feat: Integrate Docker/Compose parsing into unified CodeGraph #424
Follows Python DSL architecture pattern instead of bolt-on scanning:
1. **File Discovery** (graph/utils.go):
- Updated getFiles() to discover Dockerfile and docker-compose.yml files
- Pattern matching: "dockerfile*" and "*docker-compose.{yml,yaml}"
2. **Worker Pool Integration** (graph/initialize.go):
- Added Docker/Compose handling in 5-worker pool
- Routes files to parseDockerfile() and parseDockerCompose()
- No tree-sitter for these files, uses specialized parsers
3. **CodeGraph Node Creation** (graph/parser_docker.go):
- Dockerfile instructions → "dockerfile_instruction" nodes
- Compose services → "compose_service" nodes
- Unique IDs with line/column: "dockerfile:<file>:<type>:<line>:<col>"
- Arguments stored in MethodArgumentsValue for DSL queries
**Test Results**:
- ✅ Dockerfile parsed: 7 instruction nodes created
- ✅ docker-compose.yml parsed: 1 service node created
- ✅ Total: 8 nodes in unified CodeGraph
- ✅ Build successful, no compilation errors
**Architecture Benefits**:
- Single CodeGraph for all source files (Java/Python/Docker/Compose)
- Consistent worker pool pattern across all file types
- Unified query execution (DSL rules query same graph)
- Proper Node IDs prevent duplication
Closes #8 (Docker/Compose proper integration)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
SafeDep Report Summary: No dependency changes detected. Nothing to scan. This report is generated by SafeDep GitHub App.
Codecov Report: ❌ Patch coverage is
Additional details and impacted files (Coverage Diff):

| | docker/07-integration-rule-library | #424 | +/- |
|---|---|---|---|
| Coverage | 81.74% | 79.60% | -2.14% |
| Files | 84 | 85 | +1 |
| Lines | 8649 | 9076 | +427 |
| Hits | 7070 | 7225 | +155 |
| Misses | 1310 | 1571 | +261 |
| Partials | 269 | 280 | +11 |
Added test suite for parser_docker.go with 90%+ coverage:
**Test Coverage**:
- ✅ parseDockerfile() - success and error cases
- ✅ parseDockerCompose() - success and error cases
- ✅ convertDockerInstructionToNode() - all instruction types
- ✅ extractDockerInstructionArgs() - FROM, USER, EXPOSE, ENV
- ✅ convertComposeServiceToNode() - service properties
- ✅ extractComposeServiceProperties() - security properties
- ✅ Helper functions - IsDockerNode, GetDockerInstructionType, etc.
- ✅ Initialize() integration - both file types in worker pool
**Linting Fixes**:
- Rewrote if-else to switch in utils.go (gocritic)
- Added period to comment (godot)
- Removed unused parameters (unparam)
**Test Results**:
- 91.5% coverage for graph package ✅
- All tests passing ✅
- Linter clean ✅
- Build successful ✅
Stacked on: PR #8
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
- Extract Docker/Compose file paths from CodeGraph after parsing
- Load compiled container rules from python-dsl/compiled_rules.json
- Execute ContainerRuleExecutor on DockerfileGraph and ComposeGraph
- Convert RuleMatch results to EnrichedDetection format
- Merge container findings with code analysis findings
Tested with /tmp/docker-test-project:
- Detected 7 security issues (4 Dockerfile + 3 Compose)
- Container scan executes in <1ms after graph building
- Unified output pipeline working
Resolves the missing container rule execution piece identified in previous pipeline analysis.
…r findings
Two critical fixes for container scanning:
1. **Filter container matchers in Python DSL loader** (dsl/loader.go)
- Added cases for container matcher types to ExecuteRule switch
- Returns empty array for: missing_instruction, instruction,
service_has, service_missing, any_of, all_of, none_of
- Prevents 'unknown matcher type' errors since these are handled
by ContainerRuleExecutor
2. **Generate code snippets for container detections** (cmd/scan.go)
- Added generateCodeSnippet() to read file and extract context lines
- Added splitLines() helper for proper line parsing
- Normalize severity to lowercase for text formatter compatibility
- Findings now display with full code context
Tested with /tmp/docker-test-project:
- CRITICAL/HIGH findings show detailed output with code snippets
- MEDIUM/LOW findings show abbreviated single-line output
- 7 total findings correctly formatted and displayed
Example output:
[critical] COMPOSE-SEC-001: Service Running in Privileged Mode
CWE-250
docker-compose.yml:1
> 1 | version: '3.8'
2 | services:
3 | web:
Remove hardcoded compiled_rules.json dependency and implement proper
runtime compilation of container rules from the --rules path, matching
the architecture of code analysis rules.
Changes:
- Add LoadContainerRules() to RuleLoader for runtime compilation
- Generate Python script that dynamically imports and compiles rules
- Implement sandbox mode support with temp file creation for nsjail
- Handle mixed directories containing both code and container rules
- Suppress warnings for skipped container rule files
- Fix lint: nilerr violations, dupBranchBody, prealloc
Implementation:
- loadContainerRulesFromFile() generates Python script at runtime that:
* Uses importlib to dynamically import rule files from --rules path
* Calls container_ir.compile_all_rules() to aggregate decorator-registered rules
* Returns complete JSON IR: {"dockerfile": [...], "compose": [...]}
- Sandbox mode: writes script to temp file, executes with nsjail, cleans up
- Direct mode: executes script with python3 -c for development
Testing:
✅ All 7 findings detected (2 critical, 1 high, 1 medium, 3 low)
✅ Runtime compilation working for both single files and directories
✅ Sandbox mode properly implemented with temp file handling
✅ No hardcoded paths - production ready
✅ Lint passing with 0 issues
Resolves requirement: "its always the rule directory or file passed
to the command it generates IR in runtime"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
… severities
Three critical fixes for container scanning output:
1. Fix line numbers in all_of combinator rules
- evaluateAllOf was hardcoding LineNumber: 1
- Now captures first match to preserve actual instruction line number
- Example: apt-get rule now shows "Dockerfile:2" instead of "Dockerfile:1"
2. Fix rule count in summary
- Was only counting code analysis rules (len(rules))
- Now counts unique rule IDs from all detections
- Correctly shows "7 findings across 7 rules" instead of "across 0 rules"
3. Show code snippets for all severities
- Was only showing detailed output for critical/high
- Now shows code snippets for critical, high, medium, and low
- Only info level gets abbreviated (single line) output
Testing:
✅ Dockerfile:1 for FROM instruction (using :latest)
✅ Dockerfile:2 for RUN instruction (apt without --no-install-recommends)
✅ Correct rule counts (3 rules, 7 rules with compose)
✅ All severities show detailed findings with code context
✅ Lint passing (0 issues)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Closing duplicate PR. Work has been consolidated into PR #426 with proper runtime rule loading implementation.
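As an added example (not code from this PR or the project), a Go sketch of what the commits above describe: a Dockerfile is parsed into dockerfile_instruction nodes with "dockerfile:<file>:<type>:<line>:<col>" IDs and their arguments, and instruction, missing_instruction and all_of style matchers are evaluated over those nodes, with the all_of match reporting the matched instruction's own line rather than line 1. The function names, the one-instruction-per-line parser and the rule IDs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Node mirrors the PR's "dockerfile_instruction" node; ID = "dockerfile:<file>:<type>:<line>:<col>".
type Node struct{ ID, Type string; Args []string; Line int } // Args plays the role of MethodArgumentsValue

// parseDockerfile stands in for graph/parser_docker.go: one instruction per line, no continuations.
func parseDockerfile(file, content string) []Node {
	var nodes []Node
	for i, raw := range strings.Split(content, "\n") {
		f := strings.Fields(raw)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank line or comment
		}
		typ, col := strings.ToUpper(f[0]), strings.Index(raw, f[0])+1
		id := fmt.Sprintf("dockerfile:%s:%s:%d:%d", file, typ, i+1, col)
		nodes = append(nodes, Node{ID: id, Type: typ, Args: f[1:], Line: i + 1})
	}
	return nodes
}

// instruction matcher: line of the first node of type typ whose joined arguments
// satisfy pred; !ok with an always-true pred is the missing_instruction matcher.
func instruction(nodes []Node, typ string, pred func(string) bool) (int, bool) {
	for _, n := range nodes {
		if n.Type == typ && pred(strings.Join(n.Args, " ")) {
			return n.Line, true
		}
	}
	return 0, false
}

// scan applies two constructed rules (placeholder IDs, not the project's) and returns "RULE-ID:line" findings.
func scan(nodes []Node) []string {
	var out []string
	// all_of on one RUN node; the finding keeps that node's line (the evaluateAllOf fix), not line 1.
	if l, ok := instruction(nodes, "RUN", func(a string) bool {
		return strings.Contains(a, "apt-get install") && !strings.Contains(a, "--no-install-recommends")
	}); ok {
		out = append(out, fmt.Sprintf("APT-RECOMMENDS:%d", l))
	}
	if _, ok := instruction(nodes, "USER", func(string) bool { return true }); !ok {
		out = append(out, "MISSING-USER:1") // missing_instruction: no instruction to point at
	}
	return out
}
```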
Summary
Integrates Docker/Compose file parsing into the unified CodeGraph, following the Python DSL architecture pattern instead of bolt-on scanning.
Changes
- graph/utils.go: to discover Dockerfile and docker-compose.yml files
- graph/initialize.go: worker pool to handle Docker/Compose files
- graph/parser_docker.go: to convert Docker/Compose to CodeGraph nodes
Architecture
Test Results
Test Coverage: 91.5% ✅
Quality Checks
Node Structure
- dockerfile_instruction, ID with line/column
- compose_service, ID with service name
- MethodArgumentsValue for DSL queries
Stacked on: PR #422
Includes: PR #425 (merged)
🤖 Generated with Claude Code