[Coverage Report] Test Coverage Report — 2026-06-10 #4705
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-17T16:35:19.730Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-10
Overall Coverage
🔴 Critical Gaps (< 50% statement coverage)
None — all 136 source files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tsAll four primary security-critical files are at or near 100% coverage. The
cli.tsbranch gap is therequire.main === moduleguard — only 1 of 2 branches is exercised in unit tests (expected for an entry-point guard).📋 Full Coverage Table
Files 80–89% statement coverage (10 files)
src/squid-log-reader.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/artifact-preservation.tssrc/cli.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/services/agent-volumes/docker-host-staging.tssrc/commands/logs-command-helpers.tssrc/dind-bootstrap.tsFiles 90–99% statement coverage (selected)
src/services/doh-proxy-service.tssrc/commands/validators/log-and-limits.tssrc/services/host-path-prefix.tssrc/config-writer.tssrc/services/api-proxy-service.tssrc/services/agent-volumes/system-mounts.tssrc/logs/log-streamer.tssrc/services/agent-environment/environment-builder.tssrc/logs/audit-enricher.tssrc/services/agent-volumes/workspace-mounts.tsFiles at 100% statement coverage (58 files)
src/api-proxy-config.ts,src/cli-options.ts,src/cli-workflow.ts,src/constants.ts,src/container-lifecycle-state.ts,src/container-stop.ts,src/copilot-api-resolver.ts,src/copilot-model.ts,src/dind-probe.ts,src/dlp.ts,src/dns-resolver.ts,src/docker-host.ts,src/docker-manager.ts,src/domain-patterns.ts,src/domain-utils.ts,src/env-utils.ts,src/github-env.ts,src/host-iptables.ts,src/host-iptables-cleanup.ts,src/host-iptables-network.ts,src/host-iptables-rules.ts,src/host-iptables-shared.ts,src/image-tag.ts,src/log-paths.ts,src/logger.ts,src/redact-secrets.ts,src/schema-validator.ts,src/squid-config.ts,src/commands/logs-audit.ts,src/commands/logs-stats.ts,src/commands/logs-summary.ts,src/commands/logs.ts,src/commands/main-action.ts,src/commands/network-setup.ts,src/commands/predownload.ts,src/commands/preflight.ts,src/commands/signal-handler.ts,src/commands/subcommands.ts,src/commands/validate-options.ts,src/squid/access-rules.ts,src/squid/acl-generator.ts,src/squid/config-generator.ts,src/squid/domain-acl.ts,src/squid/upstream-proxy.ts,src/squid/validation.ts, and many more.🔍 Notable Findings
1.
src/commands/validators/network-options.ts— Only file below 80% (66.7% stmt, 50.0% branch)This was recently added as part of the validator refactor. It handles Docker host detection, domain resolution (
--allow-domains,--block-domains), DNS, and upstream proxy configuration. The 50% branch coverage (5/10 branches) means ~5 error-handling or conditional paths are untested — these include warning paths for external Docker hosts and missing path-prefix detection. Security-relevant because domain resolution feeds directly into the Squid ACL allowlist.2.
src/logs/log-parser.ts— 68.6% branch coverage (48/70 branches uncovered)This file has the largest absolute number of uncovered branches (22 uncovered). Log parsers are important for security audit trails — uncovered branches may include malformed-log handling and edge-case timestamp/IP parsing that could silently drop audit events. File was recently changed.
3.
src/services/agent-volumes/etc-mounts.ts— 67.8% branch coverage (9/28 uncovered)Generates
/etcbind-mounts inside the agent container, controlling which host system files the agent can read. Uncovered branches likely include platform-specific file existence checks and optional-mount conditions. Gaps here mean mount configurations for edge-case OS layouts aren't tested — a miss could expose or hide/etcfiles unintentionally.4.
src/dind-bootstrap.ts— 66.7% branch coverage (11/33 uncovered)Docker-in-Docker bootstrap logic recently modified; 11 uncovered branch paths. DinD mode is used in ARC/GitHub Actions setups and failure to handle edge cases here could break network isolation in those environments.
📈 Recommendations
High —
src/commands/validators/network-options.ts: Add tests for the warning paths: (a)checkDockerHost()returning invalid (external TCP socket), (b) missing--docker-host-path-prefixwhen DinD is active. These are security-gating checks; untested paths could allow a misconfigured firewall to silently proceed.High —
src/logs/log-parser.ts: Add tests for malformed Squid log lines (missing fields, truncated timestamps, IPv6 addresses) and the edge-case branches in log-line parsing. Security audit trails should never silently drop events.Medium —
src/services/agent-volumes/etc-mounts.ts: Test the conditional mount paths for files that may or may not exist on the host (e.g.,/etc/ld.so.cache,/etc/alternatives). Ensure both "file exists" and "file absent" branches are covered to guard against accidental exposure.Low —
src/dind-bootstrap.ts: Expand DinD bootstrap tests to cover the 11 uncovered branches — particularly the fallback paths when the DinD socket is unavailable or when path-prefix resolution fails.Generated by test-coverage-reporter workflow. Trigger:
push. 108 test files · 136 source files measured.Beta Was this translation helpful? Give feedback.
All reactions