[Coverage Report] Test Coverage Report — 2026-06-15 #5008
Replies: 3 comments
This discussion was automatically closed because it expired on 2026-06-22T06:20:36.958Z.
🔮 The ancient spirits stir: the smoke test agent has passed through the GitHub veil, leaving a brief trace in the discussion winds.

Warning: Firewall blocked 1 domain. The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
```

See Network Configuration for more information.
🔮 The ancient spirits stir, and the smoke test agent has passed through this thread. The omens were read, the build was tested, and the firewall stood its ground.

Warning: Firewall blocked 1 domain. The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
```

See Network Configuration for more information.
Overall Coverage Statistics
Total: 4,923 of 5,087 statements covered across 95 source files.
Security-Critical Path Status
- host-iptables-rules.ts
- host-iptables-shared.ts
- host-iptables-network.ts
- host-iptables-cleanup.ts
- squid/config-generator.ts
- squid/acl-generator.ts
- squid/access-rules.ts
- squid/domain-acl.ts
- squid/validation.ts
- domain-patterns.ts
- squid/policy-manifest.ts
- commands/validators/network-options.ts

Files with Lowest Branch Coverage
- commands/validators/network-options.ts
- logs/log-parser.ts
- services/agent-volumes/etc-mounts.ts
- services/agent-volumes/docker-host-staging.ts
- logs/audit-enricher.ts
- services/agent-volumes/workspace-mounts.ts
- services/agent-volumes/system-mounts.ts
- squid/policy-manifest.ts

🔍 Notable Findings
1. `commands/validators/network-options.ts` — 50% branch coverage (no dedicated test file)
   This function is the first gate for Docker-host detection, DinD path-prefix hints, and domain/network option resolution. Five branches are entirely untested:
   - `DOCKER_HOST` points at a non-loopback TCP endpoint
   - `--docker-host-path-prefix` is not set
   - `AWF_DIND=1`, warning the user about ARC split-filesystem setups
   These are all security-relevant warnings that guide users toward correct firewall isolation configuration. Silently broken warnings mean users may misconfigure their setup without knowing it.

2. `squid/policy-manifest.ts` — 70% function coverage (no test file exists)
   `generatePolicyManifest()` is the source of truth for the audit enricher and any downstream tooling that interprets access-control rules. Three functions are uncovered — the most likely candidates are the branches for protocol-specific regex rules (`allow-http-only-regex`, `allow-https-only-regex`, `allow-both-regex`). These are generated only when domains are specified with wildcard patterns and a protocol prefix (e.g., `https://*.example.com`). If this code path is broken, wildcard pattern rules would silently disappear from the policy manifest, causing audit mismatches.

3. `services/agent-volumes/etc-mounts.ts` — 67.85% branch coverage
   This file controls which `/etc` files are mounted into the container filesystem — including `/etc/passwd` and `/etc/group`. The 9 uncovered branches all live in the DinD staging path (lines 80–118): specifically the cases where a staged `passwd`/`group` file exists but does not contain an entry for the current runner UID/GID. The `resolveUniqueName()` collision loop (lines 50–57) is also untested. A bug here could cause the container to run with a mismatched identity, breaking least-privilege isolation.

4. `logs/log-parser.ts` — 68.57% branch coverage (22 uncovered branches)
   The Squid log parser has the largest absolute count of uncovered branches. Key untested paths in `parseAuditJsonlLine()`:
   - the `rawDest.startsWith('[')` branch is uncovered — any IPv6 destination would parse incorrectly
   - `timestamp` string present but non-parseable, falling back to `obj.ts` — not tested
   - `extractDomain` URL fallback (lines 135–141): `try`/`catch` around `new URL()` for non-CONNECT requests with neither a valid host header nor a protocol prefix
   Broken parsing means allowed/denied decisions in the audit log are silently miscategorized.
📈 Recommendations

🔴 High — Add tests for `commands/validators/network-options.ts`
Why: This is the entry point for all network security option validation. With 50% branch coverage and no dedicated test file, three distinct warning code paths that communicate security misconfigurations to users are completely untested.
Action: Create `src/commands/validators/network-options.test.ts`. Mock `checkDockerHost()` to return `valid: false` and `resolveDockerHostPathPrefix()` to return no prefix. Verify each `logger.warn` path fires. This is a ~20-line test with high security payoff.

🔴 High — Create `squid/policy-manifest.test.ts`
Why: `generatePolicyManifest()` has 3 uncovered functions (30% gap) and no test file. The uncovered functions correspond to wildcard domain patterns with protocol restrictions — a combination users can specify in production (`https://*.mycompany.com`). The policy manifest is consumed by the audit enricher; a silent regression here would cause audit logs to misclassify allowed traffic as unknown.
Action: Add tests for: (a) config with `https://` wildcard domains to exercise `allow-https-only-regex`, (b) (redacted) wildcard domains for `allow-http-only-regex`, (c) `allowHostPorts` and `enableDlp` flags together to exercise the remaining branches.

🟡 Medium — Extend `logs/log-parser.ts` tests with IPv6 and edge cases
Why: 22 uncovered branches is the highest absolute gap in the codebase. The IPv6 parsing path in `parseAuditJsonlLine()` is entirely untested — any deployment routing traffic through an IPv6 upstream would produce silently malformed audit entries.
Action: Add to `src/logs/log-parser.test.ts`: (a) a JSONL line with a bracketed IPv6 destination (`[2001:db8::1]:443`), (b) a line with a valid `timestamp` ISO string but also a `ts` field (to test the legacy fallback), (c) a non-CONNECT request with a malformed URL to exercise the `extractDomain` `try`/`catch` fallback.
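Finding 1 and the first recommendation above describe three warning paths and a test that stubs `checkDockerHost()` and `resolveDockerHostPathPrefix()`. The block below is an added example written for this report, not code from the project: a validator with those two dependencies injected so every warning path can be driven without a Docker daemon. The report names the dependencies and the three conditions; the function signatures, the `NetworkOptions` shape, the warning texts, and the decision to treat each of the three conditions as an independent warning are assumptions made here.

```typescript
// Added example, not the project's own validator. Dependencies are injected so
// the warning paths can be exercised with stubs, as the report recommends.

export interface NetworkOptions {
  dockerHostPathPrefix?: string; // assumed to mirror --docker-host-path-prefix
}

export interface Deps {
  env: Record<string, string | undefined>;
  // Assumed signatures for the two helpers the report says to mock.
  checkDockerHost: (dockerHost: string | undefined) => { valid: boolean; reason?: string };
  resolveDockerHostPathPrefix: () => string | undefined;
  warn: (msg: string) => void; // stands in for logger.warn
}

// True when DOCKER_HOST is a tcp:// endpoint whose host is not loopback.
// Only the common loopback spellings are recognised; "127.0.0.2" or "127.1"
// would be reported as non-loopback, which errs on the side of warning.
export function isNonLoopbackTcp(dockerHost: string | undefined): boolean {
  if (!dockerHost || !dockerHost.startsWith('tcp://')) return false;
  // Authority is everything after the scheme up to the first "/".
  const authority = dockerHost.slice('tcp://'.length).split('/')[0];
  const host = authority.startsWith('[')
    ? authority.slice(0, authority.indexOf(']') + 1) // "[::1]" keeps its brackets
    : authority.split(':')[0];
  const loopback = new Set(['localhost', '127.0.0.1', '[::1]']);
  return !loopback.has(host.toLowerCase());
}

// Returns the warnings it emitted so callers (and tests) can check them.
export function validateNetworkOptions(opts: NetworkOptions, deps: Deps): string[] {
  const warnings: string[] = [];
  const dockerHost = deps.env.DOCKER_HOST;

  const check = deps.checkDockerHost(dockerHost);
  if (!check.valid) {
    warnings.push(`Docker host check failed${check.reason ? `: ${check.reason}` : ''}`);
  }
  if (isNonLoopbackTcp(dockerHost)) {
    warnings.push(`DOCKER_HOST=${dockerHost} points at a non-loopback TCP endpoint`);
  }
  const prefix = opts.dockerHostPathPrefix ?? deps.resolveDockerHostPathPrefix();
  if (!prefix) {
    warnings.push('--docker-host-path-prefix is not set and no prefix could be resolved');
  }
  if (deps.env.AWF_DIND === '1') {
    warnings.push('AWF_DIND=1: ARC split-filesystem setup detected; verify host paths resolve inside the DinD daemon');
  }

  for (const w of warnings) deps.warn(w);
  return warnings;
}

// The stub arrangement the report describes: the host check reports invalid
// and no prefix can be resolved. Returns what reached the warn sink, so a
// test can assert that every path actually fired.
export function runWithStubs(env: Record<string, string | undefined>, opts: NetworkOptions = {}): string[] {
  const logged: string[] = [];
  validateNetworkOptions(opts, {
    env,
    checkDockerHost: () => ({ valid: false, reason: 'stubbed' }),
    resolveDockerHostPathPrefix: () => undefined,
    warn: (m) => { logged.push(m); },
  });
  return logged;
}
```

Asserting on the warnings returned (rather than on log output) is what makes the three paths visible to a coverage run: a regression that drops one of the `push` calls fails the test instead of silently removing a warning.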
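Finding 2 and the second recommendation above concern wildcard domain specs with a protocol prefix and the regex rules they should produce. The block below is an added example, not the project's `generatePolicyManifest()`: it builds a manifest from domain specs and then classifies requests against it the way an audit enricher would. The three regex rule type names come from the report; the `scheme://pattern` spec syntax, the exact-match rule names (`allow-https-only`, `allow-http-only`, `allow-both`), the `Rule` shape and the single-label wildcard semantics are assumptions made here.

```typescript
// Added example, not code from the project. Shows the manifest generation
// and the classification that depends on it.

export type Protocol = 'http' | 'https' | 'both';

export interface Rule {
  type: string;      // e.g. "allow-https-only-regex"
  protocol: Protocol;
  pattern: string;   // the domain spec as written, kept for audit output
  regex?: string;    // anchored regex source, present only for wildcard specs
}

export interface PolicyManifest {
  version: number;
  rules: Rule[];
}

// "https://*.example.com" -> { protocol: 'https', domain: '*.example.com' };
// a spec without a scheme applies to both protocols.
export function parseDomainSpec(spec: string): { protocol: Protocol; domain: string } {
  const m = /^(https?):\/\/(.+)$/.exec(spec);
  return m ? { protocol: m[1] as Protocol, domain: m[2] } : { protocol: 'both', domain: spec };
}

// Escape regex metacharacters first, then make each "*" match exactly one DNS
// label. Anchoring both ends keeps "*.example.com" from matching
// "api.example.com.attacker.net", the classic wildcard-to-regex mistake.
export function wildcardToRegex(domain: string): string {
  const escaped = domain.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return '^' + escaped.replace(/\*/g, '[^.]+') + '$';
}

export function generatePolicyManifest(domains: string[]): PolicyManifest {
  const rules: Rule[] = [];
  for (const spec of domains) {
    const { protocol, domain } = parseDomainSpec(spec);
    const scope = protocol === 'both' ? 'both' : `${protocol}-only`;
    if (domain.includes('*')) {
      rules.push({ type: `allow-${scope}-regex`, protocol, pattern: spec, regex: wildcardToRegex(domain) });
    } else {
      rules.push({ type: `allow-${scope}`, protocol, pattern: spec });
    }
  }
  return { version: 1, rules };
}

// The enricher's view: a request is "allowed" only if some rule covers both its
// scheme and its host; anything else is reported as "unknown". If the regex
// rules were missing from the manifest, every wildcard-covered host would land
// here as "unknown", which is the audit mismatch the report warns about.
export function classify(manifest: PolicyManifest, scheme: 'http' | 'https', host: string): 'allowed' | 'unknown' {
  const h = host.toLowerCase();
  for (const r of manifest.rules) {
    if (r.protocol !== 'both' && r.protocol !== scheme) continue;
    const matched = r.regex !== undefined
      ? new RegExp(r.regex).test(h)
      : parseDomainSpec(r.pattern).domain.toLowerCase() === h;
    if (matched) return 'allowed';
  }
  return 'unknown';
}

// Constructed sample policy that exercises every rule type.
export const SAMPLE_DOMAINS = [
  'https://*.mycompany.com',
  'http://*.internal.test',
  '*.example.org',
  'registry.npmjs.org',
];
```

The test cases worth keeping are the negative ones: the wrong scheme against a protocol-restricted wildcard, a host with an extra label, and a host that merely ends in the allowed domain. Those are the cases where a regex built by string concatenation without escaping or anchoring would wrongly return "allowed".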
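Finding 4 and the third recommendation above list three untested branches of `parseAuditJsonlLine()`: the bracketed IPv6 destination, the `timestamp`-then-`ts` fallback, and the `try`/`catch` around `new URL()` in `extractDomain`. The block below is an added example written for this report, not the project's parser: a parser that implements those three branches and runs over constructed JSONL lines that hit each one. The function names come from the report; the JSONL field names (`timestamp`, `ts`, `method`, `dest`, `url`, `host`, `decision`), the returned record shape and the sample lines are assumptions made here.

```typescript
// Added example, not the project's log parser. Field names and record shape
// are assumed; the sample lines are constructed for this example.

export interface AuditEntry {
  time: Date;
  method: string;
  destHost: string;
  destPort: number | null;
  domain: string | null;
  decision: string;
}

// Split "host:port", "[v6]:port" or a bare host into host and port. The
// bracket branch is the one the report flags as untested.
export function splitDest(rawDest: string): { host: string; port: number | null } {
  if (rawDest.startsWith('[')) {
    const close = rawDest.indexOf(']');
    if (close === -1) return { host: rawDest, port: null }; // malformed, keep raw
    const host = rawDest.slice(1, close);
    const rest = rawDest.slice(close + 1);
    const port = rest.length > 1 && rest.startsWith(':') ? Number(rest.slice(1)) : null;
    return { host, port: port !== null && Number.isInteger(port) ? port : null };
  }
  // IPv4 or hostname: exactly one colon separates host and port. An
  // unbracketed IPv6 literal has several colons, so it is treated as host-only
  // rather than mis-split at the last colon.
  const parts = rawDest.split(':');
  if (parts.length === 2) {
    const port = Number(parts[1]);
    return { host: parts[0], port: Number.isInteger(port) ? port : null };
  }
  return { host: rawDest, port: null };
}

// CONNECT requests carry "host:port" as the URL. Other requests use the Host
// header when present, else an absolute URL. The URL parse is wrapped so a
// malformed request line yields null instead of aborting the whole parse.
export function extractDomain(method: string, url: string, hostHeader?: string): string | null {
  if (method === 'CONNECT') return splitDest(url).host;
  if (hostHeader) return splitDest(hostHeader).host;
  try {
    // WHATWG URL keeps brackets around IPv6 hostnames; strip them.
    return new URL(url).hostname.replace(/^\[|\]$/g, '');
  } catch {
    return null;
  }
}

// Prefer the ISO "timestamp" string; if present but unparseable, fall back to
// the legacy numeric epoch-seconds "ts" field.
export function parseTimestamp(obj: Record<string, unknown>): Date | null {
  if (typeof obj.timestamp === 'string') {
    const d = new Date(obj.timestamp);
    if (!Number.isNaN(d.getTime())) return d;
  }
  if (typeof obj.ts === 'number') return new Date(obj.ts * 1000);
  return null;
}

export function parseAuditJsonlLine(line: string): AuditEntry | null {
  let obj: unknown;
  try {
    obj = JSON.parse(line);
  } catch {
    return null;
  }
  if (typeof obj !== 'object' || obj === null) return null;
  const rec = obj as Record<string, unknown>;
  const time = parseTimestamp(rec);
  if (!time) return null; // an entry with no usable time cannot be audited
  const method = typeof rec.method === 'string' ? rec.method : 'GET';
  const { host, port } = splitDest(typeof rec.dest === 'string' ? rec.dest : '');
  const url = typeof rec.url === 'string' ? rec.url : '';
  const hostHeader = typeof rec.host === 'string' ? rec.host : undefined;
  return {
    time,
    method,
    destHost: host,
    destPort: port,
    domain: extractDomain(method, url, hostHeader),
    decision: typeof rec.decision === 'string' ? rec.decision : 'unknown',
  };
}

// Constructed sample lines, one per branch the report lists as uncovered.
export const SAMPLE_LINES: string[] = [
  '{"timestamp":"2026-06-15T06:20:36.958Z","method":"CONNECT","dest":"[2001:db8::1]:443","url":"[2001:db8::1]:443","decision":"allowed"}',
  '{"timestamp":"not-a-date","ts":1781504436,"method":"GET","dest":"93.184.216.34:80","url":"http://example.com/index.html","host":"example.com","decision":"denied"}',
  '{"ts":1781504437,"method":"GET","dest":"10.0.0.5:8080","url":"not a url","decision":"denied"}',
];

export function parseAll(lines: string[]): AuditEntry[] {
  return lines.map(parseAuditJsonlLine).filter((e): e is AuditEntry => e !== null);
}
```

The third sample line is the one that matters for audit integrity: without the `try`/`catch`, a single malformed request line would throw and every later line in the file would go unparsed, so "denied" decisions after it would never appear in the audit view.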