Add SAST container profile

- seclab-shell-sast image extends base with semgrep, pyan3, universal-ctags,
  GNU global, cscope, graphviz, ripgrep, fd, tree
- Toolbox YAML with server_prompt documenting Python and C call graph workflows
- Demo taskflow: tree, fd, semgrep, ctags, pyan3, gtags then summarise findings
- Runner generates a demo Python file with a shell=True anti-pattern if workspace
  is empty, so semgrep has something to find out of the box
- build_container_images.sh and run_container_shell_demo.sh updated for sast target
- test_toolbox_yaml_valid_sast added (16/16 passing)

Author: anticomputer

scripts/build_container_images.sh

@@ -30,6 +30,11 @@ build_network() {
     docker build -t seclab-shell-network-analysis:latest "${CONTAINERS_DIR}/network_analysis/"
 }
 
+build_sast() {
+    echo "Building seclab-shell-sast..."
+    docker build -t seclab-shell-sast:latest "${CONTAINERS_DIR}/sast/"
+}
+
 target="${1:-all}"
 
 case "$target" in
@@ -44,14 +49,19 @@ case "$target" in
         build_base
         build_network
         ;;
+    sast)
+        build_base
+        build_sast
+        ;;
     all)
         build_base
         build_malware
         build_network
+        build_sast
         ;;
     *)
         echo "Unknown target: $target" >&2
-        echo "Usage: $0 [base|malware|network|all]" >&2
+        echo "Usage: $0 [base|malware|network|sast|all]" >&2
         exit 1
         ;;
 esac

scripts/run_container_shell_demo.sh

@@ -9,6 +9,7 @@
 #   ./scripts/run_container_shell_demo.sh base    [workspace_dir]
 #   ./scripts/run_container_shell_demo.sh malware [workspace_dir] [target_filename]
 #   ./scripts/run_container_shell_demo.sh network [workspace_dir] [capture_filename]
+#   ./scripts/run_container_shell_demo.sh sast    [workspace_dir] [target]
 #
 # If workspace_dir is omitted a temporary directory is used.
 # Requires AI_API_TOKEN to be set in the environment.
@@ -27,7 +28,7 @@ fi
 
 demo="${1:-}"
 if [ -z "$demo" ]; then
-    echo "Usage: $0 <base|malware|network> [workspace_dir] [target]" >&2
+    echo "Usage: $0 <base|malware|network|sast> [workspace_dir] [target]" >&2
     exit 1
 fi
 
@@ -72,8 +73,54 @@ case "$demo" in
             -t seclab_taskflows.taskflows.container_shell.demo_network_analysis \
             -g capture="$capture"
         ;;
+    sast)
+        target="${3:-.}"
+        if [ ! -d "$workspace" ] && [ ! -f "${workspace}/${target}" ]; then
+            echo "No source found at ${workspace}/${target}" >&2
+            echo "Provide a source directory or file in workspace_dir." >&2
+            exit 1
+        fi
+        if [ "$target" = "." ] && [ -z "$(ls -A "$workspace" 2>/dev/null)" ]; then
+            echo "Generating demo Python source in ${workspace}"
+            cat > "${workspace}/demo.py" <<'PYEOF'
+import os
+import subprocess
+
+
+def read_config(path):
+    with open(path) as f:
+        return f.read()
+
+
+def run_command(cmd):
+    # intentional anti-pattern for demo purposes
+    return subprocess.run(cmd, shell=True, capture_output=True, text=True)
+
+
+def process_input(user_input):
+    result = run_command(f"echo {user_input}")
+    return result.stdout
+
+
+def main():
+    config = read_config("/etc/demo.conf") if os.path.exists("/etc/demo.conf") else ""
+    output = process_input("hello world")
+    print(config, output)
+
+
+if __name__ == "__main__":
+    main()
+PYEOF
+            target="demo.py"
+        fi
+        CONTAINER_WORKSPACE="$workspace" \
+        LOG_DIR="${__root}/logs" \
+        python -m seclab_taskflow_agent \
+            -t seclab_taskflows.taskflows.container_shell.demo_sast \
+            -g target="$target"
+        ;;
     *)
-        echo "Unknown demo: $demo. Choose base, malware, or network." >&2
+        echo "Unknown demo: $demo. Choose base, malware, network, or sast." >&2
         exit 1
         ;;
 esac

