📊 Test Coverage Report — 2026-06-15

🛡️ Security-Critical Path Status

🟢 OK src/docker-manager.ts: stmts=100% branch=100% funcs=100%
🟢 OK src/host-iptables.ts: stmts=100% branch=100% funcs=100%
🟢 OK src/squid-config.ts: stmts=100% branch=100% funcs=100%
🟡 LOW src/cli.ts: stmts=85.71% branch=50% funcs=100%
🟢 OK src/domain-patterns.ts: stmts=98.18% branch=94.52% funcs=100%
📋 Coverage Table (files < 80% stmts or security-critical)

| File | Stmts | Branch | Funcs | Lines | Status |
| --- | --- | --- | --- | --- | --- |
| src/commands/validators/network-options.ts | 66.66% | 50% | 100% | 66.66% | ❌ |
| src/cli.ts | 85.71% | 50% | 100% | 85.71% | ✅ |
| src/domain-patterns.ts | 98.18% | 94.52% | 100% | 98.14% | ✅ |
| src/docker-manager.ts | 100% | 100% | 100% | 100% | ✅ |
| src/host-iptables.ts | 100% | 100% | 100% | 100% | ✅ |
| src/squid-config.ts | 100% | 100% | 100% | 100% | ✅ |
| TOTAL | 96.77% | 91.27% | 98.81% | 96.9% | |

Generated by test-coverage-reporter workflow. Trigger: workflow_dispatch
🔍 Notable Findings

1. commands/validators/network-options.ts — lowest coverage in the project (66.66% lines, 50% branches)

   7 of 21 lines and 5 of 10 branches are uncovered. The missing paths are all warning branches for anomalous Docker host configurations:

   - Lines 49–56: external `DOCKER_HOST` detected → redirect warning
   - Lines 61–65: external host with no `--docker-host-path-prefix` set
   - Lines 66–79: DinD hint detected without a path prefix (ARC runner split-filesystem)

   These branches guard ARC/DinD network isolation correctness. An uncovered warning path isn't just cosmetic — it means the logic that detects misconfigured environments has never been exercised.

2. logs/log-parser.ts — 68.57% branch coverage (22 of 70 branches uncovered)

   The Squid audit log parser has the lowest branch coverage in the codebase. Key uncovered paths in `parseAuditJsonlLine`:

   - IPv6 bracketed destinations (`[2001:db8::1]:443` format, lines 178–189)
   - legacy `ts` epoch fallback (lines 218–220)
   - `extractDomain` fallback URL parsing (try/catch path, lines 135–142)

   Missing branches here mean malformed or IPv6-addressed log entries could be silently dropped, producing gaps in the security audit trail.

3. domain-patterns.ts — 4 uncovered branches (94.52% of 73 branches covered)

   Overall coverage is good, but this file generates Squid ACL rules, so every uncovered branch is a potential domain allowlist bypass. The 4 remaining uncovered branches likely include edge cases in wildcard validation or backslash rejection in `validateDomainOrPattern`. Given the security-critical role of this file, 100% branch coverage should be the target.

4. logs/audit-enricher.ts — 74.13% branch coverage (15 of 58 branches uncovered)

   The audit enricher classifies network traffic for reporting. With 15 uncovered branches, there are realistic log-entry shapes that have never been fed through the classifier. Misclassification bugs here produce incorrect allowed/denied totals in `awf logs stats` output.

📈 Recommendations

🔴 High — Test commands/validators/network-options.ts DinD/external-host warning branches

Mock `process.env.DOCKER_HOST` to a non-loopback TCP address (e.g., 192.168.1.5/redacted) and call `validateNetworkOptions({})`. Assert that `logger.warn` is called with the external-host message. Repeat with a non-standard Unix socket path (e.g., `/var/run/docker-alt.sock`) to hit the DinD hint branch. These are straightforward unit tests that would bring the file from 50% → ~90% branch coverage.

🔴 High — Improve logs/log-parser.ts branch coverage (68.57% → 90%+)

Add test cases to the existing log-parser.test.ts:

- `parseAuditJsonlLine` with `dest: "[2001:db8::1]:443"` (IPv6 bracketed format)
- `parseAuditJsonlLine` with `timestamp: "not-a-date"` and `ts: 1234567890` (invalid ISO + valid legacy fallback)
- `parseAuditJsonlLine` with `dest: "192.168.1.1"` and no port (bare IP, no colon)
- `extractDomain` via `parseLogLine` with a CONNECT URL containing no colon (no port to strip)

These edge cases correspond to real log entries that arise from non-standard client tooling or IPv6 infrastructure.

🟡 Medium — Achieve 100% branch coverage in domain-patterns.ts

Inspect the 4 uncovered branches using coverage/lcov-report/src/domain-patterns.ts.html. Likely candidates: passing a domain containing a backslash (triggers the `\` rejection path in `validateDomainOrPattern`), an empty-string input, or a wildcard-only pattern (`*`). Because this file's output feeds directly into Squid ACL rules, 100% branch coverage provides a stronger guarantee that no input can produce a mis-generated ACL line.