fix(callgraph,dsl): Add thread-safety, improve logging, and fix progress messages (#451)

* fix(dsl): Add early filtering for empty container rule directories

Prevent system hang when loading container rules from directories without
@dockerfile_rule or @compose_rule decorators. Exit early with clear error
message instead of attempting Python execution.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(dsl,callgraph): Add early filtering for rules and progress logging

1. Add early filtering for code analysis rules in LoadRules()
   - Skip executing Python files without @rule decorator
   - Prevents hanging when normal app.py files are used as rules
   - Add hasCodeAnalysisRuleDecorators() to check for @rule or codepathfinder imports

2. Add progress logging to BuildCallGraph()
   - Add progress messages for 4 passes through all Python files
   - Extracting return types, variable assignments, class attributes, call sites
   - Prevents appearance of hanging with large repos (20k+ files)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* feat(dsl): Add verbose logging for loaded rules with ID and pathname

- Add Logger interface to dsl package to avoid import cycle with output package
- Update LoadRules() and LoadContainerRules() to accept logger parameter
- Log each loaded rule with ID and file path in debug mode
- Log container rules (Dockerfile and docker-compose) separately
- Update all callers in cmd/scan.go and cmd/ci.go to pass logger
- Update all tests to pass nil logger

Fixes: Shows loaded rules when --debug flag is used
Example output:
  [00:00.030] Loaded docker-compose rule: COMPOSE-SEC-008 from rules/docker-compose/dangerous_capabilities.py
  [00:00.362] Loaded code analysis rule: CUSTOM-001 from /tmp/test-rules/test_eval.py

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(callgraph): Make taint summary progress message consistent

- Remove 'Pass 5:' prefix from taint summary generation message
- Align with other progress messages style (present continuous without pass numbers)

Before: 'Pass 5: Generating taint summaries...'
After:  'Generating taint summaries...'

Matches the style of:
- 'Extracting return types from X modules (parallel)...'
- 'Extracting variable assignments (parallel)...'
- 'Extracting class attributes (parallel)...'
- 'Resolving call sites (parallel)...'

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(callgraph): Add thread-safety to TypeInferenceEngine for parallel processing

Fixes race condition: 'fatal error: concurrent map read and map write' during
variable assignment extraction phase.

Root cause: Multiple goroutines accessing TypeInferenceEngine.Scopes and
TypeInferenceEngine.ReturnTypes maps concurrently without synchronization.

Changes:
- Add sync.RWMutex fields (scopeMutex, typeMutex) to TypeInferenceEngine struct
- Protect GetScope() and AddScope() with scopeMutex
- Add GetReturnType() method with typeMutex protection
- Protect AddReturnTypesToEngine() with typeMutex
- Update all direct map accesses to use thread-safe methods:
  - chaining.go: 6 occurrences
  - attribute.go: 1 occurrence

Thread-safety pattern:
- Use RLock/RUnlock for read operations (GetScope, GetReturnType)
- Use Lock/Unlock for write operations (AddScope, AddReturnTypesToEngine)

This allows parallel extraction passes to safely share the TypeInferenceEngine.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(dsl): Show loaded rules list with --verbose flag instead of --debug

Changes:
- Update Logger interface to include IsVerbose() and Statistic() methods
- Change rule loading logging from IsDebug() + Debug() to IsVerbose() + Statistic()
- This makes rule list visible with --verbose flag (more user-friendly)
- Remove duplicate logging in LoadContainerRules (already logged in loadContainerRulesFromFile)

Output example with --verbose:
  Loading container rules...
    - Loaded docker-compose rule COMPOSE-SEC-008 from rules/docker-compose/dangerous_capabilities.py
    - Loaded docker-compose rule COMPOSE-SEC-001 from rules/docker-compose/privileged_service.py
  Loading rules from /tmp/test-rules...
    - Loaded rule CUSTOM-001 from /tmp/test-rules/test_eval.py
  Loaded 1 rules

Before: Only visible with --debug flag
After: Visible with --verbose flag

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(dsl): Add nolint comment for intentional error ignore in hasAnyContainerRulesInPath

- Suppress nilerr linter warning for filepath.Walk error handling
- We intentionally ignore errors during walk and return false
- This is safe because we're just checking if any container rules exist

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* chore: Bump version to 1.1.5

* fix(tests): Update test filenames to avoid module registry filtering

The module registry now filters out test files (test_*.py) which is correct
for production use. Updated test files to use non-test filenames:

- test_frameworks.py → frameworks.py
- test_os.py → file_ops.py
- test_pathlib.py → dir_utils.py
- test_json.py → json_handler.py
- test_sys.py → cli_args.py
- test_comprehensive.py → comprehensive_stdlib.py
- test_alias.py → alias_module.py
- test_from.py → from_imports.py
- test_multi.py → multi_module.py
- test_baseline.py → baseline.py
- test.py → app.py, process.py, handler.py

This fixes TestFrameworkResolution, TestStdlibRegressionSuite,
TestStdlibEdgeCases, and TestStdlibNoRegression tests.

