feat(rules): +5 rules — relative WORKDIR, chmod 777, missing HEALTHCHECK, apt -y, pip --no-cache-dir

Adds PR008–PR012 with 10 new tests (25/25 pass total). README rules table updated.

Author: MukundaKatta

README.md

@@ -62,6 +62,11 @@ hygiene on every change.
 | PR005 | low/med  | `ADD` used where `COPY` would do (and `ADD <url>` for fetches) |
 | PR006 | critical | Hard-coded password / API key / token in `ENV`/`ARG`/`RUN`   |
 | PR007 | medium   | `sudo` inside a `RUN` — the builder is already root          |
+| PR008 | low      | Relative `WORKDIR` — depends on previous WORKDIR             |
+| PR009 | high     | `chmod 777` / `chmod a+rwx` in a `RUN`                       |
+| PR010 | info     | Image declares `EXPOSE`/`CMD`/`ENTRYPOINT` but no `HEALTHCHECK` |
+| PR011 | medium   | `apt-get install` without `-y` will block the build          |
+| PR012 | low      | `pip install` without `--no-cache-dir` bloats the layer      |
 
 Every rule ships with a concrete fix in the `hint:` line.
 

src/prithvi/core.py

@@ -221,6 +221,81 @@ def _rule_privileged_sudo(instrs: List[Instruction]) -> Iterable[Finding]:
             )
 
 
+def _rule_relative_workdir(instrs: List[Instruction]) -> Iterable[Finding]:
+    for ins in instrs:
+        if ins.cmd != "WORKDIR":
+            continue
+        path = ins.args.strip().strip('"').strip("'")
+        if path and not path.startswith("/") and not path.startswith("$"):
+            yield Finding(
+                rule_id="PR008",
+                severity=Severity.LOW,
+                line=ins.line,
+                message=f"WORKDIR {path!r} is relative — depends on the previous WORKDIR",
+                hint="Use an absolute path so layer order can't change behaviour.",
+            )
+
+
+def _rule_chmod_777(instrs: List[Instruction]) -> Iterable[Finding]:
+    pat = re.compile(r"\bchmod\s+(?:-[Rr]\s+)?(?:0?777|a\+rwx)\b")
+    for ins in instrs:
+        if ins.cmd != "RUN":
+            continue
+        if pat.search(ins.args):
+            yield Finding(
+                rule_id="PR009",
+                severity=Severity.HIGH,
+                line=ins.line,
+                message="`chmod 777` (or `a+rwx`) gives world-write permission",
+                hint="Pick a tighter mode (e.g. 750 for dirs, 640 for files) and chown to the runtime user.",
+            )
+
+
+def _rule_missing_healthcheck(instrs: List[Instruction]) -> Iterable[Finding]:
+    if not any(i.cmd in ("EXPOSE", "CMD", "ENTRYPOINT") for i in instrs):
+        return
+    if any(i.cmd == "HEALTHCHECK" for i in instrs):
+        return
+    last = instrs[-1] if instrs else None
+    yield Finding(
+        rule_id="PR010",
+        severity=Severity.INFO,
+        line=last.line if last else 1,
+        message="Image declares EXPOSE/CMD/ENTRYPOINT but no HEALTHCHECK",
+        hint="Add `HEALTHCHECK CMD curl -fsS http://localhost:PORT/health || exit 1` so orchestrators can detect zombies.",
+    )
+
+
+def _rule_apt_get_install_no_y(instrs: List[Instruction]) -> Iterable[Finding]:
+    for ins in instrs:
+        if ins.cmd != "RUN":
+            continue
+        low = ins.args.lower()
+        if "apt-get install" in low and not re.search(r"-y\b|--yes\b|--assume-yes\b", low):
+            yield Finding(
+                rule_id="PR011",
+                severity=Severity.MEDIUM,
+                line=ins.line,
+                message="apt-get install without -y will block the build on the prompt",
+                hint="Add `-y` (or `--yes`) so non-interactive builds don't hang.",
+            )
+
+
+def _rule_pip_no_cache(instrs: List[Instruction]) -> Iterable[Finding]:
+    for ins in instrs:
+        if ins.cmd != "RUN":
+            continue
+        low = ins.args.lower()
+        if re.search(r"\bpip(?:3)?\s+install\b", low) and "--no-cache-dir" not in low:
+            yield Finding(
+                rule_id="PR012",
+                severity=Severity.LOW,
+                line=ins.line,
+                message="pip install without --no-cache-dir bloats the layer",
+                hint="Add `--no-cache-dir` so the wheel cache doesn't ship inside the image.",
+            )
+
+
 RULES: Tuple[RuleFn, ...] = (
     _rule_no_latest_tag,
     _rule_runs_as_root,
@@ -229,6 +304,11 @@ def _rule_privileged_sudo(instrs: List[Instruction]) -> Iterable[Finding]:
     _rule_add_instead_of_copy,
     _rule_hardcoded_secret,
     _rule_privileged_sudo,
+    _rule_relative_workdir,
+    _rule_chmod_777,
+    _rule_missing_healthcheck,
+    _rule_apt_get_install_no_y,
+    _rule_pip_no_cache,
 )
 
