feat: add Dockerfile analysis for build command detection

Changes:

-Function find_dockerfile_from_job: handles finding Dockerfile inside workflow in 2 cases of workflow jobs: -run and -uses.

-Simple DockerNode class, so far it stores mainly the dockerfile path retrieved from workflow

-Parsing Dockerfile using dockerfile-parse and RUN instruction commands using bashparser.py

-Parsing and storing build commands found in Dockerfiles

Signed-off-by: Achraf Maghous <achraf.maghous@oracle.com>

Author: achrafmag

.github/pull_request_template.md

@@ -1,12 +1,18 @@
-## Checklist
-<!-- Go over following points. check them with an `x` if they do apply, (they turn into clickable checkboxes once the PR is submitted, so no need to do everything at once)
+## Summary
+<!-- Briefly summarize the purpose and scope of this PR. -->
+
+## Description of changes
+<!-- Provide a detailed explanation of the changes made in this PR, why they were needed, and how they address the issue(s). -->
 
--->
+## Related issues
+<!-- List any related issue(s) this PR addresses, e.g., `Closes #123`, `Fixes #456`. -->
+
+## Checklist
+<!-- Go over following points. check them with an `x` if they do apply, (they turn into clickable checkboxes once the PR is submitted, so no need to do everything at once) -->
 
 - [ ] I have reviewed the [contribution guide](../CONTRIBUTING.md).
 - [ ] My PR title and commits follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) convention.
 - [ ] My commits include the "Signed-off-by" line.
 - [ ] I have signed my commits following the instructions provided by [GitHub](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits). Note that we run [GitHub's commit verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) tool to check the commit signatures. A green `verified` label should appear next to **all** of your commits on GitHub.
 - [ ] I have updated the relevant documentation, if applicable.
 - [ ] I have tested my changes and verified they work as expected.
-- [ ] I have referenced the issue(s) this pull request solves.

.github/workflows/_build.yaml

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # This is a trusted builder implemented as a reusable workflow that can be called by other
@@ -129,7 +129,7 @@ jobs:
     # Currently reusable workflows do not support setting strategy property from the caller workflow.
     - name: Upload the package artifact for debugging and release
       if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: artifact-${{ matrix.os }}-python-${{ matrix.python }}
         path: dist

.github/workflows/_build_docker.yaml

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # This is a reuseable workflow to build and test the Docker image. Note that this workflow does not
@@ -53,6 +53,10 @@ jobs:
         echo "Hash of package should be $ARTIFACT_HASH."
         echo "$ARTIFACT_HASH" | base64 --decode | sha256sum --strict --check --status || exit 1
 
+    # Login so the docker build has access to the internal dependencies image
+    - name: Log in to GitHub Container Registry
+      run: docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
+
     # Build the Docker image without pushing it.
     - name: Build the Docker image
       env:

.github/workflows/build_semgrep_wheel.yaml

@@ -0,0 +1,56 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# This is a manually-triggered workflow to build the minimal macaron dependencies image that stores the built-from-source
+# Semgrep wheel file. Note that this workflow DOES push the built image.
+
+name: Build Semgrep Wheel Artifact
+
+on: workflow_dispatch
+
+permissions:
+  contents: read
+
+jobs:
+  build-semgrep-wheel:
+    name: Build Semgrep wheel
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write # to push the docker image
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+    # To update the semgrep version, please apply the following changes:
+    #   change the version tag in the 'name' description
+    #   change the 'ref' field to use the commit hash of that tag
+    - name: Check out Semgrep v1.113.0 repository
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        repository: semgrep/semgrep.git
+        ref: 4729a05d24bf9cee8face447e8a6d418037d61d8 # v1.113.0
+        fetch-depth: 1 # only need most recent commits to this tag
+        submodules: recursive # semgrep uses many of their own ocaml submodules, which are required to build
+
+    - name: Build wheel through docker
+      # we build to the 'semgrep-wheel' target as we don't need the performance testing, and want to extract the wheel
+      run: |
+        docker build --target semgrep-wheel -t semgrep .
+        docker create --name temp semgrep
+        mkdir -p wheels/
+        docker cp temp:/semgrep/cli/dist/. wheels/
+        docker container rm temp
+
+    - name: Log in to GitHub Container Registry
+      run: docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
+
+    # The manylinux image will be a static binary built using musl, suitable for Oracle linux
+    - name: Build and push semgrep wheel image
+      run: |
+        cd wheels
+        WHEEL=$(find . -type f -name 'semgrep-*manylinux*.whl')
+        echo "FROM scratch
+        COPY ${WHEEL} /" >> Dockerfile.semgrep
+        docker build -t ghcr.io/oracle/macaron-deps:latest -f Dockerfile.semgrep .
+        docker push ghcr.io/oracle/macaron-deps:latest

