[Coverage Report] Test Coverage Report — 2026-06-09 #4627
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-16T21:07:33.744Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-09
Overall Coverage
🔴 Critical Gaps (< 50% statement coverage)
None. All files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
src/host-iptables.tssrc/squid-config.tssrc/docker-manager.tssrc/domain-patterns.tssrc/cli.tssrc/cli.tsis a thin 12-line entry point — the sole uncovered branch is therequire.main === moduleguard (the "module imported" path is never exercised by tests, which is generally acceptable).📋 Files with Branch Coverage < 75% (all above 80% statements)
src/commands/validators/network-options.tssrc/dind-bootstrap.tssrc/services/agent-volumes/etc-mounts.tssrc/logs/log-parser.tssrc/services/agent-environment/environment-builder.tssrc/logs/audit-enricher.tssrc/services/agent-volumes/docker-host-staging.ts🔍 Notable Findings
1.
src/commands/validators/network-options.ts— No test file (66.7% stmt, 50% branch)The Docker-host detection warning paths (external TCP socket detected, DinD hint with no path-prefix set) are completely untested. These warnings directly affect DinD/ARC runner setups where misconfiguration causes silent bind-mount failures. A new
network-options.test.tswith mockedcheckDockerHost()/resolveDockerHostPathPrefix()returns would close this gap.2.
src/logs/log-parser.ts— 22 uncovered branches (86.9% stmt, 68.6% branch)The Squid log parser has significant branch coverage gaps. Given that log parsing feeds audit trails and the
awf logscommands, malformed or edge-case log lines (empty fields, unusual status codes, IPv6 addresses) likely hit uncovered paths. These are particularly important now thatawf logs auditis new functionality added in the last 7 days.3.
src/logs/audit-enricher.ts— 15 uncovered branches (83.6% stmt, 74.1% branch)The ACL-matching logic in
domainMatchesRule()andprotocolMatchesRule()has 15 uncovered branches. This is the code that determines whether a log entry is "allowed" or "blocked" in audit output — incorrect enrichment would produce misleading security reports.4.
src/dind-bootstrap.ts— 11 uncovered branches (88.9% stmt, 66.7% branch)The DinD bootstrap error paths (container start failures, network setup failures) are not covered. These code paths only execute in DinD environments, making them harder to test, but they protect against silent misconfiguration in ARC/DinD setups.
📈 Recommendations
High — Add
network-options.test.ts: This is the only file with no test coverage at all. The Docker-host detection warnings are user-visible and affect DinD users. MockcheckDockerHost()to return invalid/DinD states and assert the logger warning calls. Estimated: ~50 lines of tests.High — Expand
log-parser.test.tsbranch coverage: The 22 uncovered branches inlog-parser.tsrepresent log format variations. Add test cases for: IPv6 client addresses, missing/dash-placeholder fields,NONEhierarchy codes, and entries with unusual Squid status codes. This also validates theawf logs auditpipeline end-to-end.Medium — Cover
audit-enricher.tsprotocol-matching branches: Add cases whereentry.protocolishttp(nothttps) and where ACL domains use the.prefix wildcard form. TheallACL rule path (lines 101–106) also appears uncovered.Low —
dind-bootstrap.tserror paths: Add tests with mockedexecathat simulate container start failures and network setup errors. These paths are hard to trigger in a standard test environment but important for DinD reliability.Generated by test-coverage-reporter workflow · Trigger:
push· Commit:c2c9340(refactor: split model-resolver.js into focused modules)Beta Was this translation helpful? Give feedback.
All reactions