Add hardened forge to the local image #35
Merged
The autoprove compilation path shells out to `forge remappings` during setup, and console-foundry runs `forge test` — but the image shipped no forge, so projects whose imports rely on forge-resolved remappings failed to compile (solc-direct can't reproduce the full remapping set).

Build forge from Certora's public foundry fork (pinned by SHA) in a rust:1-bookworm stage and copy the binary into the final image. The fork's FFI / external-cheatcode guards are enabled by the entrypoint for foundry test-execution modes (console-foundry / tui-foundry); the autoprove path is left ungated so `forge remappings` is not blocked.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The guards (FOUNDRY_DISABLE_EXTERNAL_CHEATCODES / FOUNDRY_FFI) only affect `forge test`/script execution — `forge remappings` runs no cheatcodes or FFI, so the prior "autoprove path left ungated so remappings isn't blocked" reasoning was wrong. They're enabled for foundry test modes because that's where untrusted project tests execute; they're simply irrelevant to the autoprove path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jtoman
approved these changes
Jul 2, 2026
jtoman
left a comment
Contributor
With the caveat I don't really know how docker files work, this plausibly looks like it builds our hardened foundry in the docker file.
| # NOTE: the --platform=linux/amd64 pin means this Rust build runs under QEMU | ||
| # emulation on Apple Silicon — the first build is slow (~30-60 min); cached after. | ||
| ARG FOUNDRY_REPO=https://github.com/Certora/foundry.git | ||
| ARG FOUNDRY_SHA=69cdf8ddc3d19ee85ab3b3c389376e0b07e1179b |
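Review bot: The `ARG FOUNDRY_REPO=...` and `ARG FOUNDRY_SHA=...` lines have no comment saying what scope they live in or where they are consumed. If they sit before the builder stage's FROM, they are not visible inside that stage until redeclared there with a bare `ARG FOUNDRY_SHA`, and a value-bearing ARG that is declared again later reads like a mistake without that context. Suggest a one-line comment above these two lines saying they are the defaults and that the stage re-imports them. The same comment could note that both values can be replaced with --build-arg at build time, so the SHA pin holds only for builds that leave the defaults alone.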
Contributor
I'm confused about the semantics of declaring an argument with a value and then declaring it again later. If that's a known docker file idiom okay then
Contributor
Author
Apparently it's a global/local scope thing (FROM forming a scope).
Why
The local image had no forge. Two paths need it:
- `forge remappings` to get a project's complete remapping set. Without forge, autosetup falls back to solc-direct with only the checked-in `remappings.txt`, which can be incomplete (e.g. lib submodules with no explicit remapping) — so real projects fail compilation-analysis with `Source "…" not found`.
- `console-foundry`/`tui-foundry` run `forge test`.

What
- `foundry-builder` stage: builds `forge` from Certora's public foundry fork (pinned by `FOUNDRY_SHA`) in `rust:1-bookworm`, then the final stage `COPY`s the binary to `/usr/local/bin/forge` and smoke-checks `forge --version`. Bookworm base ⇒ glibc matches the `python:3.12-slim` runtime.
- `FOUNDRY_DISABLE_EXTERNAL_CHEATCODES=true`, `FOUNDRY_FFI=false`) for the foundry test modes (`console-foundry`/`tui-foundry`), where the project's own `forge test` executes untrusted code that can use FFI / external cheatcodes. Those guards only affect test/script execution; the autoprove path invokes forge only for `forge remappings` (a static config query with no cheatcodes/FFI), so it neither needs nor is affected by them.

Notes
- `--platform=linux/amd64`), so the first build is slow (~30–60 min); cached after.
- `FOUNDRY_SHA` bumps trigger a cold rebuild (no cargo cache mount — kept simple intentionally).

🤖 Generated with Claude Code
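The mode gating described in the PR description, as an added sketch that is not the project's entrypoint: it forces the two guard variables for the foundry test modes, overriding anything inherited from the container environment, and refuses to proceed if they are not in effect. The function names and the idea of passing the mode as the first argument are assumptions; the mode names and variable names are the ones on this page.

```shell
#!/bin/sh
# Added illustration. Function names and the mode argument are hypothetical;
# mode names and guard variables are taken from the PR text.

# Return 0 when MODE is one that runs the project's own `forge test`.
is_foundry_test_mode() {
    case "$1" in
        console-foundry|tui-foundry) return 0 ;;
        *) return 1 ;;
    esac
}

# Force the guard values for test modes. Plain assignment (not ${VAR:-default})
# so a value already present in the container environment cannot win.
# Other modes, such as autoprove, are left untouched.
apply_forge_guards() {
    if is_foundry_test_mode "$1"; then
        FOUNDRY_DISABLE_EXTERNAL_CHEATCODES=true
        FOUNDRY_FFI=false
        export FOUNDRY_DISABLE_EXTERNAL_CHEATCODES FOUNDRY_FFI
    fi
}

# Fail closed: a test mode may only start when both guards hold the
# expected values. Non-test modes always pass.
guards_ok() {
    is_foundry_test_mode "$1" || return 0
    [ "${FOUNDRY_DISABLE_EXTERNAL_CHEATCODES:-}" = "true" ] &&
        [ "${FOUNDRY_FFI:-}" = "false" ]
}

# Intended call order in an entrypoint (not executed here):
#   apply_forge_guards "$MODE"
#   guards_ok "$MODE" || { echo "forge guards not set for $MODE" >&2; exit 1; }
```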