* feat(scan,ci): Add --skip-tests flag to control test file filtering

Add --skip-tests flag (default: true) to scan and ci commands to give users
control over whether test files should be excluded from analysis.

Changes:
- Add skipTests parameter to BuildModuleRegistry(rootPath, skipTests)
- Update shouldSkipFile() to respect skipTests parameter
- Add --skip-tests flag to scan command (default true)
- Add --skip-tests flag to ci command (default true)
- Update all test/integration callers to pass skipTests parameter
- Add debug logging when test files are being skipped

Usage:
  # Default behavior: skip test files
  pathfinder scan --rules rules/ --project .

  # Include test files in analysis
  pathfinder scan --rules rules/ --project . --skip-tests=false

  # CI mode with test file analysis
  pathfinder ci --rules rules/ --project . --output sarif --skip-tests=false

Rationale:
- Production scanning should skip tests by default (cleaner results)
- Development/testing may need to analyze test files
- User control via flag provides flexibility
- Tests use --skip-tests=false to validate registry behavior

* test(python): Improve test coverage to 98.25% and fix formatting

Add comprehensive tests for cli and decorators modules to exceed 95% coverage requirement.

**Test Coverage:**
- cli/__init__.py: 35% → 99% (added 24 tests)
  - get_binary_path() - all 3 priority levels (bundled, PATH, download)
  - _is_musl() - musl libc detection for Alpine Linux
  - _download_binary() - tar.gz and zip archive handling
  - main() - entry point execution with argument passing

- decorators.py: 75% → 90% (added 6 tests)
  - _enable_auto_execute() - atexit registration
  - _register_rule() - rule registry management
  - Auto-execution in __main__ context
  - JSON output format validation

**Overall Results:**
- 300 total tests passing (was 280)
- 98.25% total coverage (exceeds 95% requirement)
- All black formatting checks passing

**Files Changed:**
- python-dsl/tests/test_cli.py: Added TestIsMusl, TestGetBinaryPath, TestDownloadBinary, TestMain
- python-dsl/tests/test_decorators.py: Added TestAutoExecution class
- python-dsl/codepathfinder/cli/__init__.py: Black formatting
- python-dsl/compile_container_rules.py: Black formatting
- python-dsl/rules/container_*.py: Black formatting (6 files)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(python): Remove unused imports from test files

Fix ruff linting errors by removing unused imports:
- test_cli.py: Removed subprocess, os, tempfile, Path, call
- test_decorators.py: Removed sys, atexit, MagicMock, _auto_execute_enabled

All 35 tests still pass. Linting now passes:
- lintPython: ✓ All checks passed
- lintGo: ✓ 0 issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* chore: Add test coverage files to .gitignore

Add coverage artifacts to gitignore:
- .coverage (Python coverage)
- coverage.out (Go coverage)
- htmlcov/ (HTML coverage reports)
- *.coverage (any coverage files)

These are temporary test artifacts and should not be tracked in version control.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* test(registry): Add comprehensive tests for shouldSkipFile and skipTests parameter

Add tests to improve module registry coverage from 23.52% to 92%+ for new code:

**New Tests:**
- TestShouldSkipFile: Tests file filtering logic with skipTests parameter
  - Validates test_ prefix filtering
  - Validates _test suffix filtering
  - Validates conftest.py, setup.py, __main__.py filtering
  - Tests skipTests=false includes all files

- TestBuildModuleRegistry_SkipTestsParameter: Integration test for skipTests
  - Creates 2 regular files + 4 test files
  - Verifies skipTests=true excludes test files (2 modules)
  - Verifies skipTests=false includes all files (6 modules)

- TestBuildModuleRegistry_SkipTestDirectories: Tests directory filtering
  - Verifies tests/, test/, fixtures/, mocks/ directories are skipped
  - Files within these directories are not indexed

**Coverage Impact:**
- shouldSkipFile(): 0% → 100%
- BuildModuleRegistry(): 85% → 92%
- module.go overall: 23.52% patch → 90.6% package

