[Coverage Report] Test Coverage Report — 2026-06-11 #4728
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-18T01:49:22.792Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
Overall coverage is healthy. The weakest dimension is branch coverage at 90.78%, which warrants attention in a security-critical codebase.
🔴 Critical Gaps (< 50% statement coverage)
None — all files are above 50% statement coverage.
🟡 Low Coverage (50–89% statement coverage)
src/commands/validators/network-options.tssrc/squid-log-reader.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/audit-enricher.tssrc/artifact-preservation.tssrc/cli.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/services/agent-volumes/docker-host-staging.tssrc/commands/logs-command-helpers.tssrc/dind-bootstrap.ts🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tsThe four core security enforcement modules (
host-iptables,squid-config,docker-manager,domain-patterns) are all at or near 100% — excellent posture for the most attack-surface-critical code.🔍 Notable Findings
1.
src/commands/validators/network-options.ts— newly added, no dedicated test file (66.66% stmt / 50% branch)This file was introduced in the last 7 days (commit
102c422— "Add opt-in diagnostics artifact for blocked LLM request bodies"). It has no dedicated*.test.tsfile; coverage is only incidentally achieved viaconfig-assembly.test.ts. The uncovered branches are warning-path conditionals:!dockerHostCheck.valid,dockerHostPathPrefixResolution.dindHint, and the combined DinD hint + missing prefix check. These paths govern how AWF handles external Docker hosts and ARC/DinD split-filesystem setups — a security-relevant misconfiguration scenario.2.
src/services/agent-volumes/etc-mounts.ts— bind-mount security, 67.85% branch coverageThis file controls which
/etcfiles are selectively bind-mounted into the agent container (excluding/etc/shadowand unwhitelisted paths). The uncovered branches at lines 49, 69, 82, 91, 104, and 113 include: content-based passwd/group UID/GID validation (the!stagedPasswdContentandfileHasPasswdUidchecks), and theshouldUseDockerHostStagingguard. Since these paths affect which credential-containing files land in the container, they are worth covering.3.
src/logs/log-parser.ts— audit log integrity, 68.57% branch coverageLog parsing underpins
awf logs statsandawf logs summary(used in GitHub Actions step summaries). At 68.57% branch coverage, edge-case parsing failures could silently corrupt audit data. The uncovered branches likely include malformed-line handling and timestamp edge cases.4.
src/services/api-proxy-service.ts— API proxy credential isolation, 50% branch coverageAt 50% branch coverage (91.66% stmt), the unhappy paths in the API proxy service — which is responsible for injecting real API credentials — lack test coverage. Credential-injection failures in unexpected conditions should be tested.
📈 Recommendations
High — Add
network-options.test.ts: The recently-addedvalidateNetworkOptionsfunction has no dedicated tests. Add unit tests covering: (a)!dockerHostCheck.validwarning path, (b)dindHintdetected but no prefix set, (c) the combined DinD+no-prefix warning. This is the highest-ROI gap given it was just added.High — Cover branch gaps in
src/services/agent-volumes/etc-mounts.ts: Add tests forstagedPasswdContentnull path,fileHasPasswdUidmismatch, and theshouldUseDockerHostStaging(false)branch. These validate that credential-containing files are only bind-mounted when expected.Medium — Improve
src/logs/log-parser.tsbranch coverage (68.57%): Add tests for malformed/truncated log lines, missing fields, and non-numeric timestamps to ensure audit log integrity under adversarial or corrupt input.Low — API proxy service unhappy paths (
src/services/api-proxy-service.ts, 50% branch): Test failure conditions such as missing credentials, unreachable upstream, and mismatched port configuration.Generated by test-coverage-reporter workflow. Trigger:
push· Commit:102c422108 test files | 155 source files | 1 commit in last 7 days
Beta Was this translation helpful? Give feedback.
All reactions