[Coverage Report] Test Coverage Report — 2026-06-13 #4913
This discussion was automatically closed because it expired on 2026-06-20T20:56:19.034Z.
📊 Overall Coverage
Overall health is strong. No files fall below 50% statement coverage.
🔴 Critical Gaps (< 50% statement coverage)
None. All files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts
This file validates Docker host, domain resolution, and network configuration options — security-relevant input validation with only half its branches tested.
🛡️ Security-Critical Path Status
The iptables rules engine and Squid ACL generation are fully covered. The gaps are in higher-level validators, log parsing, and the etc-mounts isolation logic.
📋 Notable Files by Coverage (sorted by statement %)
Full per-file coverage table
src/commands/validators/network-options.ts
src/squid-log-reader.ts
src/services/agent-volumes/etc-mounts.ts
src/logs/audit-enricher.ts
src/config-writer.ts
src/artifact-preservation.ts
src/logs/log-parser.ts
src/services/agent-volumes/docker-host-staging.ts
src/squid/policy-manifest.ts
src/commands/logs-command-helpers.ts
src/logs/log-aggregator.ts
src/logs/log-streamer.ts
src/commands/validators/log-and-limits.ts
src/workdir-setup.ts
src/services/agent-volumes/workspace-mounts.ts
src/pid-tracker.ts
src/host-env.ts
src/ssl-bump.ts
src/upstream-proxy.ts
src/domain-patterns.ts
🔍 Notable Findings
1. src/logs/log-parser.ts — 68.57% branch coverage
This file parses Squid's firewall_detailed log format. With 70 total branches and only 48 covered, there are ~22 untested decision points. Likely gaps: malformed log line handling in parseLogLine(), edge cases in extractDomain() (non-standard URLs, IPv6 addresses), and JSONL parse error paths in parseAuditJsonlLine(). Since this drives the awf logs stats and awf logs summary reporting commands, bugs here could silently misclassify allowed/denied traffic.
2. src/services/agent-volumes/etc-mounts.ts — 67.85% branch coverage
Handles the selective bind-mounting of /etc files into the agent container sandbox (passwd, group, nsswitch.conf, etc.). 9 of 28 branches are uncovered. Missing coverage likely includes: fallback to synthesizeIdentityFile() when host files are unreadable, DinD path-prefix interactions, and the readFileContent() exception paths. Errors here can break UID/GID mapping in the container.
3. src/commands/validators/network-options.ts — 50% branch coverage
The validateNetworkOptions() function is the security gatekeeper that assembles domain allowlists, DNS config, and upstream proxy settings before they're passed to Squid. Only 5 of 10 branches are exercised — the uncovered half likely includes invalid/absent domain lists, conflicting DNS-over-HTTPS settings, and upstream proxy validation failures. Given that misconfigured options here could weaken the domain ACL, this is the highest-priority gap.
4. src/squid/policy-manifest.ts — 70% function coverage (7/10 functions)
Three functions in the policy manifest generator are entirely untested. The manifest is used by the audit enricher to classify Squid log entries as allowed/denied; uncovered functions may handle edge cases like empty domain lists or DLP rule generation. generatePolicyManifest() with host-port access and DLP features enabled is likely undertested.
📈 Recommendations
High — src/commands/validators/network-options.ts: Add unit tests covering: (a) missing --allow-domains flag, (b) --dns-over-https combined with custom --dns-servers, (c) invalid upstream proxy URLs. These are security-validation branches that determine what traffic Squid will allow.
High — src/logs/log-parser.ts: Add tests for malformed log lines (truncated entries, IPv6 client addresses, URLs with query strings, missing User-Agent field). Also cover the parseAuditJsonlLine() error branch when JSON is invalid. Ensures the reporting pipeline accurately reflects what the firewall allowed or blocked.
Medium — src/services/agent-volumes/etc-mounts.ts: Add tests for when host /etc/passwd or /etc/group files are absent or unreadable (synthesize fallback path), and for DinD mode where path-prefix translation changes mount sources. These paths affect container sandbox integrity.
Low — src/squid/policy-manifest.ts: Cover the 3 uncovered functions with tests that enable --enable-host-access, --allow-host-ports, and --enable-dlp together. This ensures the audit enricher correctly classifies log entries under complex policies.
Generated by test-coverage-reporter workflow · Trigger: push · Date: 2026-06-13