feat(docker): Add comprehensive instruction converters for all 18 Dockerfile instructions #418
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Owner
Author
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #418 +/- ##
==========================================
+ Coverage 80.70% 81.10% +0.39%
==========================================
Files 80 81 +1
Lines 7931 8172 +241
==========================================
+ Hits 6401 6628 +227
- Misses 1278 1287 +9
- Partials 252 257 +5 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
SafeDep Report Summary
No dependency changes detected. Nothing to scan. This report is generated by SafeDep Github App |
shivasurya
added a commit
that referenced
this pull request
Dec 9, 2025
Implements comprehensive docker-compose.yml parsing support: **YAML Parser Infrastructure:** - YAMLGraph and YAMLNode structures for generic YAML parsing - Support for scalar, mapping, and sequence node types - ParseYAML() and ParseYAMLString() entry points - Helper methods: Query(), HasChild(), GetChild(), ListValues(), StringValue() **ComposeGraph Wrapper:** - Service, volume, and network indexing for fast lookups - Version detection and metadata tracking - Thin wrapper over YAMLGraph with compose-specific methods **Security Query Methods:** - GetPrivilegedServices() - Detects privileged: true containers - ServicesWithDockerSocket() - Finds Docker socket mounts (/var/run/docker.sock) - ServiceHasSecurityOpt() - Checks security_opt values (e.g., seccomp:unconfined) - ServiceHasCapability() - Validates cap_add/cap_drop settings - ServicesWithHostNetwork() - Identifies network_mode: host usage - ServicesWithoutReadOnly() - Finds writable containers - ServiceExposesPort() - Port mapping validation - ServiceHasEnvVar() - Environment variable checks (array and map formats) **Test Coverage:** - 20 comprehensive test cases covering all query methods - Edge case handling (empty compose, missing sections, both env formats) - 100% coverage on all new code Files added: - sast-engine/graph/parser_yaml.go (YAML infrastructure) - sast-engine/graph/parser_compose.go (ComposeGraph wrapper) - sast-engine/graph/parser_compose_test.go (comprehensive tests) Part of: Dockerfile & Docker Compose Support Stacked on: docker/03-instruction-converters (#418) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
This was referenced Dec 9, 2025
Owner
Author
Merge activity
|
shivasurya
changed the base branch from
docker/02-tree-sitter-integration
to
graphite-base/418
…kerfile instructions Implement specialized converter functions for all Dockerfile instruction types: - FROM: Extract image, tag, digest, and stage alias - RUN/CMD/ENTRYPOINT: Parse shell and exec forms - COPY/ADD: Extract source paths, destination, and flags (--from, --chown) - ENV/ARG: Parse environment variables and build arguments - USER: Parse user:group format - EXPOSE: Extract ports and protocols - WORKDIR: Track working directory and path type - VOLUME/SHELL: Parse JSON arrays and paths - HEALTHCHECK: Extract all health check options and command - LABEL: Parse key-value label pairs - ONBUILD/STOPSIGNAL/MAINTAINER: Extract instruction details Key implementation details: - Raw text parsing for robust handling of tree-sitter variations - Helper functions for parameter/path/JSON array extraction - 100% test coverage with comprehensive test suite - All converters now return void instead of error Part of PR #3: Instruction Converters Stacked on: docker/02-tree-sitter-integration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
shivasurya
force-pushed
the
docker/03-instruction-converters
branch
from
984c166 to
02ddb67
Compare
shivasurya
added a commit
that referenced
this pull request
Dec 10, 2025
Implements comprehensive docker-compose.yml parsing support: **YAML Parser Infrastructure:** - YAMLGraph and YAMLNode structures for generic YAML parsing - Support for scalar, mapping, and sequence node types - ParseYAML() and ParseYAMLString() entry points - Helper methods: Query(), HasChild(), GetChild(), ListValues(), StringValue() **ComposeGraph Wrapper:** - Service, volume, and network indexing for fast lookups - Version detection and metadata tracking - Thin wrapper over YAMLGraph with compose-specific methods **Security Query Methods:** - GetPrivilegedServices() - Detects privileged: true containers - ServicesWithDockerSocket() - Finds Docker socket mounts (/var/run/docker.sock) - ServiceHasSecurityOpt() - Checks security_opt values (e.g., seccomp:unconfined) - ServiceHasCapability() - Validates cap_add/cap_drop settings - ServicesWithHostNetwork() - Identifies network_mode: host usage - ServicesWithoutReadOnly() - Finds writable containers - ServiceExposesPort() - Port mapping validation - ServiceHasEnvVar() - Environment variable checks (array and map formats) **Test Coverage:** - 20 comprehensive test cases covering all query methods - Edge case handling (empty compose, missing sections, both env formats) - 100% coverage on all new code Files added: - sast-engine/graph/parser_yaml.go (YAML infrastructure) - sast-engine/graph/parser_compose.go (ComposeGraph wrapper) - sast-engine/graph/parser_compose_test.go (comprehensive tests) Part of: Dockerfile & Docker Compose Support Stacked on: docker/03-instruction-converters (#418) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
shivasurya
added a commit
that referenced
this pull request
Dec 10, 2025
## Summary Adds docker-compose.yml parsing support with security-focused query methods for detecting misconfigurations. **Stacked on:** docker/03-instruction-converters (#418) ## Changes - YAML parser infrastructure (YAMLGraph, YAMLNode) - ComposeGraph wrapper with service/volume/network indexing - Security query methods: GetPrivilegedServices, ServicesWithDockerSocket, ServiceHasSecurityOpt, ServiceHasCapability, etc. - 20 comprehensive test cases with 100% coverage - Support for both array and map environment variable formats ## Checklist - [x] Tests passing (`gradle testGo`) - [x] Lint passing (`gradle lintGo`)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Implements specialized converter functions for all 18 Dockerfile instruction types with comprehensive test coverage.
Stacked on: docker/02-tree-sitter-integration (#417)
Changes
Checklist
gradle testGo)gradle lintGo)