shivasurya · shivasurya · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025 · Dec 9, 2025
diff --git a/python-dsl/compiled_rules.json b/python-dsl/compiled_rules.json
diff --git a/sast-engine/cmd/ci.go b/sast-engine/cmd/ci.go
@@ -20,6 +20,10 @@ var ciCmd = &cobra.Command{
 
 Outputs results in SARIF, JSON, or CSV format for consumption by CI tools.
 
+Automatically scans:
+  - Source code (.py, .java, etc.) for dataflow vulnerabilities
+  - Container files (Dockerfile, docker-compose.yml) for security issues
+
 Examples:
   # Generate SARIF report with single rules file
   pathfinder ci --rules rules/owasp_top10.py --project . --output sarif > results.sarif
@@ -73,9 +77,10 @@ Examples:
 		logger.Progress("Building code graph from %s...", projectPath)
 		codeGraph := graph.Initialize(projectPath)
 		if len(codeGraph.Nodes) == 0 {
-			return fmt.Errorf("no source files found in project")
+			logger.Warning("No source files found in project")
+		} else {
+			logger.Statistic("Code graph built: %d nodes", len(codeGraph.Nodes))
 		}
-		logger.Statistic("Code graph built: %d nodes", len(codeGraph.Nodes))
 
 		// Build module registry
 		logger.Progress("Building module registry...")
@@ -135,6 +140,14 @@ Examples:
 			}
 		}
 
+		// Automatically scan container files (Dockerfile, docker-compose.yml)
+		// This is transparent - happens automatically if container files exist and rules are available
+		projectRoot := findProjectRoot(projectPath)
+		containerFindings := TryContainerScan(projectRoot, projectPath, logger)
+		if containerFindings != nil && len(containerFindings) > 0 {
+			allEnriched = append(allEnriched, containerFindings...)
+		}
+
 		logger.Statistic("Scan complete. Found %d vulnerabilities", len(allEnriched))
 		logger.Progress("Generating %s output...", outputFormat)