[Coverage Report] Test Coverage Report — 2026-06-13 #4889
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-20T16:49:44.640Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Test Coverage Report — 2026-06-13
Overall Coverage
🔴 Critical Gaps (< 50% statement coverage)
None — all files are above 50% statement coverage.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.tsOnly one file falls below 80%. It validates Docker-host, domain-resolution, and network-configuration options at CLI startup (Docker host, allowed/blocked domains, DNS, upstream proxy). Half its 10 conditional branches are untested — including the
--docker-host-path-prefixhint warning and the DinD split-filesystem detection path.🛡️ Security-Critical Path Status
src/host-iptables.ts(barrel)src/host-iptables-rules.tssrc/host-iptables-shared.tssrc/squid-config.ts(barrel)src/squid/access-rules.tssrc/squid/acl-generator.tssrc/squid/config-generator.tssrc/squid/domain-acl.tssrc/squid/validation.tssrc/squid/policy-manifest.tssrc/docker-manager.ts(barrel)src/domain-patterns.tssrc/cli.tsThe core iptables and Squid sub-modules are at 100% across all metrics. The policy-manifest module — which documents the logical access control policy for enrichment and auditing — has 3 uncovered functions.
🔍 Notable Findings
1.
src/squid/policy-manifest.ts— 70% function coverage (7/10 functions)Three functions within
generatePolicyManifestare not covered. These correspond to the conditional rule-building branches for: blocked-domain patterns (regex), HTTP-only regex allow rules, and HTTPS-only regex allow rules. If these branches fire with regex-pattern domains, the generatedPolicyManifestwill include rule objects that have never been tested — a risk for thelogs auditenrichment pipeline which relies on this manifest to attribute allow/deny decisions.2.
src/services/agent-volumes/etc-mounts.ts— 67.85% branch coverage (19/28)This file controls which
/etcfiles get bind-mounted into the agent container. The uncovered branches sit in the DinD/ARC staging path: specifically thepasswd/groupfile augmentation logic that adds a runner UID entry when the staged file already exists but lacks the runner's UID. These paths are only exercised whendockerHostPathPrefixis set, making them easy to miss in non-DinD test runs. A mismatch here could cause the chroot identity resolution to silently fall back to/etc/passwd, exposing/etc/shadow-adjacent risk surface.3.
src/logs/log-parser.ts— 68.57% branch coverage (48/70 branches)The Squid
firewall_detailedlog parser has the largest absolute number of uncovered branches (22). The file contains complex regex-based parsing with many defensive fallback paths for: non-standard HTTP methods, missing/malformed host headers, unusual dest IP formats, and edge-case status codes. Uncovered branches here mean that malformed or unusual log lines could silently fail to parse, producing gaps in theawf logs stats/summaryoutput used in CI job summaries.4.
src/services/agent-environment/environment-builder.ts— 66.66% branch coverage (4/6)Builds the final environment variable map passed into the agent container. Only 4 of 6 branches are covered. The two uncovered branches likely guard the API-proxy-enabled path or the DinD environment passthrough, meaning the exact variable set seen by agents in those configurations is not fully verified by tests.
🌱 Recent Code Without Full Coverage
Recent commits added OTLP fan-out for the API proxy (
feat(api-proxy): implement OTLP fan-out to multiple endpoints) and loopback TCP Docker host passthrough (fix(docker-host): pass through loopback TCP DOCKER_HOST for ARC/DinD). Thesrc/services/agent-volumes/etc-mounts.tsandsrc/services/agent-environment/environment-builder.tsbranch gaps may be partially attributable to these changes.📈 Recommendations
High — Cover
network-options.tsbranches: Add 2–3 test cases for the DinD warning path (dockerHostCheck.valid = false+ no path prefix) and thedindHintwarning path. These are security-relevant startup checks that currently have 0 coverage on the warning branches.Medium — Cover
etc-mounts.tsDinD augmentation paths: Write tests withdockerHostPathPrefixset where: (a) the stagedpasswdfile exists but lacks the runner UID, and (b) the stagedgroupfile exists but lacks the runner GID. This exercises the identity-file synthesis path that guards against silent fallback to the host/etc/passwd.Medium — Cover
log-parser.tsedge cases: Add fuzz-style test cases for: lines with-:-dest IP, lines with missing user-agent field, HTTP/1.0 entries, and CONNECT entries with non-standard port formats. The 70 branches suggest the parser has significant defensive logic that's never been exercised.Low — Cover
policy-manifest.tsregex-rule branches: Add a test callinggeneratePolicyManifestwith regex-pattern domains (e.g.,*.example.com) and with blocked domain patterns. This ensures the three uncovered functions produce validPolicyRuleobjects and that the audit enricher can correctly attribute deny decisions from those rules.Generated by test-coverage-reporter workflow. Trigger:
push· 2026-06-13T16:45:56ZBeta Was this translation helpful? Give feedback.
All reactions