Skip to content

Add hardened forge to the local image#35

Merged
shellygr merged 4 commits into
masterfrom
shelly/local-image-forge
Jul 3, 2026
Merged

Add hardened forge to the local image#35
shellygr merged 4 commits into
masterfrom
shelly/local-image-forge

Conversation

@shellygr

@shellygr shellygr commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Why

The local image had no forge. Two paths need it:

  • The autoprove compilation setup shells out to forge remappings to get a project's complete remapping set. Without forge, autosetup falls back to solc-direct with only the checked-in remappings.txt, which can be incomplete (e.g. lib submodules with no explicit remapping) — so real projects fail compilation-analysis with Source "…" not found.
  • console-foundry / tui-foundry run forge test.

What

  • New foundry-builder stage: builds forge from Certora's public foundry fork (pinned by FOUNDRY_SHA) in rust:1-bookworm, then the final stage COPYs the binary to /usr/local/bin/forge and smoke-checks forge --version. Bookworm base ⇒ glibc matches the python:3.12-slim runtime.
  • The entrypoint enables the fork's hardening guards (FOUNDRY_DISABLE_EXTERNAL_CHEATCODES=true, FOUNDRY_FFI=false) for the foundry test modes (console-foundry/tui-foundry), where the project's own forge test executes untrusted code that can use FFI / external cheatcodes. Those guards only affect test/script execution; the autoprove path invokes forge only for forge remappings (a static config query with no cheatcodes/FFI), so it neither needs nor is affected by them.

Notes

  • The Rust build runs under QEMU on Apple Silicon (--platform=linux/amd64), so the first build is slow (~30–60 min); cached after. FOUNDRY_SHA bumps trigger a cold rebuild (no cargo cache mount — kept simple intentionally).

🤖 Generated with Claude Code

shellygr and others added 2 commits July 1, 2026 20:56
The autoprove compilation path shells out to `forge remappings` during
setup, and console-foundry runs `forge test` — but the image shipped no
forge, so projects whose imports rely on forge-resolved remappings failed
to compile (solc-direct can't reproduce the full remapping set).

Build forge from Certora's public foundry fork (pinned by SHA) in a
rust:1-bookworm stage and copy the binary into the final image. The fork's
FFI / external-cheatcode guards are enabled by the entrypoint for foundry
test-execution modes (console-foundry / tui-foundry); the autoprove path is
left ungated so `forge remappings` is not blocked.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The guards (FOUNDRY_DISABLE_EXTERNAL_CHEATCODES / FOUNDRY_FFI) only affect
`forge test`/script execution — `forge remappings` runs no cheatcodes or
FFI, so the prior "autoprove path left ungated so remappings isn't blocked"
reasoning was wrong. They're enabled for foundry test modes because that's
where untrusted project tests execute; they're simply irrelevant to the
autoprove path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@shellygr shellygr requested a review from jtoman July 1, 2026 22:45

@jtoman jtoman left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the caveat I don't really know how docker files work, this plausibly looks like it builds our hardened foundry in the docker file.

Comment thread scripts/Dockerfile
# NOTE: the --platform=linux/amd64 pin means this Rust build runs under QEMU
# emulation on Apple Silicon — the first build is slow (~30-60 min); cached after.
ARG FOUNDRY_REPO=https://github.com/Certora/foundry.git
ARG FOUNDRY_SHA=69cdf8ddc3d19ee85ab3b3c389376e0b07e1179b

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm confused about the semantics of declaring an argument with a value and then declaring it again later. If that's a known docker file idiom okay then

@shellygr shellygr Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

apparently it's global/local scope thing. (FROM forming a scope)

@shellygr shellygr merged commit d64df1e into master Jul 3, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants