Skip to content

feat: add Docker network support for sandbox connections#612

Open
TheArtificialQ wants to merge 2 commits into
usestrix:mainfrom
TheArtificialQ:feature/docker-network
Open

feat: add Docker network support for sandbox connections#612
TheArtificialQ wants to merge 2 commits into
usestrix:mainfrom
TheArtificialQ:feature/docker-network

Conversation

@TheArtificialQ

Copy link
Copy Markdown

Adding --docker-network parameter.

Docker network to connect the container to. Accepts a network name such as my-network or a built-in mode such as host or bridge. Use this when the target is only reachable through a specific Docker network.

@greptile-apps

greptile-apps Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds a --docker-network CLI parameter that lets the Strix sandbox container join a specific Docker network, enabling scans against targets that are only reachable through a custom network or via host networking. The plumbing from CLI argument parsing through session_manager to docker_client is complete and the docker_client correctly handles host mode (removes port bindings, sets network_mode) and custom networks (post-create connect with container cleanup on failure).

  • session_manager.py is missing the host-network branch: resolve_exposed_port is unconditionally called on line 118, but in host-network mode there are no port bindings to resolve, so the call will fail or return incorrect data. The test test_create_or_reuse_uses_local_caido_url_for_host_network documents the expected fix (skip resolve_exposed_port and use 127.0.0.1:48080 directly) but the corresponding implementation was not added.
  • docker_client.py, backends.py, main.py, and the CLI/TUI wiring are all clean.

Confidence Score: 3/5

The --docker-network host path will fail in production: Caido bootstrap will attempt to resolve a Docker port mapping that does not exist for host-networked containers.

The core docker_client.py network injection is solid, but session_manager.py is missing the host-network special case that its own companion test documents. Running --docker-network host will hit an error or connect Caido to a stale/wrong endpoint, making that specific mode unusable. Everything else is correct.

strix/runtime/session_manager.py needs a host-network branch before resolve_exposed_port is called; tests/test_docker_network.py already documents exactly what that branch should do.

Important Files Changed

Filename Overview
strix/runtime/session_manager.py Passes docker_network through correctly, but the host-network branch for Caido endpoint resolution is missing — resolve_exposed_port is always called even when host networking is active and there are no port bindings.
strix/runtime/docker_client.py Network mode injection looks correct: host sets network_mode and removes port bindings, bridge is a no-op, custom networks are attached post-create with proper cleanup on failure.
strix/interface/main.py Adds --docker-network argument with _normalize_docker_network for input validation, normalizes built-in modes to lowercase, and persists/restores the value across resume.
tests/test_docker_network.py Good coverage of the Docker client and session_manager paths, but test_create_or_reuse_uses_local_caido_url_for_host_network will fail because the corresponding session_manager implementation was not added.
strix/runtime/backends.py Cleanly threads docker_network from session_manager to the Docker client via the strix_docker_network instance attribute.

Comments Outside Diff (1)

  1. strix/runtime/session_manager.py, line 118-119 (link)

    P1 Missing host-network branch for Caido endpoint resolution

    When docker_network="host", docker_client.py correctly removes the ports binding from create_kwargs, so the container has no mapped ports. But session_manager.py unconditionally calls resolve_exposed_port on line 118, which asks Docker for the host-side port mapping that doesn't exist in host-network mode — this will either raise or return garbage, breaking the Caido bootstrap for every scan that uses --docker-network host.

    The companion test test_create_or_reuse_uses_local_caido_url_for_host_network documents the expected fix (skip resolve_exposed_port and use 127.0.0.1:48080 directly), but that branch was never added to the implementation: the test asserts session.resolve_calls == [] and host_url == "http://127.0.0.1:48080", both of which will fail against the current code.

    Prompt To Fix With AI
    This is a comment left during a code review.
    Path: strix/runtime/session_manager.py
    Line: 118-119
    
    Comment:
    **Missing host-network branch for Caido endpoint resolution**
    
    When `docker_network="host"`, `docker_client.py` correctly removes the `ports` binding from `create_kwargs`, so the container has no mapped ports. But `session_manager.py` unconditionally calls `resolve_exposed_port` on line 118, which asks Docker for the host-side port mapping that doesn't exist in host-network mode — this will either raise or return garbage, breaking the Caido bootstrap for every scan that uses `--docker-network host`.
    
    The companion test `test_create_or_reuse_uses_local_caido_url_for_host_network` documents the expected fix (skip `resolve_exposed_port` and use `127.0.0.1:48080` directly), but that branch was never added to the implementation: the test asserts `session.resolve_calls == []` and `host_url == "http://127.0.0.1:48080"`, both of which will fail against the current code.
    
    How can I resolve this? If you propose a fix, please make it concise.
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
strix/runtime/session_manager.py:118-119
**Missing host-network branch for Caido endpoint resolution**

When `docker_network="host"`, `docker_client.py` correctly removes the `ports` binding from `create_kwargs`, so the container has no mapped ports. But `session_manager.py` unconditionally calls `resolve_exposed_port` on line 118, which asks Docker for the host-side port mapping that doesn't exist in host-network mode — this will either raise or return garbage, breaking the Caido bootstrap for every scan that uses `--docker-network host`.

The companion test `test_create_or_reuse_uses_local_caido_url_for_host_network` documents the expected fix (skip `resolve_exposed_port` and use `127.0.0.1:48080` directly), but that branch was never added to the implementation: the test asserts `session.resolve_calls == []` and `host_url == "http://127.0.0.1:48080"`, both of which will fail against the current code.

Reviews (1): Last reviewed commit: "feat: add Docker network support for san..." | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant