[Coverage Report] Test Coverage Report — 2026-06-14 #4984
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-06-21T18:24:21.443Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Overall Coverage
139 source files tracked · 149 test files
🔴 Critical Gaps (< 50% statement coverage)
None — all 139 files exceed 50%.
🟡 Low Coverage (50–79% statement coverage)
src/commands/validators/network-options.ts🛡️ Security-Critical Path Status
src/host-iptables.ts(barrel)src/host-iptables-rules.tssrc/host-iptables-shared.tssrc/host-iptables-cleanup.tssrc/host-iptables-network.tssrc/squid-config.ts(barrel)src/squid/acl-generator.tssrc/squid/access-rules.tssrc/squid/domain-acl.tssrc/squid/validation.tssrc/squid/policy-manifest.tssrc/squid/config-sections.tssrc/docker-manager.ts(barrel)src/domain-patterns.tssrc/cli.tssrc/services/agent-volumes/etc-mounts.ts📋 Full Coverage Table
All 139 files (click to expand)
src/api-proxy-config.tssrc/artifact-preservation.tssrc/cli-options.tssrc/cli-workflow.tssrc/cli.tssrc/compose-generator.tssrc/compose-sanitizer.tssrc/config-file.tssrc/config-writer.tssrc/constants.tssrc/container-cleanup.tssrc/container-lifecycle.tssrc/container-startup-diagnostics.tssrc/container-stop.tssrc/copilot-api-resolver.internal.tssrc/copilot-api-resolver.tssrc/copilot-model.tssrc/diagnostic-collector.tssrc/dind-bootstrap.tssrc/dind-probe.tssrc/dlp.tssrc/dns-resolver.tssrc/docker-host.tssrc/docker-manager.tssrc/domain-patterns.tssrc/domain-utils.tssrc/env-utils.tssrc/github-env.tssrc/host-env.tssrc/host-identity.tssrc/host-iptables-cleanup.tssrc/host-iptables-network.tssrc/host-iptables-rules.tssrc/host-iptables-shared.tssrc/host-iptables.tssrc/image-tag.tssrc/log-paths.tssrc/logger.tssrc/option-parsers.tssrc/pid-tracker.tssrc/redact-secrets.tssrc/rules.tssrc/runner-tool-cache.tssrc/schema-validator.tssrc/squid-config.tssrc/squid-log-reader.tssrc/ssl-bump.tssrc/upstream-proxy.tssrc/workdir-setup.tssrc/commands/build-config.tssrc/commands/logs-audit.tssrc/commands/logs-command-helpers.tssrc/commands/main-action.tssrc/commands/network-setup.tssrc/commands/preflight.tssrc/commands/signal-handler.tssrc/commands/validators/agent-options.tssrc/commands/validators/config-assembly.tssrc/commands/validators/log-and-limits.tssrc/commands/validators/network-options.tssrc/logs/audit-enricher.tssrc/logs/log-aggregator.tssrc/logs/log-discovery.tssrc/logs/log-formatter.tssrc/logs/log-parser.tssrc/logs/log-streamer.tssrc/logs/stats-formatter.tssrc/services/agent-environment/environment-builder.tssrc/services/agent-volumes/docker-host-staging.tssrc/services/agent-volumes/etc-mounts.tssrc/services/agent-volumes/workspace-mounts.tssrc/squid/config-sections.tssrc/squid/policy-manifest.tssrc/squid/ssl-bump.ts🔍 Notable Findings
src/commands/validators/network-options.ts— 66.66% stmt / 50% branchNetwork option validation is security-critical (validates allowed domains, DNS override settings). With only 5 of 10 branches covered, paths that reject dangerous network configurations likely go untested. Prioritize adding tests for the uncovered validation rejection paths.
src/services/agent-volumes/etc-mounts.ts— 82.45% stmt / 67.85% branchControls which
/etcfiles are selectively bind-mounted into the agent container (the code that excludes/etc/shadow). Nine uncovered branches could mask edge-case file exposure scenarios. Tests for unusual host/etclayouts are warranted.src/logs/log-parser.ts— 86.9% stmt / 68.57% branch (22/70 branches uncovered)The Squid log parser has the most uncovered absolute branches (22). Gaps here can silently misparse access log entries, causing blocked traffic to appear allowed (or vice versa) in audit output. Fuzzing with malformed/truncated log lines would improve confidence.
src/workdir-setup.ts— 94.44% stmt / 79.62% branch (recently refactored)This file was decomposed from
writeConfigsin a recent commit (128f40a3). 11 uncovered branches remain; adding tests for temp-dir creation failure and cleanup edge cases would seal this newly extracted module.📈 Recommendations
High:
src/commands/validators/network-options.ts— Add unit tests that exercise every validation branch for domain lists and DNS server inputs, specifically the rejection/error paths (currently at 50% branch coverage). This is the only file below 80% coverage and directly guards network-isolation policy enforcement.Medium:
src/services/agent-volumes/etc-mounts.ts— Add tests covering the 9 uncovered conditional branches that govern selective/etcbind-mounts. Focus on edge cases where host files are missing, symlinked, or have unusual permissions.Low:
src/logs/log-parser.ts— Add parametrized tests with malformed Squid log lines (truncated entries, missing fields, unexpected HTTP methods) to cover the 22 uncovered branches and ensure audit-log integrity under adversarial conditions.Generated by test-coverage-reporter workflow. Trigger:
push· 139 files · 149 test files · 96.75% overall statement coverageBeta Was this translation helpful? Give feedback.
All reactions