[Coverage Report] Test Coverage Report — 2026-06-13 #4914
Closed
Replies: 2 comments
🔮 The ancient spirits stir, and the smoke test agent has passed through this discussion. The omens are green, the build is whole, and the firewall holds.
Warning: Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
See Network Configuration for more information.
This discussion was automatically closed because it expired on 2026-06-20T21:10:31.777Z.
📊 Overall Coverage
138 source files tracked. 64 dedicated test files at the top-level src/ layer alone (more test files than top-level source files).
🔴 Critical Gaps (< 50% statement coverage)
None. All 138 files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts
Only one file falls in this range. It validates Docker host detection, domain resolution, and network config — the key warning-branch paths (external Docker host, missing path prefix, DinD hint) are never exercised in tests.
🛡️ Security-Critical Path Status
All core security modules (iptables rule generation, Squid ACL/config generation, domain pattern matching) have 100% coverage. The one flag is cli.ts's branch coverage — though with only 2 total branches in that file (it's an entry-point bootstrap), the absolute exposure is minimal.
📋 Full Coverage Table — Notable Files
Files with any metric below 90% (test utilities excluded):
src/commands/validators/network-options.ts
src/services/agent-volumes/etc-mounts.ts
src/logs/audit-enricher.ts
src/logs/log-parser.ts
src/services/agent-volumes/docker-host-staging.ts
src/squid/policy-manifest.ts
src/commands/logs-command-helpers.ts
src/cli.ts
src/config-writer.ts
src/squid-log-reader.ts
src/artifact-preservation.ts
src/commands/validators/log-and-limits.ts
src/logs/log-streamer.ts
src/workdir-setup.ts
src/services/agent-environment/environment-builder.ts
src/services/agent-volumes/workspace-mounts.ts
src/services/agent-volumes/system-mounts.ts
src/host-env.ts
src/pid-tracker.ts
All remaining files (≥ 90% all metrics)
src/api-proxy-config.ts
src/cli-options.ts
src/cli-workflow.ts
src/compose-generator.ts
src/compose-sanitizer.ts
src/config-file.ts
src/container-cleanup.ts
src/container-lifecycle.ts
src/container-startup-diagnostics.ts
src/container-stop.ts
src/copilot-api-resolver.internal.ts
src/copilot-model.ts
src/diagnostic-collector.ts
src/dind-bootstrap.ts
src/dind-probe.ts
src/dlp.ts
src/dns-resolver.ts
src/docker-host.ts
src/domain-utils.ts
src/env-utils.ts
src/github-env.ts
src/host-identity.ts
src/image-tag.ts
src/logger.ts
src/option-parsers.ts
src/redact-secrets.ts
src/rules.ts
src/schema-validator.ts
src/ssl-bump.ts
src/upstream-proxy.ts
src/commands/build-config.ts
src/commands/logs-audit.ts
src/commands/main-action.ts
src/commands/network-setup.ts
src/commands/preflight.ts
src/commands/signal-handler.ts
src/commands/validators/agent-options.ts
src/commands/validators/config-assembly.ts
src/logs/log-aggregator.ts
src/logs/log-discovery.ts
src/logs/log-formatter.ts
src/logs/stats-formatter.ts
src/services/agent-service.ts
src/services/api-proxy-credential-env.ts
src/services/api-proxy-service-config.ts
src/services/api-proxy-service.ts
src/services/cli-proxy-service.ts
src/services/doh-proxy-service.ts
src/services/host-path-prefix.ts
src/services/agent-environment/environment-builder.ts
src/services/agent-volumes/docker-socket.ts
src/services/agent-volumes/hosts-file.ts
src/squid/config-sections.ts
src/squid/ssl-bump.ts
🔍 Notable Findings
1. src/commands/validators/network-options.ts — 66.66% stmt, 50% branches
The function validateNetworkOptions() has no dedicated test file (the only test in this directory, config-assembly.test.ts, doesn't call it). Four warning branches are entirely uncovered: when DOCKER_HOST points to an external daemon, when the path prefix is absent on an external host, and when a DinD hint is detected without a prefix. These are exactly the paths most likely to trip up ARC/DinD deployments.
2. src/logs/log-parser.ts — 68.57% branch coverage (22 of 70 branches uncovered)
Despite 100% function coverage, nearly a third of the parser's branches are untested. The firewall_detailed log format parser covers: IPv6 addresses, missing host headers (-), non-CONNECT methods (plain HTTP), and unusual user-agent strings. Misclassification here silently corrupts audit output — allowed vs denied counts could be wrong.
3. src/services/agent-volumes/etc-mounts.ts — 82.45% stmt, 67.85% branches (9/28 uncovered)
Handles construction of the /etc/passwd, /etc/group, and other /etc bind mounts for the agent container. The uncovered branches include the catch path of synthesizeIdentityFile (disk write failure) and conditional UID/GID augmentation logic. A regression here could cause the agent to run as the wrong UID or expose host identity data.
4. src/logs/audit-enricher.ts — 83.6% stmt, 74.13% branches
Replays Squid ACL evaluation order to attribute each log entry to a firewall rule. Untested branches here mean certain rule-match paths (e.g., upstream-proxy rules, DoH rules) have no verified match-reason output. This affects the accuracy of awf logs stats and awf logs summary security reports.
📈 Recommendations
High — src/commands/validators/network-options.ts: Add a test file covering validateNetworkOptions() with mocked checkDockerHost() returning valid: false, with/without a dockerHostPathPrefix, and with dindHint: true. This covers all 5 currently uncovered branches and brings the only sub-70% file above 90%.
Medium — src/logs/log-parser.ts: Expand log-parser.test.ts with adversarial/edge-case inputs: IPv6 client addresses, - in the host field, plain HTTP GET lines (non-CONNECT), very long user-agent strings, and partial/malformed lines. Targeting 22 specific uncovered branches improves security audit reliability.
Medium — src/services/agent-volumes/etc-mounts.ts: Mock fs.writeFileSync to throw in the synthesizeIdentityFile tests, and exercise the UID/GID augmentation paths with UIDs already present in passwd / missing from group. The 9 uncovered branches are almost entirely in error-handling paths for credential file synthesis.
Low — src/squid/policy-manifest.ts: Cover the 3 uncovered functions (function coverage 70%) — these handle policy manifest serialization. Add round-trip tests (serialize → deserialize → compare) to verify policy state is preserved across awf logs audit runs.
Generated by test-coverage-reporter workflow. Trigger: push