Test Quality Audit Tool - Automated Detection of Test Anti-Patterns and Quality Gaps

Test Quality Audit by auldsyababua/instructor-workflow

5 GitHub Stars

Install command

npx skills add https://github.com/auldsyababua/instructor-workflow --skill 'Test Quality Audit'

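Related Documentation

Original reference: test-quality-red-flags.md (deprecated; use this skill instead)
Agent prompts:
- QA Agent: docs/agents/qa/qa-agent.md (Test Quality Standards section)
Related skills:
- /security-validate - Security validation patterns
- /test-standards - Comprehensive test quality validation (if available)
Related reference docs:
- test-audit-protocol.md - Comprehensive test audit procedure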


Test Quality Audit

When to Use

Use this skill when you need to:

Test review (QA Agent): Validate test quality during code review
Test audit (QA Agent): Systematic audit of test files for anti-patterns
Code review (Any Agent): Check for mesa-optimization or happy-path testing
Pre-merge validation (QA Agent): Ensure tests are meaningful before PR approval

Triggers:

During QA review when test files are modified
When code review shows test changes unrelated to feature
Before approving PR with test modifications
When tests are failing and you suspect quality issues
Systematic test audit for entire codebase or feature area

Red Flags to Watch For:

Tests weakened (fewer assertions, replaced checks, removed edge cases)
Assertions removed or weakened
Error handling bypassed
Tests disabled without explanation

Workflow

Step 1: Identify Test Files to Audit

For code review (PR-specific):

Scan only test files modified in the PR
Focus on changes to existing tests (not new test creation)
Look for test weakening patterns in diff

For systematic audit (codebase-wide):

Scan all test files in specified directories
Common test file patterns: *.test.js, *.spec.ts, *_test.py, test_*.py
Organize findings by severity
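
The two selection modes above can be sketched as follows. This is a minimal illustration, not part of the skill itself: the function names `is_test_file`, `select_for_pr`, and `select_for_codebase` are hypothetical, and the pattern list is simply the one given above.

```python
from fnmatch import fnmatch
from pathlib import Path

# Patterns copied from the list above; extend them for your own conventions.
TEST_FILE_PATTERNS = ("*.test.js", "*.spec.ts", "*_test.py", "test_*.py")


def is_test_file(path: str) -> bool:
    """Return True if the file name matches one of the known test patterns."""
    name = Path(path).name
    return any(fnmatch(name, pattern) for pattern in TEST_FILE_PATTERNS)


def select_for_pr(changed_files: list[str]) -> list[str]:
    """PR-specific mode: keep only the changed files that are tests."""
    return [f for f in changed_files if is_test_file(f)]


def select_for_codebase(root: str) -> list[str]:
    """Codebase-wide mode: walk a directory and collect every test file."""
    return sorted(
        str(p) for p in Path(root).rglob("*") if p.is_file() and is_test_file(str(p))
    )
```

In PR mode the list of changed files would typically come from the review tooling; how it is obtained is outside this sketch.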

Step 2: Scan for Anti-Patterns

Run the following checks on test files:

Check 1: Disabled Tests

Purpose: Detect tests that are skipped or disabled in committed code

Patterns to detect:

// JavaScript/TypeScript:
describe.skip("...", ...)
it.skip("...", ...)
test.skip("...", ...)
it.only("...", ...)  // CRITICAL: Means other tests are ignored
test.only("...", ...)

# Python:
@unittest.skip("...")
@pytest.mark.skip
pytest.skip()
# TODO: fix this test

Scan command:

# JavaScript/TypeScript:
grep -rn -E "\.(skip|only)\(" tests/ spec/ __tests__/

# Python:
grep -rn -E "(@unittest\.skip|@pytest\.mark\.skip|pytest\.skip\(|# TODO.*test)" tests/

Severity:

CRITICAL: .only() in committed code (all other tests ignored)
HIGH: .skip() without issue reference or justification
MEDIUM: .skip() with TODO comment but no timeline

Pass Criteria: No disabled tests, OR all disabled tests have:

Linear issue reference (# LAW-123: Re-enable when feature X ships)
Clear justification for why test is disabled
Timeline for re-enabling
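
The grep command only lists matches; the severity rules above still have to be applied to each hit. A rough sketch of that step is shown below. It assumes that a justification sits on the same line as the skip or on the line directly above it, and that issue references look like `LAW-123` (uppercase key, dash, number). The function name `classify_disabled_tests` is hypothetical, and the heuristic cannot judge whether a timeline is present, so a reviewer still needs to read the flagged lines.

```python
import re

FOCUSED = re.compile(r"\.only\(")
SKIPPED = re.compile(r"\.skip\(|@unittest\.skip|@pytest\.mark\.skip|pytest\.skip\(")
ISSUE_REF = re.compile(r"\b[A-Z]+-\d+\b")  # e.g. LAW-123; assumed ticket format
TODO = re.compile(r"\bTODO\b")


def classify_disabled_tests(source: str) -> list[tuple[int, str]]:
    """Return (line_number, severity) for each focused or skipped test."""
    findings = []
    lines = source.splitlines()
    for index, line in enumerate(lines):
        if FOCUSED.search(line):
            findings.append((index + 1, "CRITICAL"))
            continue
        if not SKIPPED.search(line):
            continue
        # Look for a justification on the same line or the line above.
        previous = lines[index - 1] if index > 0 else ""
        context = previous + "\n" + line
        if ISSUE_REF.search(context):
            continue  # issue reference present; not reported by this heuristic
        findings.append((index + 1, "MEDIUM" if TODO.search(context) else "HIGH"))
    return findings
```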

Check 2: Trivial Assertions

Purpose: Detect assertions that don't validate meaningful behavior

Patterns to detect:

// JavaScript/TypeScript:
expect(true).toBe(true)
expect(result).toBeDefined()
expect(response).toBeTruthy()
expect(error).toBeFalsy()  // Error swallowing!

# Python:
assert True
assert result is not None
assert response  # Vague assertion

Scan command:

# JavaScript/TypeScript:
grep -rn -E "(expect\(true\)|expect\(false\)|\.toBeTruthy\(\)|\.toBeFalsy\(\)|\.toBeDefined\(\))" tests/ spec/

# Python:
grep -rn -E "(assert True|assert False|assert [a-zA-Z_]+ is not None)" tests/

Severity:

HIGH: Assertion on boolean literals (expect(true).toBe(true))
MEDIUM: Vague assertions without specific value checks
MEDIUM: toBeDefined() without validating actual value

Pass Criteria: All assertions validate specific expected values or behaviors

Check 3: Error Swallowing

Purpose: Detect try/catch blocks that suppress errors without assertions

Patterns to detect:

// JavaScript/TypeScript:
try {
  // ... test code ...
} catch (error) {
  // No assertion on error - swallowed!
}

// Broad catch without validation:
try {
  await riskyOperation()
} catch (e) {
  console.log(e)  // Logged but not asserted
}

# Python:
try:
    # ... test code ...
except Exception:
    pass  # Error swallowed!

# Broad except without assertion:
try:
    risky_operation()
except Exception as e:
    print(e)  # Logged but not asserted

Manual Review Required: This pattern requires reading test code context

Check for:

Try/catch blocks in tests
Verify each catch block has assertion on error (or explicitly expects no error)
Verify catch is not overly broad (catch (Exception) is suspicious)

Severity:

CRITICAL: Empty catch block or catch with only logging
HIGH: Broad exception catch without specific error assertion
MEDIUM: Catch block that doesn't validate error message/type

Pass Criteria: All try/catch blocks either:

Assert on expected error type/message
Document why error is ignored (with justification)
Use specific exception types (not broad Exception catch)

Check 4: Commented-Out HTTP Calls

Purpose: Detect HTTP calls replaced with mocks/constants without rationale

Patterns to detect:

// JavaScript/TypeScript:
// const response = await fetch('/api/endpoint')
const response = { status: 200, data: mockData }

// await api.createUser(userData)
// Commented out actual API call

Scan command:

# Look for commented HTTP calls:
grep -rn -E "// .*(fetch\(|axios\.|http\.|api\.)" tests/ spec/

Severity:

HIGH: HTTP call commented out and replaced with mock, no explanation
MEDIUM: Mock replaces real call without validating actual API integration

Pass Criteria: All mocked HTTP calls either:

Have integration tests that validate real API calls
Document why mock is used instead of real call
Use proper mocking libraries (not inline constants)
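
To separate a commented-out call that was replaced by an inline constant from one that was merely commented out, the line following each match can be inspected. The sketch below is one possible heuristic, not the skill's own tooling: it is stricter than the grep pattern in that the whole line must be a `//` comment, it treats a `const`/`let`/`var` assignment of an object or array literal as an inline mock, and `find_commented_http_calls` is a hypothetical name.

```python
import re

# A line that is entirely a // comment and mentions an HTTP-style call.
COMMENTED_CALL = re.compile(r"^\s*//.*\b(fetch\(|axios\.|http\.|api\.)")
# An assignment whose right-hand side starts an object or array literal.
INLINE_LITERAL = re.compile(r"^\s*(const|let|var)\s+\w+\s*=\s*[\{\[]")


def find_commented_http_calls(source: str) -> list[tuple[int, bool]]:
    """Return (line_number, replaced_by_inline_literal) for each commented call."""
    lines = source.splitlines()
    findings = []
    for index, line in enumerate(lines):
        if not COMMENTED_CALL.search(line):
            continue
        # Inspect the next non-blank line for an inline replacement value.
        following = next((l for l in lines[index + 1:] if l.strip()), "")
        findings.append((index + 1, bool(INLINE_LITERAL.search(following))))
    return findings
```

Hits where the second element is `True` correspond most closely to the HIGH case above; the others still need a reviewer to decide why the call was commented out.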

Check 5: Mesa-Optimization Patterns

Purpose: Detect tests weakened to make them pass (instead of fixing code)

Manual Review Required: Compare test changes in PR diff

Patterns to detect:

Assertions removed in test modification
Edge case tests removed
Expected values changed to match buggy output (instead of fixing bug)
Validation logic weakened (e.g., regex made less strict)

Check in PR diff:

- expect(result.users).toHaveLength(5)
+ expect(result.users).toHaveLength(3)  // Why changed? Bug or feature?

- expect(response.status).toBe(200)
+ // Status check removed - why?

- expect(() => validateInput('')).toThrow('Input required')
+ expect(() => validateInput('')).not.toThrow()  // Validation removed?

Severity:

CRITICAL: Assertions removed without explanation
CRITICAL: Expected values changed to match buggy behavior
HIGH: Edge case tests removed
MEDIUM: Validation weakened without clear rationale

Pass Criteria: All test weakening changes are justified with:

Linear issue documenting requirement change
PR comment explaining why assertion/validation changed
Confirmation that code behavior (not test) was updated to match new requirement
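
A quick way to decide whether a diff deserves this manual review is to count assertion lines removed versus added. The sketch below works on unified-diff text and is only a triage aid: it assumes assertions are recognizable by `expect(` or the `assert` keyword, it ignores text after `//` so that commented-out checks are not counted, and it cannot tell whether a changed expected value is legitimate. `summarize_assertion_changes` is a hypothetical name.

```python
import re

ASSERTION = re.compile(r"\bexpect\(|\bassert\b")


def summarize_assertion_changes(diff: str) -> dict[str, int]:
    """Count assertion lines removed and added in a unified diff."""
    removed = 0
    added = 0
    for line in diff.splitlines():
        if line.startswith(("---", "+++")):
            continue  # file header lines, not content
        if not line.startswith(("-", "+")):
            continue  # context line
        # Drop the diff marker and anything after a // comment.
        code = line[1:].split("//", 1)[0]
        if not ASSERTION.search(code):
            continue
        if line.startswith("-"):
            removed += 1
        else:
            added += 1
    return {"removed": removed, "added": added, "net": added - removed}
```

A negative `net` value means the change leaves fewer assertions than before, which matches the first pattern above. A `net` of zero does not rule out weakening, since a replaced assertion may carry a changed expected value.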

Check 6: Security Script Warnings Suppressed

Purpose: Detect security validation bypassed via ignore patterns

Patterns to detect:

// eslint-disable security/detect-non-literal-fs-filename
// eslint-disable-next-line security/detect-unsafe-regex
// prettier-ignore

Scan command:

# Look for security-related linter disables:
grep -rn -E "(eslint-disable.*security|nosec|# noqa.*security)" tests/ src/

Severity:

HIGH: Security linter disabled without justification
MEDIUM: Broad disable (entire file) instead of line-specific

Comment explaining why security rule doesn't apply
Verification that actual security risk doesn't exist
Minimal scope (line-specific, not file-wide)
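
The scope distinction above (line-specific versus broad) can be read off the directive itself. The sketch below mirrors the grep pattern and adds a scope label; it assumes that `eslint-disable` without a `-line` or `-next-line` suffix is broad and that `nosec` and `noqa` markers apply to a single line. Whether a justification comment is present is left to the reviewer, and `find_security_suppressions` is a hypothetical name.

```python
import re

SUPPRESSION = re.compile(
    r"eslint-disable(?P<scope>-next-line|-line)?\b.*security"
    r"|\bnosec\b"
    r"|#\s*noqa.*security"
)


def find_security_suppressions(source: str) -> list[tuple[int, str]]:
    """Return (line_number, scope) where scope is 'broad' or 'line'."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        match = SUPPRESSION.search(line)
        if not match:
            continue
        is_eslint = match.group(0).startswith("eslint-disable")
        # eslint-disable with no suffix stays in effect beyond one line.
        broad = is_eslint and match.group("scope") is None
        findings.append((number, "broad" if broad else "line"))
    return findings
```

Like the grep command, this does not report `// prettier-ignore`, which is a formatting directive rather than a security suppression.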

Step 3: Categorize Findings by Severity

Organize all detected anti-patterns by severity:

CRITICAL (blocks merge):

.only() in committed tests (all other tests ignored)
Empty catch blocks in tests
Assertions removed without explanation

HIGH (requires fix before approval):

Disabled tests without issue reference
Assertions on boolean literals
Broad exception catches without assertions
Security linter disabled without justification

MEDIUM (request fix, but can approve with warning):

Disabled tests with TODO but no timeline
Vague assertions (toBeDefined, toBeTruthy)
HTTP calls mocked without integration test coverage

INFO (feedback for improvement):

Minor style inconsistencies in tests
Opportunities to improve test clarity
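
The severity levels above imply a decision rule for the overall recommendation. One reading of that rule is sketched below; the mapping from the worst severity to a recommendation string is my interpretation of the parenthetical notes above (blocks merge, requires fix, can approve with warning), and `recommend` is a hypothetical helper.

```python
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "INFO")


def recommend(severities: list[str]) -> str:
    """Map the worst severity found to an overall recommendation."""
    found = set(severities)
    unknown = found - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity: {sorted(unknown)}")
    if "CRITICAL" in found:
        return "BLOCKED"
    if "HIGH" in found:
        return "REQUEST FIXES"
    if "MEDIUM" in found:
        return "APPROVED WITH WARNINGS"
    # INFO-only or no findings: nothing stands in the way of approval.
    return "APPROVED"
```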

Step 4: Report Findings

If anti-patterns are found, generate a report:

**Test Quality Audit Results**

⚠️ **ISSUES FOUND** - Test quality concerns detected

### Critical Issues (Must Fix Before Merge)

1. **Disabled Test with .only()** (tests/user.test.ts:45):
   - Pattern: `it.only("creates user", ...)`
   - Issue: All other tests in suite are ignored
   - Fix: Remove `.only()` or explain why only this test should run

2. **Empty Catch Block** (tests/api.test.ts:89):
   - Pattern: `catch (error) { /* empty */ }`
   - Issue: Errors swallowed without assertion
   - Fix: Assert on expected error or remove try/catch

### High Priority Issues (Fix Recommended)

3. **Disabled Test Without Justification** (tests/auth.test.ts:120):
   - Pattern: `it.skip("validates token expiry", ...)`
   - Issue: No Linear issue or explanation for skip
   - Fix: Add issue reference or re-enable test

4. **Trivial Assertion** (tests/validation.test.ts:67):
   - Pattern: `expect(true).toBe(true)`
   - Issue: Assertion doesn't validate actual behavior
   - Fix: Assert on specific validation result

### Medium Priority Issues (Warnings)

5. **Vague Assertion** (tests/response.test.ts:34):
   - Pattern: `expect(response).toBeDefined()`
   - Issue: Doesn't validate response contents
   - Fix: Assert on specific response fields (status, data, etc.)

**Recommendation**: [BLOCKED | REQUEST FIXES | APPROVED WITH WARNINGS]

If the audit passes, confirm quality:

**Test Quality Audit Results**

✅ **PASSED** - No test quality issues found

All checks passed:
- [x] No disabled tests without justification
- [x] All assertions validate specific behaviors
- [x] Error handling includes assertions
- [x] No HTTP calls replaced with inline mocks
- [x] No test weakening detected
- [x] Security linter rules properly applied

**Recommendation**: APPROVED for merge
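
If findings are collected programmatically, the report layout above can be generated from them. The following sketch reproduces the headings and bullet structure of the template; the `Finding` dataclass and `render_report` function are hypothetical, and the recommendation line and pass checklist are left out for brevity.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "CRITICAL", "HIGH", or "MEDIUM"
    title: str
    location: str   # e.g. "tests/api.test.ts:89"
    pattern: str
    issue: str
    fix: str


# Section headings taken from the report template above.
HEADINGS = {
    "CRITICAL": "Critical Issues (Must Fix Before Merge)",
    "HIGH": "High Priority Issues (Fix Recommended)",
    "MEDIUM": "Medium Priority Issues (Warnings)",
}


def render_report(findings: list[Finding]) -> str:
    """Render findings as markdown, numbered continuously across sections."""
    lines = ["**Test Quality Audit Results**", ""]
    if not findings:
        lines.append("✅ **PASSED** - No test quality issues found")
        return "\n".join(lines) + "\n"
    lines.append("⚠️ **ISSUES FOUND** - Test quality concerns detected")
    number = 0
    for severity, heading in HEADINGS.items():
        group = [f for f in findings if f.severity == severity]
        if not group:
            continue
        lines += ["", f"### {heading}"]
        for finding in group:
            number += 1
            lines += [
                "",
                f"{number}. **{finding.title}** ({finding.location}):",
                f"   - Pattern: `{finding.pattern}`",
                f"   - Issue: {finding.issue}",
                f"   - Fix: {finding.fix}",
            ]
    return "\n".join(lines) + "\n"
```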

Reference

Common Anti-Patterns Examples

❌ Wrong: Disabled Test Without Justification

// Bad example:
it.skip("validates email format", () => {
  // Test disabled, no explanation why
})

✅ Correct: Disabled Test With Issue Reference

// Good example:
// LAW-456: Re-enable when email validation RFC compliance added
it.skip("validates email format per RFC 5322", () => {
  // Test disabled with clear reference to tracking issue
})

❌ Wrong: Trivial Assertion

// Bad example:
it("creates user", async () => {
  const result = await createUser(userData)
  expect(result).toBeDefined()  // Vague - what about result?
})

✅ Correct: Specific Assertion

// Good example:
it("creates user", async () => {
  const result = await createUser(userData)
  expect(result.id).toBeDefined()
  expect(result.email).toBe(userData.email)
  expect(result.status).toBe("active")
})

❌ Wrong: Error Swallowing

// Bad example:
it("handles invalid input", async () => {
  try {
    await processInput(null)
  } catch (error) {
    console.log(error)  // Logged but not asserted
  }
})

✅ Correct: Error Assertion

// Good example:
it("handles invalid input", async () => {
  await expect(processInput(null)).rejects.toThrow("Input cannot be null")
})

❌ Wrong: HTTP Call Replaced With Mock

// Bad example:
it("fetches user data", async () => {
  // const response = await fetch('/api/users/123')
  const response = { id: 123, name: "Test User" }  // Inline mock
  expect(response.name).toBe("Test User")
})

✅ Correct: Proper Mocking

// Good example:
it("fetches user data", async () => {
  // Mock at framework level, not inline
  jest.spyOn(api, "getUser").mockResolvedValue({ id: 123, name: "Test User" })

  const response = await fetchUserData(123)
  expect(response.name).toBe("Test User")
  expect(api.getUser).toHaveBeenCalledWith(123)
})

Related Tools

grep: Pattern matching for anti-pattern detection
Test frameworks: Jest, Mocha, Pytest (for understanding test syntax)
AST parsers (advanced): For more sophisticated pattern detection

Quick Reference: Test Audit Commands

Scan for disabled tests:

# JavaScript/TypeScript:
grep -rn -E "\.(skip|only)\(" tests/ spec/ __tests__/

# Python:
grep -rn -E "(@unittest\.skip|@pytest\.mark\.skip|pytest\.skip\()" tests/

Scan for trivial assertions:

# JavaScript/TypeScript:
grep -rn -E "(expect\(true\)|expect\(false\)|\.toBeTruthy\(\)|\.toBeFalsy\(\)|\.toBeDefined\(\))" tests/

# Python:
grep -rn -E "(assert True|assert False)" tests/

Scan for commented HTTP calls:

grep -rn -E "// .*(fetch\(|axios\.|http\.|api\.)" tests/

Scan for security linter suppression:

grep -rn -E "(eslint-disable.*security|nosec|# noqa.*security)" tests/ src/

Version History

v1.0 (2025-11-05): Converted from test-quality-red-flags.md to skill format
- Expanded from quick reference to full audit workflow
- Added scan commands and severity classifications
- Included examples of correct vs. incorrect patterns
- Created decision matrix for audit findings