 

tests/test_scanner.py

@@ -105,3 +105,69 @@ def test_findings_are_sorted_by_severity_then_line() -> None:
     # Critical/High must come before Medium/Low.
     severities = [f.severity for f in findings]
     assert severities == sorted(severities, key=lambda s: ["critical", "high", "medium", "low", "info"].index(s.value))
+
+
+# New rules: PR008–PR012
+# --------------------------------------------------------------------------
+
+
+def test_flags_relative_workdir() -> None:
+    findings = _scan("FROM alpine:3.19\nWORKDIR app\nUSER app")
+    assert any(f.rule_id == "PR008" for f in findings)
+
+
+def test_absolute_workdir_is_fine() -> None:
+    findings = _scan("FROM alpine:3.19\nWORKDIR /app\nUSER app")
+    assert not any(f.rule_id == "PR008" for f in findings)
+
+
+def test_flags_chmod_777() -> None:
+    findings = _scan('FROM alpine:3.19\nRUN chmod -R 777 /opt\nUSER app')
+    assert any(f.rule_id == "PR009" and f.severity == Severity.HIGH for f in findings)
+
+
+def test_flags_chmod_a_rwx() -> None:
+    findings = _scan('FROM alpine:3.19\nRUN chmod a+rwx /opt\nUSER app')
+    assert any(f.rule_id == "PR009" for f in findings)
+
+
+def test_missing_healthcheck_when_exposed() -> None:
+    src = "FROM alpine:3.19\nEXPOSE 8080\nCMD [\"./serve\"]\nUSER app"
+    findings = _scan(src)
+    assert any(f.rule_id == "PR010" for f in findings)
+
+
+def test_no_healthcheck_warning_when_present() -> None:
+    src = (
+        "FROM alpine:3.19\n"
+        "EXPOSE 8080\n"
+        'HEALTHCHECK CMD wget -qO- http://localhost:8080/health || exit 1\n'
+        "USER app\n"
+        "CMD [\"./serve\"]"
+    )
+    findings = _scan(src)
+    assert not any(f.rule_id == "PR010" for f in findings)
+
+
+def test_flags_apt_install_without_y() -> None:
+    src = "FROM debian:12\nRUN apt-get update && apt-get install curl && rm -rf /var/lib/apt/lists/*\nUSER app"
+    findings = _scan(src)
+    assert any(f.rule_id == "PR011" for f in findings)
+
+
+def test_apt_install_with_y_is_fine() -> None:
+    src = "FROM debian:12\nRUN apt-get install -y curl && rm -rf /var/lib/apt/lists/*\nUSER app"
+    findings = _scan(src)
+    assert not any(f.rule_id == "PR011" for f in findings)
+
+
+def test_flags_pip_install_without_no_cache_dir() -> None:
+    src = "FROM python:3.12\nRUN pip install requests\nUSER app"
+    findings = _scan(src)
+    assert any(f.rule_id == "PR012" for f in findings)
+
+
+def test_pip_install_with_no_cache_dir_is_fine() -> None:
+    src = "FROM python:3.12\nRUN pip install --no-cache-dir requests\nUSER app"
+    findings = _scan(src)
+    assert not any(f.rule_id == "PR012" for f in findings)