[Coverage Report] Test Coverage Report — 2026-06-13 #4915
Closed
Replies: 1 comment
This discussion was automatically closed because it expired on 2026-06-20T21:38:18.902Z.
Overall Coverage
Overall coverage is strong. The test suite spans 107+ source files.
🔴 Critical Gaps (< 50% statement coverage)
None. All source files exceed 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts
🛡️ Security-Critical Path Status
src/host-iptables.ts
src/host-iptables-rules.ts
src/host-iptables-shared.ts
src/squid-config.ts
src/squid/access-rules.ts
src/squid/acl-generator.ts
src/squid/domain-acl.ts
src/squid/validation.ts
src/squid/policy-manifest.ts
src/domain-patterns.ts
src/docker-manager.ts
src/services/agent-volumes/etc-mounts.ts
src/services/agent-environment/environment-builder.ts
src/logs/log-parser.ts
📋 Full Coverage Table
🔍 Notable Findings
1. src/commands/validators/network-options.ts — 66.66% stmt, 50% branch
The lowest-coverage file. It validates Docker-host detection, domain allowlists, and network config — security-relevant inputs. The uncovered branches are the warning paths for external Docker hosts (!dockerHostCheck.valid) and the DinD hint path (dockerHostPathPrefixResolution.dindHint). Tests that mock DOCKER_HOST pointing to a remote TCP socket and AWF_DIND=1 would close these gaps.
2. src/services/agent-volumes/etc-mounts.ts — branch: 67.85%
Controls which /etc files are selectively bind-mounted into the agent container. The 32% of uncovered branches are likely the synthesizeIdentityFile fallback (used when the runner has no /etc/passwd or /etc/group) and the edge cases in resolveUniqueName for duplicate username/groupname collisions. Because this module determines the boundary of agent filesystem access, untested branches carry real security risk.
3. src/logs/log-parser.ts — branch: 68.57% (22 of 70 branch points uncovered)
The Squid access log parser is used for audit enrichment. Uncovered branches likely include malformed log line handling and edge-case field formats (e.g., missing Host header, unusual Squid decision codes). Gaps here mean anomalous or adversarial log entries could be silently dropped rather than reported.
4. src/squid/policy-manifest.ts — func: 70% (3 of 10 functions uncovered)
Generates the structured policy manifest that drives audit log enrichment. Three uncovered functions mean portions of the generatePolicyManifest() output path — likely around dangerous-port rule generation and SSL-bump policy — are not tested. This risks policy manifests silently omitting rules from the audit trail.
📈 Recommendations
High — Add unit tests for src/commands/validators/network-options.ts covering the external-Docker-host warning branch (DOCKER_HOST=(remote/redacted)) and the DinD hint branch (AWF_DIND=1). This is low-effort (mock env vars) with high security relevance.
High — Cover the synthesizeIdentityFile fallback in src/services/agent-volumes/etc-mounts.ts. Test with a config that lacks /etc/passwd and /etc/group on the host (mock fs.readFileSync to throw). These paths gate what identity files the agent container sees.
Medium — Add branch coverage for src/logs/log-parser.ts, specifically malformed-line handling and unusual Squid decision codes (TCP_MISS, TCP_REFRESH_HIT). This ensures the audit subsystem degrades gracefully rather than silently.
Low — Cover the 3 uncovered functions in src/squid/policy-manifest.ts (dangerous-port manifest entries and SSL-bump policy generation). These are needed for complete audit enrichment parity with generateSquidConfig().
Generated by test-coverage-reporter workflow · Trigger: push · Date: 2026-06-13