DataDog
diff --git a/‎appsec/cmake/clang-format.cmake‎
Lines changed: 29 additions & 4 deletions b/‎appsec/cmake/clang-format.cmake‎
Lines changed: 29 additions & 4 deletions
diff --git a/‎appsec/cmake/clang-tidy.cmake‎
Lines changed: 49 additions & 16 deletions b/‎appsec/cmake/clang-tidy.cmake‎
Lines changed: 49 additions & 16 deletions
diff --git a/‎appsec/cmake/clang-tools/Dockerfile‎
Lines changed: 94 additions & 0 deletions b/‎appsec/cmake/clang-tools/Dockerfile‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎appsec/cmake/clang-tools/README.md‎
Lines changed: 145 additions & 0 deletions b/‎appsec/cmake/clang-tools/README.md‎
Lines changed: 145 additions & 0 deletions
diff --git a/‎appsec/cmake/clang-tools/build_local.sh‎
Lines changed: 3 additions & 0 deletions b/‎appsec/cmake/clang-tools/build_local.sh‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎appsec/cmake/clang-tools/clang-format‎
Lines changed: 20 additions & 0 deletions b/‎appsec/cmake/clang-tools/clang-format‎
Lines changed: 20 additions & 0 deletions
@@ -1,7 +1,32 @@
-find_program(CLANG_FORMAT clang-format)
-if(CLANG_FORMAT STREQUAL CLANG_FORMAT-NOTFOUND)
-    message(STATUS "Cannot find clang-format, either set CLANG_FORMAT or make it discoverable")
-    return()
+set(_LLVM17_FORMAT /opt/homebrew/opt/llvm@17/bin/clang-format)
+if(EXISTS ${_LLVM17_FORMAT})
+    set(CLANG_FORMAT ${_LLVM17_FORMAT})
+    message(STATUS "Using Homebrew LLVM 17 clang-format: ${CLANG_FORMAT}")
+else()
+    find_program(_CF_VERSIONED clang-format-17)
+    if(NOT _CF_VERSIONED STREQUAL _CF_VERSIONED-NOTFOUND)
+        set(CLANG_FORMAT ${_CF_VERSIONED})
+    else()
+        find_program(_CF_UNVERSIONED clang-format)
+        if(NOT _CF_UNVERSIONED STREQUAL _CF_UNVERSIONED-NOTFOUND)
+            execute_process(
+                COMMAND ${_CF_UNVERSIONED} --version
+                OUTPUT_VARIABLE _CF_VERSION
+                OUTPUT_STRIP_TRAILING_WHITESPACE
+                ERROR_QUIET)
+            if(_CF_VERSION MATCHES " 17\\.")
+                set(CLANG_FORMAT ${_CF_UNVERSIONED})
+            endif()
+        endif()
+    endif()
+    if(NOT CLANG_FORMAT)
+        set(CLANG_FORMAT ${CMAKE_CURRENT_LIST_DIR}/clang-tools/clang-format)
+        if(NOT EXISTS ${CLANG_FORMAT})
+            message(STATUS "Cannot find clang-format version 17, either set CLANG_FORMAT or make it discoverable")
+            return()
+        endif()
+        message(STATUS "Using Docker-based clang-format wrapper: ${CLANG_FORMAT}")
+    endif()
 endif()
 
 set(FILE_LIST "")
 