src/seclab_taskflows/containers/sast/Dockerfile

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: GitHub, Inc.
+# SPDX-License-Identifier: MIT
+
+FROM seclab-shell-base:latest
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    universal-ctags global cscope ripgrep fd-find graphviz tree \
+    && ln -s /usr/bin/fdfind /usr/local/bin/fd \
+    && rm -rf /var/lib/apt/lists/*
+RUN pip3 install --no-cache-dir --break-system-packages semgrep pyan3

src/seclab_taskflows/taskflows/container_shell/README.md

@@ -4,7 +4,7 @@ Runs arbitrary CLI commands inside an isolated Docker container. One container
 per MCP server process — started on the first `shell_exec` call, stopped on
 exit. An optional host directory is mounted at `/workspace` inside the container.
 
-Three container profiles are provided. Each has its own Dockerfile, toolbox
+Four container profiles are provided. Each has its own Dockerfile, toolbox
 YAML, and demo taskflow.
 
 ## Profiles
@@ -21,6 +21,10 @@ yara, exiftool, checksec, capstone, pwntools, volatility3.
 Packet capture analysis and network recon. Extends base with nmap, tcpdump,
 tshark, netcat, dig, jq, httpie.
 
+**sast** (`seclab-shell-sast:latest`)
+Static analysis and code exploration. Extends base with semgrep, pyan3,
+universal-ctags, GNU global, cscope, graphviz, ripgrep, fd, tree.
+
 ## Building the images
 
 Run from the repository root:
@@ -35,6 +39,7 @@ To build a single profile (the base image is always built first when needed):
 ./scripts/build_container_images.sh base
 ./scripts/build_container_images.sh malware
 ./scripts/build_container_images.sh network
+./scripts/build_container_images.sh sast
 ```
 
 Images only need to be rebuilt when a Dockerfile changes.
@@ -79,6 +84,22 @@ CONTAINER_WORKSPACE=/tmp/captures python -m seclab_taskflow_agent \
     -g capture=sample.pcap
 ```
 
+**SAST demo** — static analysis and call graph extraction for a source repo:
+
+```
+CONTAINER_WORKSPACE=/path/to/src python -m seclab_taskflow_agent \
+    -t seclab_taskflows.taskflows.container_shell.demo_sast
+```
+
+If no source is present the runner script generates a demo Python file with a
+shell-injection anti-pattern so semgrep has something to find:
+
+```
+./scripts/run_container_shell_demo.sh sast
+```
+
+Override the analysis target with `-g target=<path>` (relative to /workspace).
+
 ## Using container_shell in your own taskflows
 
 Reference the appropriate toolbox and set `CONTAINER_WORKSPACE` in `env`:

src/seclab_taskflows/taskflows/container_shell/demo_sast.yaml

@@ -0,0 +1,54 @@
+# SPDX-FileCopyrightText: GitHub, Inc.
+# SPDX-License-Identifier: MIT
+
+# Demo: SAST container shell.
+# Analyses source code in CONTAINER_WORKSPACE using semgrep, ctags, and pyan3.
+# Example:
+#   CONTAINER_WORKSPACE=/path/to/src python -m seclab_taskflow_agent \
+#     -t seclab_taskflows.taskflows.container_shell.demo_sast \
+#     -g target=mymodule.py
+
+seclab-taskflow-agent:
+  filetype: taskflow
+  version: "1.0"
+
+globals:
+  target: "."
+
+taskflow:
+  - task:
+      must_complete: true
+      headless: true
+      agents:
+        - seclab_taskflow_agent.personalities.assistant
+      toolboxes:
+        - seclab_taskflows.toolboxes.container_shell_sast
+      env:
+        CONTAINER_WORKSPACE: "{{ env('CONTAINER_WORKSPACE') }}"
+      user_prompt: |
+        Perform static analysis on the source code at /workspace/{{ globals.target }}.
+
+        1. Directory overview:
+           `tree /workspace/{{ globals.target }} 2>/dev/null | head -40`
+
+        2. Locate source files:
+           `fd -e py -e c -e h /workspace/{{ globals.target }} | head -30`
+
+        3. Security scan with semgrep (report findings only, suppress progress):
+           `semgrep scan --config=auto --quiet /workspace/{{ globals.target }} 2>/dev/null`
+           If semgrep requires network access and it is unavailable, note that and skip.
+
+        4. Symbol index with ctags:
+           `ctags -R --fields=+ne -f /tmp/tags /workspace/{{ globals.target }} && grep -v "^!" /tmp/tags | head -40`
+
+        5. Call graph (Python only — skip if no .py files):
+           `pyan3 $(fd -e py /workspace/{{ globals.target }} | tr '\n' ' ') --dot --no-defines 2>/dev/null | head -60`
+
+        6. Cross-reference entry points with GNU global:
+           `cd /workspace/{{ globals.target }} && gtags --compact -v 2>/dev/null && global -x main 2>/dev/null || echo "gtags: no entry point found"`
+
+        Based on the above, summarize:
+        - Security findings from semgrep (severity, rule, file, line)
+        - Key functions/classes and their call relationships
+        - Identified entry points and reachable sensitive operations
+        - Areas recommended for deeper review

