✅ Exportable: Markdown export for sharing
• ✅ Historical Tracking: Compare results over time

Whether you’re preparing for launch, conducting regular audits, or generating client reports, Mega Report provides the comprehensive testing and analysis you need in a single, unified tool.