Addresses Codecov report: 87 lines missing → ~70 lines remaining

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* chore: Remove result.json and update .gitignore for output files

Remove tracked result.json file (37KB test output) and update .gitignore to prevent output files from being tracked:

**Changes:**
- Removed sast-engine/result.json (test output artifact)
- Updated .gitignore to ignore result.json and scan.json under "output files" section
- Consolidated scan.json entry (was duplicated)

These files are generated during testing/scanning and should not be version controlled.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* chore: Update .gitignore to exclude output files

Add result.json and reorganize .gitignore output files section:

**Changes:**
- Add result.json to gitignore (test output artifact)
- Consolidate output files under dedicated section
- Remove duplicate scan.json entry

Output files like result.json and scan.json are generated during testing/scanning and should not be version controlled.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

---------

Co-authored-by: Claude Sonnet 4.5 <[email protected]>

Author: shivasurya

.gitignore

@@ -34,4 +34,13 @@ docs/public/rules/*.json
 node_modules
 __pycache__/
 compiled_rules.json
+
+# test coverage
+*.coverage
+.coverage
+coverage.out
+htmlcov/
+
+# output files
+result.json
 scan.json

package.json

@@ -1,6 +1,6 @@
 {
     "name": "codepathfinder",
-    "version": "1.1.3",
+    "version": "1.1.5",
     "description": "DEPRECATED - Use 'pip install codepathfinder' instead. See https://codepathfinder.dev/install",
     "deprecated": "This package is deprecated. Please use 'pip install codepathfinder' for the complete installation including both CLI and Python DSL.",
     "goBinary": {

python-dsl/codepathfinder/__init__.py

@@ -22,7 +22,7 @@
         ... )
 """
 
-__version__ = "1.1.3"
+__version__ = "1.1.5"
 
 from .matchers import calls, variable
 from .decorators import rule

python-dsl/codepathfinder/cli/__init__.py

@@ -3,6 +3,7 @@
 This module provides the entry point for the `pathfinder` command.
 It locates and executes the bundled Go binary, passing through all arguments.
 """
+
 import os
 import sys
 import subprocess
@@ -49,6 +50,7 @@ def get_binary_path() -> Path:
 
     # 2. Check PATH (development mode or manual install)
     import shutil
+
     path_binary = shutil.which("pathfinder")
     if path_binary:
         return Path(path_binary)
@@ -60,13 +62,13 @@ def get_binary_path() -> Path:
 def _is_musl() -> bool:
     """Detect if running on musl libc (Alpine Linux, etc.)."""
     try:
-        result = subprocess.run(['ldd', '--version'], capture_output=True, text=True)
-        return 'musl' in result.stderr.lower() or 'musl' in result.stdout.lower()
+        result = subprocess.run(["ldd", "--version"], capture_output=True, text=True)
+        return "musl" in result.stderr.lower() or "musl" in result.stdout.lower()
     except Exception:
         try:
-            with open('/etc/os-release') as f:
+            with open("/etc/os-release") as f:
                 content = f.read().lower()
-                return 'alpine' in content
+                return "alpine" in content
         except Exception:
             return False
 
@@ -155,7 +157,9 @@ def _download_binary(bin_dir: Path, binary_name: str) -> Path:
             if archive_ext == ".tar.gz":
                 with tarfile.open(tmp.name, "r:gz") as tar:
                     for member in tar.getmembers():
-                        if member.name == "pathfinder" or member.name.endswith("/pathfinder"):
+                        if member.name == "pathfinder" or member.name.endswith(
+                            "/pathfinder"
+                        ):
                             member.name = binary_name
                             tar.extract(member, bin_dir)
                             break

python-dsl/compile_container_rules.py

@@ -58,6 +58,7 @@ def discover_and_import_rules(rules_dir: Path, rule_type: str):
         except Exception as e:
             print(f"  ✗ Failed to import {rule_file.name}: {e}")
             import traceback
+
             traceback.print_exc()
 
     return imported_count

python-dsl/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "codepathfinder"
-version = "1.1.3"
+version = "1.1.5"
 description = "Python DSL for code-pathfinder security patterns"
 readme = "README.md"
 requires-python = ">=3.8"

python-dsl/rules/container_combinators.py

@@ -10,29 +10,26 @@
 @dataclass
 class CombinatorMatcher:
     """Represents a logic combinator (AND, OR, NOT)."""
+
     combinator_type: str  # "all_of", "any_of", "none_of"
-    conditions: List[Union[Matcher, 'CombinatorMatcher', Dict, Callable]]
+    conditions: List[Union[Matcher, "CombinatorMatcher", Dict, Callable]]
 
     def to_dict(self) -> Dict[str, Any]:
         """Convert to JSON IR."""
         serialized_conditions = []
         for cond in self.conditions:
-            if hasattr(cond, 'to_dict'):
+            if hasattr(cond, "to_dict"):
                 serialized_conditions.append(cond.to_dict())
             elif isinstance(cond, dict):
                 serialized_conditions.append(cond)
             elif callable(cond):
-                serialized_conditions.append({
-                    "type": "custom_function",
-                    "has_callable": True
-                })
+                serialized_conditions.append(
+                    {"type": "custom_function", "has_callable": True}
+                )
             else:
                 serialized_conditions.append(cond)
 
-        return {
-            "type": self.combinator_type,
-            "conditions": serialized_conditions
-        }
+        return {"type": self.combinator_type, "conditions": serialized_conditions}
 
 
 def all_of(*conditions: Union[Matcher, Dict, Callable]) -> CombinatorMatcher:
@@ -47,10 +44,7 @@ def all_of(*conditions: Union[Matcher, Dict, Callable]) -> CombinatorMatcher:
             instruction(type="RUN", contains="sudo")
         )
     """
-    return CombinatorMatcher(
-        combinator_type="all_of",
-        conditions=list(conditions)
-    )
+    return CombinatorMatcher(combinator_type="all_of", conditions=list(conditions))
 
 
 def any_of(*conditions: Union[Matcher, Dict, Callable]) -> CombinatorMatcher:
@@ -65,10 +59,7 @@ def any_of(*conditions: Union[Matcher, Dict, Callable]) -> CombinatorMatcher:
             instruction(type="FROM", base_image="scratch")
         )
     """
-    return CombinatorMatcher(
-        combinator_type="any_of",
-        conditions=list(conditions)
-    )
+    return CombinatorMatcher(combinator_type="any_of", conditions=list(conditions))
 
 
 def none_of(*conditions: Union[Matcher, Dict, Callable]) -> CombinatorMatcher:
@@ -83,26 +74,25 @@ def none_of(*conditions: Union[Matcher, Dict, Callable]) -> CombinatorMatcher:
             instruction(type="USER", user_name_not="root")
         )
     """
-    return CombinatorMatcher(
-        combinator_type="none_of",
-        conditions=list(conditions)
-    )
+    return CombinatorMatcher(combinator_type="none_of", conditions=list(conditions))
 
 
 @dataclass
 class SequenceMatcher:
     """Represents instruction sequence validation."""
+
     sequence_type: str  # "after" or "before"
     instruction: Union[str, Matcher, Dict]
     reference: Union[str, Matcher, Dict]
     not_followed_by: bool = False
 
     def to_dict(self) -> Dict[str, Any]:
         """Convert to JSON IR."""
+
         def serialize_ref(ref):
             if isinstance(ref, str):
                 return {"instruction": ref}
-            elif hasattr(ref, 'to_dict'):
+            elif hasattr(ref, "to_dict"):
                 return ref.to_dict()
             elif isinstance(ref, dict):
                 return ref
@@ -112,14 +102,14 @@ def serialize_ref(ref):
             "type": f"instruction_{self.sequence_type}",
             "instruction": serialize_ref(self.instruction),
             "reference": serialize_ref(self.reference),
-            "not_followed_by": self.not_followed_by
+            "not_followed_by": self.not_followed_by,
         }
 
 
 def instruction_after(
     instruction: Union[str, Matcher],
     after: Union[str, Matcher],
-    not_followed_by: bool = False
+    not_followed_by: bool = False,
 ) -> SequenceMatcher:
     """
     Check that an instruction appears after another.
@@ -138,14 +128,14 @@ def instruction_after(
         sequence_type="after",
         instruction=instruction,
         reference=after,
-        not_followed_by=not_followed_by
+        not_followed_by=not_followed_by,
     )
 
 
 def instruction_before(
     instruction: Union[str, Matcher],
     before: Union[str, Matcher],
-    not_followed_by: bool = False
+    not_followed_by: bool = False,
 ) -> SequenceMatcher:
     """
     Check that an instruction appears before another.
@@ -157,21 +147,19 @@ def instruction_before(
         sequence_type="before",
         instruction=instruction,
         reference=before,
-        not_followed_by=not_followed_by
+        not_followed_by=not_followed_by,
     )
 
