[Coverage Report] Test Coverage Report — 2026-06-16 #5141
Closed
Replies: 2 comments
-
|
This discussion was automatically closed because it expired on 2026-06-23T23:06:44.264Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
-
|
🔮 The ancient spirits stir: the smoke test agent was here, and the run remains under favorable omens. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
Test suite: all suites passing. Branches are the primary area with remaining gaps.
Security-Critical File Status
host-iptables-rules.tshost-iptables-shared.tssquid/acl-generator.tssquid/access-rules.tssquid/validation.tsdomain-validation.tsdomain-patterns.tssquid/policy-manifest.tsservices/agent-volumes/etc-mounts.tslogs/audit-enricher.ts🔍 Notable Findings
1.
/etcIdentity Mount Logic Has Significant Branch Gaps (etc-mounts.ts— 67.85% branches)etc-mounts.tscontrols which/etcfiles are bind-mounted into the agent container, including the DinD identity synthesis path for/etc/passwdand/etc/group. The 9 uncovered branches include:synthesizeIdentityFilecatch block — never tested whenmkdirSyncorwriteFileSyncfails, meaning the fallback-to-host-path (|| passwdPath) is untestedresolveUniqueNamecounter loop (lines 53–57) — only fires when both a base name and the first dash-suffixed form already exist in the file; no test exercises this collision pathfileHasPasswdUid/fileHasGroupGidnegative branches when a staged file exists and the UID/GID is already present (the no-synthesis-needed path inside the DinD branch)Because these paths govern whether the agent sees the correct identity files, a regression here could cause the container to run as the wrong user or fail to start.
2. Audit Enricher Has 15 Uncovered Branches (
audit-enricher.ts— 74.13% branches)logs/audit-enricher.tsreconstructs the effective allow/deny decision for each Squid log entry using the policy manifest. The 15 missing branches represent enrichment code paths that are never exercised by tests. This is security-relevant because incomplete enrichment meansawf logs auditcould misclassify blocked traffic as allowed or vice versa, giving a false picture of firewall effectiveness.3. Policy Manifest Generator Has 3 Uncovered Functions (
squid/policy-manifest.ts— 70% function coverage)generatePolicyManifest()builds the structured policy manifest consumed by the audit enricher. Three functions in this module are unreached by tests. The uncovered paths likely include the conditional branches for--enable-host-accessand--allow-host-portscombinations not exercised in the test suite. If these paths produce incorrect rules, the policy manifest will silently diverge from the actual Squid config, breaking audit log analysis.4. Two Uncovered Branches in Domain Pattern Matching (
domain-patterns.ts— 89.47% branches)domain-patterns.tsis the ACL boundary: it determines which string values are treated as regex patterns vs. plain domain names. The 2 uncovered branches (out of 19) are minor but directly affect the domain allow-list. Any edge case here could cause a domain to be misclassified — either blocked when it should be allowed, or passed through the regex path when it should be exact-matched.📈 Recommendations
🔴 High — Add error-path tests for
etc-mounts.tsWhy: The
synthesizeIdentityFilefailure branch and theresolveUniqueNamecollision loop are completely untested. A filesystem write failure silently falls back to/etc/passwdwithout synthesizing the correct UID entry, which can cause the agent to start as root or fail identity resolution inside the chroot.Action: Add unit tests that mock
fs.mkdirSync/fs.writeFileSyncto throw, and test a staged passwd file that already contains bothrunnerandrunner-<uid>to exercise the counter loop.🟡 Medium — Cover the 3 uncovered functions in
squid/policy-manifest.tsWhy: The policy manifest is the authoritative source used to enrich audit logs. Uncovered functions mean there are policy generation paths (e.g.,
enableHostAccess + allowHostPortscombinations,blockedDomainswith only regex patterns, or theenableDlpbranch) that have never been tested end-to-end. A misconfigured manifest silently breaksawf logs audit.Action: Add tests for
generatePolicyManifestwith (a)enableHostAccess: true, (b)blockedDomainscontaining only regex patterns, and (c)enableDlp: true, verifying the returnedrulesarray contains the expected entries in the correct order.🟢 Low — Close the 2 remaining branches in
domain-patterns.tsWhy: Domain pattern matching sits on the ACL trust boundary. The 2 remaining branches (out of 19) are the last gap in this otherwise well-tested module. Closing them brings the ACL decision logic to 100% and eliminates the risk of edge-case bypass.
Action: Inspect the uncovered branches (likely edge cases around empty strings or patterns with only a leading
.) and add targeted unit tests indomain-patterns.test.ts.Beta Was this translation helpful? Give feedback.
All reactions