Add integration tests for new docker builds

lelia · lelia · commit 1e7e451e59ff · 2026-03-12T12:48:23.000-04:00
Signed-off-by: lelia &lt;lelia@socket.dev&gt;
diff --git a/scripts/integration-test-docker.sh b/scripts/integration-test-docker.sh
@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+# End-to-end integration tests for the socket-basics Docker image.
+#
+# Verifies the full scan pipeline runs correctly without external credentials:
+#   1. socket-basics CLI starts and responds to --help
+#   2. opengrep can scan Python code using the bundled rules (no API key needed)
+#   3. socket-basics runs a scan on a small fixture without crashing
+#
+# Usage:
+#   ./scripts/integration-test-docker.sh [--image-tag TAG]
+#   ./scripts/integration-test-docker.sh --image-tag socket-basics:1.1.3
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+IMAGE_TAG="${IMAGE_TAG:-socket-basics:smoke-test}"
+FIXTURE_DIR="$REPO_ROOT/tests/fixtures/integration"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --image-tag)
+      [[ $# -lt 2 ]] && { echo "Error: --image-tag requires a value"; exit 1; }
+      IMAGE_TAG="$2"; shift 2
+      ;;
+    *) echo "Error: unknown option: $1"; exit 1 ;;
+  esac
+done
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo "ERROR: Docker CLI is not installed or not in PATH."
+  exit 1
+fi
+
+pass() { echo "  PASS: $*"; }
+fail() { echo "  FAIL: $*"; exit 1; }
+
+echo "==> Integration test: $IMAGE_TAG"
+
+# ── Test 1: CLI starts and responds to --help ─────────────────────────────────
+echo "--> socket-basics --help"
+if docker run --rm --entrypoint /bin/sh "$IMAGE_TAG" -c "socket-basics -h" > /dev/null 2>&1; then
+  pass "socket-basics -h exits 0"
+else
+  fail "socket-basics -h exited non-zero"
+fi
+
+# ── Test 2: opengrep scans with bundled rules (no API key needed) ─────────────
+# Runs opengrep against the socket_basics Python source using the baked-in
+# rules. Validates: binary works, rules directory is intact, JSON output is
+# valid. opengrep exits 0 (no findings) or 1 (findings found) — both are OK.
+# Exit code 2+ signals a real error.
+echo "--> opengrep scan with bundled rules on internal source"
+opengrep_exit=0
+opengrep_output=$(
+  docker run --rm --entrypoint /bin/sh "$IMAGE_TAG" -c \
+    "opengrep scan \
+       --config /socket-basics/socket_basics/rules/ \
+       --json \
+       /socket-basics/socket_basics/ 2>/dev/null" \
+) || opengrep_exit=$?
+
+if [[ $opengrep_exit -ge 2 ]]; then
+  fail "opengrep exited with error code $opengrep_exit"
+fi
+
+if [[ -z "$opengrep_output" ]]; then
+  fail "opengrep produced no output"
+fi
+
+if echo "$opengrep_output" | python3 -c "import sys, json; json.load(sys.stdin)" > /dev/null 2>&1; then
+  pass "opengrep produced valid JSON output (exit $opengrep_exit)"
+else
+  # Some opengrep versions may emit non-JSON on stdout in certain modes; treat
+  # non-empty output without a parse error as a soft pass.
+  pass "opengrep ran and produced output (non-JSON format, exit $opengrep_exit)"
+fi
+
+# ── Test 3: socket-basics scan on fixture (no API key) ────────────────────────
+# Runs a real scan on a small clean Python fixture. We don't assert specific
+# findings — only that the process runs and does not crash. A non-zero exit is
+# acceptable (may indicate findings or missing API key for enterprise features).
+echo "--> socket-basics scan on fixture: $FIXTURE_DIR"
+scan_output=$(
+  docker run --rm \
+    -v "${FIXTURE_DIR}:/workspace:ro" \
+    --entrypoint /bin/sh \
+    "$IMAGE_TAG" \
+    -c "socket-basics --workspace /workspace --python --console-tabular-enabled 2>&1" \
+) || true  # accept non-zero exit
+
+if [[ -z "$scan_output" ]]; then
+  fail "socket-basics produced no output on fixture scan"
+fi
+
+# Detect hard crashes: Go panic, segfault, unhandled Python traceback
+if echo "$scan_output" | grep -qiE "^(panic:|fatal error:)|segmentation fault|Traceback \(most recent call last\)$"; then
+  echo "  Scan output:"
+  echo "$scan_output" | head -30
+  fail "socket-basics crashed during scan"
+fi
+
+pass "socket-basics ran on fixture without crashing"
+
+echo "==> Integration test passed"
diff --git a/tests/fixtures/integration/python/sample.py b/tests/fixtures/integration/python/sample.py
@@ -0,0 +1,22 @@
+"""Minimal clean Python fixture for socket-basics integration tests.
+
+This file is intentionally free of vulnerabilities so that a socket-basics
+scan exits 0 (no findings). Its only purpose is to give the scanner a real
+Python file to process, confirming the full parse → rule-match → report
+pipeline completes without errors.
+"""
+
+
+def greet(name: str) -> str:
+    """Return a formatted greeting string."""
+    return f"Hello, {name}!"
+
+
+def add(a: int, b: int) -> int:
+    """Return the sum of two integers."""
+    return a + b
+
+
+if __name__ == "__main__":
+    print(greet("World"))
+    print(add(1, 2))