 
 @dataclass
 class StageMatcher:
     """Matcher for multi-stage build stage queries."""
+
     stage_type: str
     params: Dict[str, Any] = field(default_factory=dict)
 
     def to_dict(self) -> Dict[str, Any]:
-        return {
-            "type": f"stage_{self.stage_type}",
-            **self.params
-        }
+        return {"type": f"stage_{self.stage_type}", **self.params}
 
 
 def stage(
@@ -213,7 +201,7 @@ def final_stage_has(
     if instruction is not None:
         if isinstance(instruction, str):
             params["instruction"] = instruction
-        elif hasattr(instruction, 'to_dict'):
+        elif hasattr(instruction, "to_dict"):
             params["instruction"] = instruction.to_dict()
     if missing_instruction is not None:
         params["missing_instruction"] = missing_instruction

python-dsl/rules/container_decorators.py

@@ -12,6 +12,7 @@
 @dataclass
 class RuleMetadata:
     """Metadata for a container security rule."""
+
     id: str
     name: str = ""
     severity: str = "MEDIUM"
@@ -24,6 +25,7 @@ class RuleMetadata:
 @dataclass
 class DockerfileRuleDefinition:
     """Complete definition of a Dockerfile rule."""
+
     metadata: RuleMetadata
     matcher: Dict[str, Any]
     rule_function: Callable
@@ -32,6 +34,7 @@ class DockerfileRuleDefinition:
 @dataclass
 class ComposeRuleDefinition:
     """Complete definition of a docker-compose rule."""
+
     metadata: RuleMetadata
     matcher: Dict[str, Any]
     rule_function: Callable
@@ -63,6 +66,7 @@ def _output_rules():
 
         # Compile rules to JSON IR format
         from . import container_ir
+
         compiled = container_ir.compile_all_rules()
 
         # Output to stdout for Go loader to capture
@@ -100,12 +104,13 @@ def dockerfile_rule(
         def container_runs_as_root():
             return missing(instruction="USER")
     """
+
     def decorator(func: Callable) -> Callable:
         # Get matcher from function
         matcher_result = func()
 
         # Convert to dict if it's a Matcher object
-        if hasattr(matcher_result, 'to_dict'):
+        if hasattr(matcher_result, "to_dict"):
             matcher_dict = matcher_result.to_dict()
         elif isinstance(matcher_result, dict):
             matcher_dict = matcher_result
@@ -115,7 +120,7 @@ def decorator(func: Callable) -> Callable:
         # Create rule definition
         metadata = RuleMetadata(
             id=id,
-            name=name or func.__name__.replace('_', ' ').title(),
+            name=name or func.__name__.replace("_", " ").title(),
             severity=severity,
             category=category,
             cwe=cwe,
@@ -154,10 +159,11 @@ def compose_rule(
         def privileged_service():
             return service_has(key="privileged", equals=True)
     """
+
     def decorator(func: Callable) -> Callable:
         matcher_result = func()
 
-        if hasattr(matcher_result, 'to_dict'):
+        if hasattr(matcher_result, "to_dict"):
             matcher_dict = matcher_result.to_dict()
         elif isinstance(matcher_result, dict):
             matcher_dict = matcher_result
@@ -166,7 +172,7 @@ def decorator(func: Callable) -> Callable:
 
         metadata = RuleMetadata(
             id=id,
-            name=name or func.__name__.replace('_', ' ').title(),
+            name=name or func.__name__.replace("_", " ").title(),
             severity=severity,
             category=category,
             cwe=cwe,

python-dsl/rules/container_ir.py

@@ -100,5 +100,5 @@ def write_ir_file(filepath: str, pretty: bool = True):
         pretty: If True, format with indentation.
     """
     json_str = compile_to_json(pretty=pretty)
-    with open(filepath, 'w') as f:
+    with open(filepath, "w") as f:
         f.write(json_str)

python-dsl/rules/container_matchers.py

@@ -9,19 +9,18 @@
 @dataclass
 class Matcher:
     """Base class for all matchers."""
+
     type: str
     params: Dict[str, Any] = field(default_factory=dict)
 
     def to_dict(self) -> Dict[str, Any]:
         """Convert matcher to dictionary for JSON IR."""
-        return {
-            "type": self.type,
-            **self.params
-        }
+        return {"type": self.type, **self.params}
 
 
 # --- Dockerfile Matchers ---
 
+
 def instruction(
     type: str,
     # FROM instruction
@@ -158,6 +157,7 @@ def missing(
 
 # --- docker-compose Matchers ---
 
+
 def service_has(
     key: str,
     equals: Optional[Any] = None,