.github/workflows/codeql-analysis.yaml

@@ -52,7 +52,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+      uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
       with:
         languages: ${{ matrix.language }}
         config-file: .github/codeql/codeql-config.yaml
@@ -65,4 +65,4 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+      uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15

.github/workflows/scorecards-analysis.yaml

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2023, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # Run Scorecard for this repository to further check and harden software and process.
@@ -49,13 +49,13 @@ jobs:
 
     # Upload the results as artifacts (optional).
     - name: Upload artifact
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: SARIF file
         path: results.sarif
 
     # Upload the results to GitHub's code scanning dashboard.
     - name: Upload to code-scanning
-      uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+      uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
       with:
         sarif_file: results.sarif

.gitignore

@@ -181,3 +181,4 @@ docs/_build
 bin/
 requirements.txt
 .macaron_env_file
+**/.DS_Store

.pre-commit-config.yaml

@@ -30,6 +30,7 @@ repos:
   - id: isort
     name: Sort import statements
     args: [--settings-path, pyproject.toml]
+    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
 
 # Add Black code formatters.
 - repo: https://github.com/ambv/black
@@ -38,6 +39,7 @@ repos:
   - id: black
     name: Format code
     args: [--config, pyproject.toml]
+    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
 - repo: https://github.com/asottile/blacken-docs
   rev: 1.19.1
   hooks:
@@ -65,6 +67,7 @@ repos:
     files: ^src/macaron/|^tests/
     types: [text, python]
     additional_dependencies: [flake8-bugbear==22.10.27, flake8-builtins==2.0.1, flake8-comprehensions==3.10.1, flake8-docstrings==1.6.0, flake8-mutable==1.2.0, flake8-noqa==1.4.0, flake8-pytest-style==1.6.0, flake8-rst-docstrings==0.3.0, pep8-naming==0.13.2]
+    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
     args: [--config, .flake8]
 
 # Check GitHub Actions workflow files.
@@ -82,6 +85,7 @@ repos:
     entry: pylint
     language: python
     files: ^src/macaron/|^tests/
+    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
     types: [text, python]
     args: [--rcfile, pyproject.toml]
 
@@ -94,6 +98,7 @@ repos:
     language: python
     files: ^src/macaron/|^tests/
     types: [text, python]
+    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
     args: [--show-traceback, --config-file, pyproject.toml]
 
 # Check for potential security issues.
@@ -106,6 +111,7 @@ repos:
     files: ^src/macaron/|^tests/
     types: [text, python]
     additional_dependencies: ['bandit[toml]']
+    exclude: ^tests/malware_analyzer/pypi/resources/sourcecode_samples.*
 
 # Enable a whole bunch of useful helper hooks, too.
 # See https://pre-commit.com/hooks.html for more hooks.
@@ -197,6 +203,18 @@ repos:
     always_run: true
     pass_filenames: false
 
+# Checks that tests/malware_analyzer/pypi/resources/sourcecode_samples files do not have executable permissions
+# This is another measure to make sure the files can't be accidentally executed
+- repo: local
+  hooks:
+  - id: sourcecode-sample-permissions
+    name: Sourcecode sample executable permissions checker
+    entry: scripts/dev_scripts/samples_permissions_checker.sh
+    language: system
+    always_run: true
+    pass_filenames: false
+
+
 # A linter for Golang
 - repo: https://github.com/golangci/golangci-lint
   rev: v1.64.6

.semgrepignore

@@ -0,0 +1 @@
+# Items added to this file will be ignored by Semgrep.

CHANGELOG.md

@@ -1,3 +1,22 @@
+## v0.16.0 (2025-04-24)
+
+### Feat
+
+- detect vulnerable GitHub Actions (#1021)
+- check PyPI registry when deps.dev fails to find a source repository (#982)
+- add callgraph and build cmd detection for Jenkins (#977)
+
+### Fix
+
+- fix incorrect skip result evaluation causing false positives in PyPI malware reporting (#1031)
+- use 'isDefault' version from deps dev api (#1019)
+
+### Refactor
+
+- log the SLSA summary in verbose mode only (#1063)
+- log relative paths for file (#1032)
+- use problog for suspicious combinations (#997)
+
 ## v0.15.0 (2025-03-10)
 
 ### Feat