@shivasurya shivasurya commented Dec 9, 2025

Summary

Adds advanced DSL features for writing complex multi-condition container security rules.

Changes

Logic Combinators:

  • all_of() - AND logic (all conditions must match)
  • any_of() - OR logic (any condition can match)
  • none_of() - NOT logic (no conditions should match)

Sequence Validation:

  • instruction_after() - Ensure instruction ordering
  • instruction_before() - Validate instruction placement

Multi-Stage Build Support:

  • stage() - Query specific build stages
  • final_stage_has() - Check final stage properties

Programmatic Access:

  • custom_check() - Custom validation functions
  • DockerfileAccess - Wrapper for Dockerfile graph queries
  • ComposeAccess - Wrapper for docker-compose graph queries

Example Usage

from rules import dockerfile_rule, all_of, instruction, missing, instruction_after, custom_check

@dockerfile_rule(id="DOCKER-003", severity="HIGH")
def insecure_base_and_no_user():
    return all_of(
        instruction(type="FROM", image_tag="latest"),
        missing(instruction="USER")
    )

@dockerfile_rule(id="DOCKER-004", severity="MEDIUM")
def cmd_before_user():
    return instruction_after(instruction="CMD", after="USER")

@dockerfile_rule(id="DOCKER-005", severity="CRITICAL")
def custom_multi_stage_check():
    def check(dockerfile):
        if not dockerfile.is_multi_stage():
            return False
        final = dockerfile.get_final_stage()
        return final.is_running_as_root()
    return custom_check(check, "Multi-stage runs as root")

Testing

  • 44 new tests with 97-100% coverage
  • All logic combinators tested with nesting
  • Sequence matchers tested with strings and matchers
  • Mock graph objects for programmatic access testing
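As an added illustration (not code from this PR or the project), a minimal evaluator showing how the AND/OR/NOT combinators and an ordering check compose over a parsed Dockerfile. The parser, the rule semantics (a check returns True when its condition holds, a rule fires when its whole expression holds), the `findings` entry point and the sample Dockerfiles are constructed here, and `missing("USER")` is written as `none_of(instruction("USER"))`.

```python
import re
from typing import Callable, List, Optional, Tuple
Instr = Tuple[str, str]                # (instruction type, argument string)
Check = Callable[[List[Instr]], bool]  # True when the condition holds for the Dockerfile

def parse_dockerfile(text: str) -> List[Instr]:
    """Split Dockerfile text into (TYPE, args): joins line continuations, drops comments."""
    instrs = []
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, _, args = line.partition(" ")
            instrs.append((kind.upper(), args.strip()))
    return instrs

def instruction(type: str, image_tag: Optional[str] = None) -> Check:
    """Some instruction of `type` exists; for FROM, optionally with the given image tag."""
    def check(instrs: List[Instr]) -> bool:
        for kind, args in instrs:
            if kind == type:
                name = (args.split() or [""])[0].rsplit("/", 1)[-1]  # drop "AS stage", registry path
                tag = name.split(":", 1)[1] if ":" in name else "latest"  # untagged means :latest
                if image_tag is None or tag == image_tag:
                    return True
        return False
    return check

def instruction_after(instruction: str, after: str) -> Check:
    """Every `instruction` is preceded by an `after` instruction; true if `instruction` is absent."""
    def check(instrs: List[Instr]) -> bool:
        kinds = [kind for kind, _ in instrs]
        if instruction not in kinds:
            return True
        return after in kinds and kinds.index(after) < kinds.index(instruction)
    return check

def all_of(*checks: Check) -> Check:
    return lambda instrs: all(c(instrs) for c in checks)
def any_of(*checks: Check) -> Check:
    return lambda instrs: any(c(instrs) for c in checks)
def none_of(*checks: Check) -> Check:
    return lambda instrs: not any(c(instrs) for c in checks)
RULES = {  # DOCKER-003 / DOCKER-004 from the description (missing() written via none_of)
    "DOCKER-003": all_of(instruction("FROM", image_tag="latest"), none_of(instruction("USER"))),
    "DOCKER-004": all_of(instruction("CMD"), none_of(instruction_after("CMD", after="USER"))),
}

def findings(text: str) -> List[str]:
    instrs = parse_dockerfile(text)
    return [rule_id for rule_id, check in RULES.items() if check(instrs)]
```

Note that an untagged base image is treated as `:latest`, which is how Docker resolves it, so `FROM python` with no `USER` fires DOCKER-003 just as `FROM python:latest` does.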

@shivasurya shivasurya self-assigned this Dec 9, 2025
@shivasurya shivasurya added enhancement New feature or request python labels Dec 9, 2025
@shivasurya shivasurya marked this pull request as ready for review December 9, 2025 03:59

safedep bot commented Dec 9, 2025

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

This report is generated by SafeDep Github App


shivasurya commented Dec 10, 2025

Merge activity

  • Dec 10, 6:17 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Dec 10, 6:26 AM UTC: Graphite rebased this pull request as part of a merge.
  • Dec 10, 6:27 AM UTC: @shivasurya merged this pull request with Graphite.

@shivasurya shivasurya changed the base branch from docker/05-python-dsl-core to graphite-base/421 December 10, 2025 06:24
@shivasurya shivasurya changed the base branch from graphite-base/421 to main December 10, 2025 06:25
Adds advanced DSL features for complex container rules:
- all_of(), any_of(), none_of() logic combinators
- instruction_after(), instruction_before() sequence validation
- stage(), final_stage_has() for multi-stage builds
- custom_check() for programmatic validation
- DockerfileAccess and ComposeAccess wrapper classes

All components have 97-100% test coverage (44 new tests).

Files added:
- python-dsl/rules/container_combinators.py
- python-dsl/rules/container_programmatic.py
- python-dsl/tests/test_container_combinators.py
- python-dsl/tests/test_container_programmatic.py

Files modified:
- python-dsl/rules/__init__.py (added new exports)

Part of: Dockerfile & Docker Compose Support
Depends on: PR #5 (Python DSL Core)
Next PR: #7 Integration & Rule Library
@shivasurya shivasurya force-pushed the docker/06-python-dsl-advanced branch from cc1aef0 to fe3302e December 10, 2025 06:26
@shivasurya shivasurya merged commit d2e4811 into main Dec 10, 2025
1 check passed
@shivasurya shivasurya deleted the docker/06-python-dsl-advanced branch December 10, 2025 06:27