Add kernel-level sandbox via nono-py for scan command

[christophetd]

Summary

• Adds kernel-level sandboxing (via nono-py) to the scan command as defense-in-depth against archive extraction vulnerabilities (path traversal, zip bombs) that led to CVE-2022-23530, CVE-2022-23531, CVE-2026-22870, CVE-2026-22871
• --sandbox is on by default; --no-sandbox to disable. Fail-safe: exits if nono can't set up the sandbox on the platform
• Local scans (directory or archive): full sandbox applied to the main process (network blocked, filesystem restricted to scanned path + temp dir) before extraction and analysis
• Remote scans: three-phase approach:
  1. Download + metadata analysis run unsandboxed (need network for package registry and DNS/email checks)
  2. Archive extraction runs in a sandboxed subprocess (python -m guarddog.sandbox) with network blocked and filesystem restricted
  3. Source code analysis (YARA/Semgrep) runs in the main process after a sandbox is applied (network blocked, filesystem restricted to extracted files)
• Handles nested .gem archive extraction in the subprocess
• Scope: scan command only; verify deferred to follow-up

New files

• guarddog/sandbox.py -- is_available(), apply_sandbox(), extract_sandboxed(), and subprocess entry point
• tests/core/test_sandbox.py -- 9 unit tests

How sandboxing works

Scan type	Extraction	Metadata analysis	Source code analysis	Network
Local dir	N/A	N/A	Main process (sandboxed)	Blocked
Local archive	Main process (sandboxed)	N/A	Main process (sandboxed)	Blocked
Remote package	Sandboxed subprocess	Unsandboxed	Main process (sandboxed)	Blocked after metadata

Demo 1: RCE in the unsandboxed code path

Simulates a vulnerability in the --no-sandbox code path:

diff --git a/guarddog/cli.py b/guarddog/cli.py
index a28b5e5..cb9d5ef 100644
--- a/guarddog/cli.py
+++ b/guarddog/cli.py
@@ -254,6 +254,7 @@ def _scan(
                 )
             else:
                 result |= scanner.scan_remote(identifier, version, rule_param)
+                import subprocess; subprocess.run(["touch", "/tmp/pwned"])
 
     except Exception as e:
         log.error(f"Error occurred while scanning target {identifier}: '{e}'\n")

$ git apply demo1.diff
$ uv run guarddog npm scan requests && cat /tmp/pwned
cat: /tmp/pwned: No such file or directory   # --no-sandbox path not reached

$ uv run guarddog npm scan requests --no-sandbox && cat /tmp/pwned
# no error -- file was created

Demo 2: RCE during source code analysis

Simulates a vulnerability in YARA analysis (e.g. a crafted file exploiting a parser bug):

diff --git a/guarddog/analyzer/analyzer.py b/guarddog/analyzer/analyzer.py
index 78a36a6..289e5e3 100644
--- a/guarddog/analyzer/analyzer.py
+++ b/guarddog/analyzer/analyzer.py
@@ -376,6 +376,7 @@ class Analyzer:
             dict[str]: map from each IOC rule and their corresponding output
         """
         log.debug(f"Running yara rules against directory '{path}'")
+        import subprocess; subprocess.run(["touch", "/tmp/pwned-during-analysis"])
 
         all_rules = self.yara_ruleset
         if rules is not None:

$ git apply demo2.diff
$ uv run guarddog pypi scan requests
$ ls /tmp/pwned-during-analysis
ls: /tmp/pwned-during-analysis: No such file or directory   # blocked by sandbox

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 513309fa58

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".