This document outlines testing practices and policies for Secrets-LE development.
No broken or failed tests are allowed in commits.
All tests must pass before code can be committed or merged. This ensures code quality and prevents regressions.
```bash
bun run test
bun run test:coverage
bun run test:watch
bun x vitest run src/extraction/detectors.test.ts
```

Located in `src/**/*.test.ts` and `src/**/*.spec.ts`:
- Detector tests - Test secret detection logic
- Utility tests - Test helper functions
- Configuration tests - Test config validation
Located in src/sampleFiles.spec.ts:
- Sample file tests - Test detection against real file formats
- Cross-platform tests - Ensure case-sensitivity compatibility
- End-to-end workflows - Test complete command flows
- Minimum Coverage: Maintain reasonable coverage across core functionality
- Critical Paths: All detection logic must be tested
- Error Handling: All error paths must be covered
- Edge Cases: Boundary conditions must be tested
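
A table-driven sketch of the boundary cases these requirements call for, as an added example that is not Secrets-LE code: `findAwsKeyIds` and its regex are a hypothetical stand-in detector (not `detectSecretsInContent`), and all inputs are constructed. In the project's suite each row would be its own named `it` case.

```typescript
// Stand-in detector (assumption): a commonly used AWS access key ID shape,
// "AKIA" or "ASIA" followed by 16 uppercase alphanumerics, on word boundaries.
// This is NOT the detector shipped in Secrets-LE.
const AWS_KEY_ID = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g;

function findAwsKeyIds(content: string): string[] {
  return content.match(AWS_KEY_ID) ?? [];
}

// KEY is the documentation example value used elsewhere on this page;
// TEMP_KEY is a constructed value with the temporary-credential prefix.
const KEY = 'AKIAIOSFODNN7EXAMPLE';
const TEMP_KEY = 'ASIAQ3EXAMPLEKEY0001';

// Each row pins one boundary: exact length, off-by-one, adjacency, case, line endings.
const cases: Array<{ name: string; input: string; expected: string[] }> = [
  { name: 'quoted assignment', input: `const apiKey = "${KEY}"`, expected: [KEY] },
  { name: 'whole input is the key', input: KEY, expected: [KEY] },
  { name: 'one character short', input: KEY.slice(0, 19), expected: [] },
  { name: 'one character long', input: KEY + 'X', expected: [] },
  { name: 'embedded in a longer token', input: 'x' + KEY, expected: [] },
  { name: 'lowercased', input: KEY.toLowerCase(), expected: [] },
  { name: 'env file with CRLF ending', input: `AWS_ACCESS_KEY_ID=${KEY}\r\n`, expected: [KEY] },
  { name: 'two keys on one line', input: `${KEY},${TEMP_KEY}`, expected: [KEY, TEMP_KEY] },
  { name: 'empty input', input: '', expected: [] },
];

// Returns the names of failing cases; an empty array means every boundary holds.
function runBoundaryCases(): string[] {
  return cases
    .filter((c) => JSON.stringify(findAwsKeyIds(c.input)) !== JSON.stringify(c.expected))
    .map((c) => c.name);
}

console.log(runBoundaryCases());
```

The negative rows matter as much as the positive ones: a detector that matches the 21-character or lowercased input produces false positives, and one that misses the CRLF row fails only on files checked out on Windows.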
- All tests pass (`bun run test`)
- No broken tests
- No skipped tests (unless intentional)
- Type checking passes (`bun x tsc -p ./`)
- Linting passes (`bun run lint`)
The CI pipeline automatically:
- Runs all tests on Ubuntu, macOS, and Windows
- Generates coverage reports
- Verifies all tests pass
- Fails the build if any tests fail
- Don't commit the failure - Fix the test or the code
- Run locally first - Verify fix works before pushing
- Check all platforms - Ensure fix works on Linux/Windows (case sensitivity, etc.)
- Update test if needed - If behavior changed intentionally, update test
- Case sensitivity - Use exact case for file references (`README.md` not `readme.md`)
- Mock issues - Ensure mocks are properly reset in `beforeEach`
- Pattern matching - Test with realistic secret patterns
```typescript
// ✅ Good
it('should detect AWS access keys', () => {
  // ...
});

// ❌ Bad
it('works', () => {
  // ...
});
```

```typescript
// ✅ Good - separate tests
it('should detect AWS keys', () => { /* ... */ });
it('should detect GitHub tokens', () => { /* ... */ });

// ❌ Bad - multiple concerns
it('should detect AWS keys and GitHub tokens', () => { /* ... */ });
```

```typescript
it('should detect secret with high confidence', () => {
  // Arrange
  const content = 'const apiKey = "AKIAIOSFODNN7EXAMPLE"';

  // Act
  const result = detectSecretsInContent(content, {
    includeApiKeys: true,
    sensitivity: 'high',
  });

  // Assert
  expect(result.success).toBe(true);
  expect(result.secrets.length).toBeGreaterThan(0);
});
```

```typescript
beforeEach(() => {
  vi.clearAllMocks();
  // Reset mocks to default state
});
```

Always use exact case for file references:

```typescript
// ✅ Good - works on all platforms
const content = readSampleFile('README.md');

// ❌ Bad - fails on Linux
const content = readSampleFile('readme.md');
```

Use platform-agnostic path handling:

```typescript
import { join } from 'path';

const filePath = join(SAMPLE_DIR, filename);
```

Coverage reports are generated automatically:
- Location: `coverage/index.html`
- Format: HTML, LCOV, JSON
- CI/CD: Coverage uploaded as artifact
Tests run automatically on:
- Ubuntu (latest)
- macOS (latest)
- Windows (latest)
All platforms must pass for the build to succeed.
Consider setting up pre-commit hooks to run tests before commits:
```bash
# Install husky (if needed)
bun add -d husky
# Add pre-commit hook
echo "bun run test" > .husky/pre-commit
```

If you encounter test failures:
- Run locally - Verify it fails consistently
- Check CI logs - See platform-specific errors
- Reproduce - Document steps to reproduce
- Fix or report - Either fix or create an issue
- Performance Monitoring - Performance monitoring and workspace scanning efficiency