[Coverage Report] Test Coverage Report — 2026-06-14 #5002
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-21T20:12:20.620Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Overall Coverage
Test suite: 114 test files across 125 production modules. All passing.
🔴 Critical Gaps (< 50% statement coverage)
None. All 140 tracked files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
Notable branch gaps (branch% < 70%):
src/commands/validators/network-options.tssrc/services/agent-volumes/etc-mounts.ts/etcselective-mount logicsrc/logs/log-parser.tssrc/services/agent-environment/environment-builder.ts📋 Coverage Summary — Files Below 95%
Expand full table (files < 95% stmt coverage)
commands/validators/network-options.tssquid-log-reader.tsservices/agent-volumes/etc-mounts.tslogs/audit-enricher.tscli.tsconfig-writer.tslogs/log-parser.tssquid/policy-manifest.tsservices/agent-volumes/docker-host-staging.tscommands/logs-command-helpers.ts🔍 Notable Findings
1.
host-iptables-shared.ts— Silent IPv6 Bypass RiskdisableIpv6ViaSysctl()catches failures with a warning-only path. Ifsysctlis unavailable or returns an error, IPv6 traffic remains unfiltered with no exception raised. This is the highest-impact silent-failure path in the security stack. The fix path inenableIpv6ViaSysctlshares the same risk: it's guarded by a module-level boolean that could be wrong after a crash-recovery scenario.2.
network-options.ts— Lowest Coverage, Security-Relevant BranchingThis is the only file below 80% statement coverage (66.66%) and the lowest branch coverage at 50% (5/10). The 5 uncovered branches handle ARC/DinD scenarios: "external Docker host detected + no path prefix", and "DinD hint present + no path prefix". These are the exact paths where a misconfigured Docker socket could expose the host daemon without a hard error.
3.
logs/log-parser.ts— 22 Uncovered BranchesThe largest absolute branch gap. Uncovered paths include: IPv6 destination-address parsing (
[2001:db8::1]:443CONNECT format), legacyts-field JSON timestamp handling,Date.parse→NaNfallback, and CONNECT URLs with no colon. Incorrect parsing causes allowed traffic to be misclassified as denied (or vice versa) in audit reports — a silent audit integrity issue.4.
squid/policy-manifest.ts— 70% Function CoverageThree of ~10 functions are never exercised. The uncovered paths include:
apiProxyIp-conditional rules (allow-api-proxy-ip,allow-from-api-proxy),enableDlpconditional (deny-dlp), and wildcard-blocked-domain regex rules. Since this manifest drives the log enricher's audit trail, missing rules produce silent misattribution of allow/deny decisions.📈 Recommendations
High —
commands/validators/network-options.ts: Add tests for the ARC/DinD compound condition branches:!dockerHostCheck.valid && !dockerHostPathPrefixanddindHint && !dockerHostPathPrefix. These paths warn without throwing, making a broken DinD setup silently continue.High —
host-iptables-shared.ts: Add a test that simulatessysctlfailure (mockexecato throw) insidedisableIpv6ViaSysctl()and assert that the call site either throws or is considered a hard security failure rather than a warn-and-continue. This is the most security-critical uncovered path in the codebase.Medium —
logs/log-parser.ts: Add unit tests for: (a) CONNECT URL with no colon, (b) IPv6 bracketed destination parsing, (c) legacy JSONL withtsfield, (d)Date.parse→ NaN timestamp fallback. These are all pure-function branches that are straightforward to unit-test.Low —
squid/policy-manifest.ts: ExtendgeneratePolicyManifesttests to pass a config withapiProxyIpset andenableDlp: true. The manifest output is deterministic — these branches require only 2–3 new test cases.Generated by test-coverage-reporter workflow. Trigger:
pushBeta Was this translation helpful? Give feedback.
All reactions