[Coverage Report] Test Coverage Report — 2026-05-26 #3833
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-02T02:48:06.454Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Overall Coverage
Test suite: 2187/2188 tests passing across 98 test files (1 flaky test in DNS pre-resolution — environment-specific).
🔴 Critical Gaps (< 50% statement coverage)
None. All files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/services/agent-volumes/hosts-file.tsOnly one file falls below 80%.
🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tsAll four core security modules (
host-iptables,squid-config,docker-manager,domain-patterns) are at or near 100% coverage.src/cli.tshas lower branch coverage (50%) due to signal-handler and process-exit paths that are difficult to test in unit tests.📋 Notable Low-Coverage Files
src/services/agent-volumes/hosts-file.tssrc/commands/validators/network-options.tssrc/logs/audit-enricher.tssrc/cli.tssrc/logs/log-parser.tssrc/squid/policy-manifest.tssrc/commands/logs-command-helpers.tssrc/cli-workflow.tssrc/services/host-path-prefix.tssrc/config-writer.ts🔍 Notable Findings
src/services/agent-volumes/hosts-file.ts(69% stmts, 62% branches) — The lowest-covered file. This module handles pre-resolving allowed domains into a chroot hosts file for the agent container. Uncovered branches likely include DNS resolution failure paths, IPv6-only domain handling, and edge cases for wildcard domains. The one failing test (should pre-resolve allowed domains into chroot-hosts file) is an environment-specific DNS resolution test wheregithub.comresolves to a different IP than expected — worth making the test IP-agnostic.src/commands/validators/network-options.ts(81% stmts, 50% branches) — Branch coverage at 50% suggests many validation error paths (e.g., invalid IP ranges, conflicting options) are not tested. Since this validates user-supplied network configuration that feeds into iptables rules, missed branches here could allow malformed input to reach security-critical code.src/cli.ts(86% stmts, 50% branch) — The main entry point has 50% branch coverage. Uncovered paths include signal handlers (SIGINT/SIGTERM), some error propagation paths, and edge-case CLI flag combinations. These are hard to unit-test but important for graceful shutdown behavior.src/squid/policy-manifest.ts(87% stmts, 70% functions) — Three functions have zero coverage. The policy manifest controls which Squid ACL policies are applied — untested functions here could mean certain policy configurations are never validated by tests.📈 Recommendations
High — Fix
hosts-file.tstests and coverage: The failing test (should pre-resolve allowed domains) is IP-address-sensitive and breaks in CI due to different DNS resolution. Make the assertion check that the hostname is present with some IP (not a specific hardcoded IP). Then add tests for: DNS resolution failure handling, IPv6 address formatting, and the branch where a domain cannot be resolved.High — Cover
network-options.tsvalidation error paths: Add unit tests for rejected inputs insrc/commands/validators/network-options.ts— invalid CIDR ranges, overlapping subnets, malformed DNS server IPs. These validations protect security-critical iptables rule generation.Medium — Cover
squid/policy-manifest.tsuncovered functions: The 3 uncovered functions (30% of the module) represent untested policy combinations. Add tests exercising each policy manifest function to ensure ACL generation is correct for all configurations.Low — Improve
log-parser.tsandaudit-enricher.tsbranch coverage: At 67% and 74% branch coverage respectively, these log analysis files have multiple unexercised parsing edge cases (malformed log lines, missing fields, unusual timestamp formats). These don't affect firewall security but affect the reliability of theawf logsreporting commands.Generated by test-coverage-reporter workflow. Trigger:
push— Run ID: 26429094165Beta Was this translation helpful? Give feedback.
All reactions