src/seclab_taskflows/toolboxes/container_shell_sast.yaml

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: GitHub, Inc.
+# SPDX-License-Identifier: MIT
+
+seclab-taskflow-agent:
+  filetype: toolbox
+  version: "1.0"
+
+server_params:
+  kind: stdio
+  command: python
+  args: ["-m", "seclab_taskflows.mcp_servers.container_shell"]
+  env:
+    CONTAINER_IMAGE: "seclab-shell-sast:latest"
+    CONTAINER_WORKSPACE: "{{ env('CONTAINER_WORKSPACE', required=False) }}"
+    CONTAINER_TIMEOUT: "{{ env('CONTAINER_TIMEOUT', '60') }}"
+    LOG_DIR: "{{ env('LOG_DIR') }}"
+
+confirm:
+  - shell_exec
+
+server_prompt: |
+  ## Container Shell (SAST)
+  You have access to an isolated Docker container for static analysis and code exploration.
+  Source code is available at /workspace. All tools run inside the container.
+
+  Available tools:
+  - semgrep       — SAST scanner; run with `semgrep scan --config=auto /workspace`
+  - pyan3         — Python static call graph generator (dot output for graphviz)
+  - ctags         — Multi-language tag/symbol index (`ctags -R .`)
+  - global (gtags/global) — Source code cross-reference: `gtags` to index, `global -r <sym>` to find callers
+  - cscope        — C/C++ cross-reference browser (`cscope -R -b` to build, `cscope -R -L -2 <sym>` for callers)
+  - graphviz (dot) — Render dot graphs: `dot -Tpng callgraph.dot -o callgraph.png`
+  - ripgrep (rg)  — Fast regex search: `rg <pattern> /workspace`
+  - fd            — Fast file finder: `fd -e py /workspace`
+  - tree          — Directory structure: `tree /workspace`
+  - grep, sed, awk, find — Standard code exploration
+
+  Typical call graph workflow (Python):
+  1. `fd -e py /workspace | head -30` — find Python files
+  2. `pyan3 $(fd -e py /workspace | tr '\n' ' ') --dot --no-defines > /tmp/cg.dot`
+  3. `dot -Tsvg /tmp/cg.dot -o /tmp/cg.svg && cat /tmp/cg.svg | head -100`
+
+  Typical call graph workflow (C):
+  1. `cd /workspace && ctags -R --fields=+ne .`
+  2. `cd /workspace && cscope -R -b && cscope -R -L -2 <function>`

tests/test_container_shell.py

@@ -194,3 +194,9 @@ def test_toolbox_yaml_valid_network(self):
         result = tools.get_toolbox("seclab_taskflows.toolboxes.container_shell_network_analysis")
         assert result is not None
         assert result["seclab-taskflow-agent"]["filetype"] == "toolbox"
+
+    def test_toolbox_yaml_valid_sast(self):
+        tools = AvailableTools()
+        result = tools.get_toolbox("seclab_taskflows.toolboxes.container_shell_sast")
+        assert result is not None
+        assert result["seclab-taskflow-agent"]["filetype"] == "toolbox"