adding support for execution in docker#6549

Merged: Mzack9999 merged 6 commits into dev from feat-gozero-virtual on Nov 8, 2025

Conversation

@Mzack9999
Member

@Mzack9999 Mzack9999 commented Oct 24, 2025

Proposed changes

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Summary by CodeRabbit

  • New Features
    • Docker sandbox support for code execution — run code in isolated container environments with configurable working directory and image.
  • Tests
    • Added two virtual-environment test cases (shell and Python) to expand code execution coverage; these tests run only on Linux and are disabled on other platforms.

@coderabbitai
Contributor

coderabbitai bot commented Oct 24, 2025

Walkthrough

Docker sandbox support was added to the code execution protocol via a new Sandbox type and Request.Sandbox. Integration tests for virtual environments were added (Linux-only), and several indirect dependencies were bumped (notably OpenTelemetry and golang.org/x/time).

Changes

Cohort / File(s): Summary

  • Code Protocol Sandbox Support (pkg/protocols/code/code.go): Added exported Sandbox type (WorkingDir, Image); added Sandbox *Sandbox to Request; added useSandbox() helper and routing so execution uses EvalWithVirtualEnv when a sandbox is present.
  • Integration Tests (cmd/integration-test/code.go): Added two new test cases, sh-virtual.yaml and py-virtual.yaml, both gated with Linux-only DisableOn conditions.
  • Dependency Updates (go.mod): Bumped github.com/projectdiscovery/gozero version, added github.com/cenkalti/backoff/v5 (indirect), upgraded OpenTelemetry packages to v1.38.0, and updated golang.org/x/time to v0.14.0.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Request
    participant useSandbox
    participant Eval
    participant EvalWithVirtualEnv

    Client->>Request: Submit execution request
    Request->>useSandbox: Is sandbox configured?
    alt sandbox configured
        useSandbox-->>Request: yes
        Request->>EvalWithVirtualEnv: Execute using Docker sandbox (WorkingDir, Image)
        EvalWithVirtualEnv-->>Request: Execution result
    else no sandbox
        useSandbox-->>Request: no
        Request->>Eval: Execute normally
        Eval-->>Request: Execution result
    end
    Request-->>Client: Return result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Pay attention to: pkg/protocols/code/code.go (sandbox integration, branching to EvalWithVirtualEnv, YAML/JSON tags), cmd/integration-test/code.go (test gating and correctness), and go.mod (verify dependency bumps don't introduce ABI/behavioral issues).

Poem

🐇 In Docker's den my sandbox grows,

I tuck code in neat repose.
Linux gates swing open wide,
Tests hop in, then run inside.
A rabbit's joy — snug code to hide. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'adding support for execution in docker' directly describes the main change—introducing Docker sandbox support for code execution.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4a63ec and aecef0a.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Lint


@Mzack9999 Mzack9999 marked this pull request as ready for review November 3, 2025 13:31
@auto-assign auto-assign bot requested a review from dogancanbakir November 3, 2025 13:31
@Mzack9999
Member Author

@coderabbitai create an issue for this PR: it depends on projectdiscovery/gozero#25 and introduces execution of nuclei code templates into a virtualized docker environment

@coderabbitai
Contributor

coderabbitai bot commented Nov 3, 2025

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Create a GitHub issue for PR #6549

gh issue create \
  --repo projectdiscovery/nuclei \
  --title "Docker Sandbox Support for Code Execution" \
  --body "This issue tracks the implementation of Docker sandbox support for executing nuclei code templates in a virtualized Docker environment.

## Dependencies
This feature depends on: https://github.com/projectdiscovery/gozero/pull/25

## Description
This feature introduces the ability to execute nuclei code templates within isolated Docker containers, providing enhanced security and consistency through containerized environments with configurable working directories and images.

## Related Pull Request
- PR: https://github.com/projectdiscovery/nuclei/pull/6549

## Requested by
@Mzack9999

---
_This issue was created from [this comment](https://github.com/projectdiscovery/nuclei/pull/6549#discussion_r1)._" \
  --assignee Mzack9999

Length of output: 54


@Mzack9999: I've created issue #6582 for this PR. The issue includes:

You can view the issue here: #6582

@Mzack9999 Mzack9999 linked an issue Nov 3, 2025 that may be closed by this pull request
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/protocols/code/code.go (1)

49-52: LGTM! Consider adding field validation.

The Sandbox struct is well-defined with appropriate YAML/JSON tags. However, consider adding validation in the future to ensure WorkingDir (if provided) is an absolute path and Image is a valid Docker image reference.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2ae352 and c4a63ec.

⛔ Files ignored due to path filters (3)
  • go.sum is excluded by !**/*.sum
  • integration_tests/protocols/code/py-virtual.yaml is excluded by !**/*.yaml
  • integration_tests/protocols/code/sh-virtual.yaml is excluded by !**/*.yaml
📒 Files selected for processing (3)
  • cmd/integration-test/code.go (1 hunks)
  • go.mod (4 hunks)
  • pkg/protocols/code/code.go (5 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt
Run static analysis with go vet

Files:

  • cmd/integration-test/code.go
  • pkg/protocols/code/code.go
pkg/protocols/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Each protocol implementation must provide a Request interface with methods Compile(), ExecuteWithResults(), Match(), and Extract()

Files:

  • pkg/protocols/code/code.go
🧬 Code graph analysis (2)
cmd/integration-test/code.go (1)
pkg/testutils/integration.go (1)
  • TestCase (247-250)
pkg/protocols/code/code.go (1)
pkg/protocols/protocols.go (1)
  • Request (308-333)
🔇 Additional comments (4)
pkg/protocols/code/code.go (2)

479-481: LGTM! Sandbox detection logic is clear.

The useSandbox() helper correctly checks both that Sandbox is not nil and that Image is non-empty, which is the minimum requirement for Docker execution.


255-265: Sandbox configuration lacks pre-flight validation before passing to gozero.

The useSandbox() method (line 480) validates only that Sandbox is non-nil and Image is non-empty. The WorkingDir field and Image format are never validated before construction of DockerConfiguration at lines 260–263. While error handling exists downstream (line 271), the absence of local validation means invalid paths or malformed Docker image references will only surface as runtime errors from gozero.

Add validation for:

  • Image: Verify it matches valid Docker image reference format
  • WorkingDir: Validate path constraints (absolute path, accessible, etc.)

Alternatively, document that gozero performs these validations and handles invalid configurations gracefully.

cmd/integration-test/code.go (1)

27-28: LGTM! Linux-gated virtual environment tests added.

The new test cases for sandbox-based code execution are appropriately gated to Linux-only environments, which is correct for Docker-based virtualization. The test cases reuse the existing codeSnippet implementation, maintaining consistency with the test suite structure.

go.mod (1)

101-101: No security advisories found for the updated dependencies.

The verification check against GitHub's security advisory database confirms that none of the updated dependencies (gozero, OpenTelemetry suite, golang.org/x/time, and backoff/v5) have known security vulnerabilities in their current versions.
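As an added Go example (not nuclei's or gozero's code), the pre-flight check the review above asks for: a hypothetical Sandbox.Validate that rejects malformed image references and non-absolute working directories before the configuration is handed to gozero. The image-reference regex is a simplified approximation of Docker's reference grammar, and the sample configurations are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
)

// Sandbox mirrors the two fields the PR summary names (YAML/JSON tags omitted).
type Sandbox struct {
	WorkingDir string
	Image      string
}

// imageRef is a simplified approximation of Docker's image reference grammar (assumption):
// optional host[:port]/, lowercase repository components, optional :tag, optional @sha256 digest.
var imageRef = regexp.MustCompile(
	`^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?)*(?::[0-9]+)?/)?` +
		`[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*(?:/[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*)*` +
		`(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?(?:@sha256:[a-f0-9]{64})?$`)

// Validate is the hypothetical pre-flight check the review asks for (not nuclei's code).
// Nil is valid (no sandbox). WorkingDir is a Linux container path, so the slash-only path package is used.
func (s *Sandbox) Validate() error {
	if s == nil {
		return nil
	}
	if s.Image == "" {
		return errors.New("sandbox: image is required")
	}
	if !imageRef.MatchString(s.Image) {
		return fmt.Errorf("sandbox: %q is not a valid image reference", s.Image)
	}
	// Reject relative dirs and anything path.Clean would rewrite ("..", "//", trailing "/").
	if s.WorkingDir != "" && (!path.IsAbs(s.WorkingDir) || path.Clean(s.WorkingDir) != s.WorkingDir) {
		return fmt.Errorf("sandbox: working dir %q must be an absolute, clean path", s.WorkingDir)
	}
	return nil
}

func main() {
	// Constructed sample configurations, not taken from the page.
	for _, s := range []*Sandbox{
		{Image: "python:3.12-slim", WorkingDir: "/work"},
		{Image: "python:3.12", WorkingDir: "/work/../etc"},
	} {
		fmt.Printf("%+v -> %v\n", *s, s.Validate())
	}
}
```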

@Mzack9999 Mzack9999 merged commit 0054e8b into dev Nov 8, 2025
19 checks passed
@Mzack9999 Mzack9999 deleted the feat-gozero-virtual branch November 8, 2025 13:40
Successfully merging this pull request may close these issues.

Docker Sandbox Support for Code Execution