@@ -1,7 +1,47 @@
-find_program(CLANG_TIDY run-clang-tidy)
-if(CLANG_TIDY STREQUAL CLANG_TIDY-NOTFOUND)
-    message(STATUS "Cannot find clang-tidy, either set CLANG_TIDY or make it discoverable")
-    return()
+# Prefer a locally installed LLVM 17 run-clang-tidy (e.g. via brew install llvm@17)
+# over the Docker-based wrapper, since native execution avoids SDK incompatibilities.
+set(_LLVM17_BIN /opt/homebrew/opt/llvm@17/bin)
+set(_LLVM17_TIDY ${_LLVM17_BIN}/run-clang-tidy)
+set(CLANG_TIDY_BINARY_OPT "")
+if(EXISTS ${_LLVM17_TIDY})
+    set(CLANG_TIDY ${_LLVM17_TIDY})
+    set(CLANG_TIDY_BINARY_OPT -clang-tidy-binary ${_LLVM17_BIN}/clang-tidy)
+    message(STATUS "Using Homebrew LLVM 17 run-clang-tidy: ${CLANG_TIDY}")
+else()
+    find_program(_RCT_VERSIONED run-clang-tidy-17)
+    if(NOT _RCT_VERSIONED STREQUAL _RCT_VERSIONED-NOTFOUND)
+        set(CLANG_TIDY ${_RCT_VERSIONED})
+        find_program(_CT_VERSIONED clang-tidy-17)
+        if(NOT _CT_VERSIONED STREQUAL _CT_VERSIONED-NOTFOUND)
+            set(CLANG_TIDY_BINARY_OPT -clang-tidy-binary ${_CT_VERSIONED})
+        endif()
+    else()
+        find_program(_RCT_UNVERSIONED run-clang-tidy)
+        if(NOT _RCT_UNVERSIONED STREQUAL _RCT_UNVERSIONED-NOTFOUND)
+            # Verify version via co-located clang-tidy
+            get_filename_component(_RCT_DIR ${_RCT_UNVERSIONED} DIRECTORY)
+            find_program(_CT_COLOCATED clang-tidy HINTS ${_RCT_DIR} NO_DEFAULT_PATH)
+            if(NOT _CT_COLOCATED STREQUAL _CT_COLOCATED-NOTFOUND)
+                execute_process(
+                    COMMAND ${_CT_COLOCATED} --version
+                    OUTPUT_VARIABLE _CT_VERSION
+                    OUTPUT_STRIP_TRAILING_WHITESPACE
+                    ERROR_QUIET)
+                if(_CT_VERSION MATCHES " 17\\.")
+                    set(CLANG_TIDY ${_RCT_UNVERSIONED})
+                    set(CLANG_TIDY_BINARY_OPT -clang-tidy-binary ${_CT_COLOCATED})
+                endif()
+            endif()
+        endif()
+    endif()
+    if(NOT CLANG_TIDY)
+        set(CLANG_TIDY ${CMAKE_CURRENT_LIST_DIR}/clang-tools/run-clang-tidy)
+        if(NOT EXISTS ${CLANG_TIDY})
+            message(STATUS "Cannot find clang-tidy version 17, either set CLANG_TIDY or make it discoverable")
+            return()
+        endif()
+        message(STATUS "Using Docker-based run-clang-tidy wrapper: ${CLANG_TIDY}")
+    endif()
 endif()
 
 set(FILE_LIST "")
@@ -20,27 +60,20 @@ if(DD_APPSEC_BUILD_EXTENSION)
     append_target_sources(extension)
 endif()
 
-execute_process (
-    COMMAND bash -c "${CLANG_TIDY} --help | grep -qs 'use-color'"
-    RESULT_VARIABLE USE_COLOR
-)
-
-set(COLOR_OPT "")
-if (USE_COLOR EQUAL 0)
-    set(COLOR_OPT -use-color)
-endif()
-
 set(TIDY_DEPS "")
 if(DD_APPSEC_BUILD_EXTENSION AND TARGET libxml2_build)
     list(APPEND TIDY_DEPS libxml2_build)
 endif()
+if(TARGET boost_build)
+    list(APPEND TIDY_DEPS boost_build)
+endif()
 
 add_custom_target(tidy
-    COMMAND ${CLANG_TIDY} ${COLOR_OPT} -p ${CMAKE_BINARY_DIR} ${FILE_LIST}
+    COMMAND ${CLANG_TIDY} ${CLANG_TIDY_BINARY_OPT} -use-color -p ${CMAKE_BINARY_DIR} ${FILE_LIST}
     WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
     DEPENDS ${TIDY_DEPS})
 
 add_custom_target(tidy_fix
-    COMMAND ${CLANG_TIDY} ${COLOR_OPT} -fix -p ${CMAKE_BINARY_DIR} ${FILE_LIST}
+    COMMAND ${CLANG_TIDY} ${CLANG_TIDY_BINARY_OPT} -use-color -fix -p ${CMAKE_BINARY_DIR} ${FILE_LIST}
     WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
     DEPENDS ${TIDY_DEPS})
@@ -0,0 +1,94 @@
+# Minimal Docker image with clang-format and clang-tidy built from LLVM source
+# Uses static linking for smallest possible image size
+# Based on Alpine Linux 3.21
+
+FROM alpine:3.21 AS builder
+
+RUN apk add --no-cache \
+    build-base \
+    cmake \
+    ninja \
+    python3 \
+    git \
+    linux-headers \
+    wget \
+    clang \
+    clang-dev
+
+# Download and extract LLVM source
+ARG LLVM_VERSION=17.0.6
+WORKDIR /src
+RUN wget -q https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VERSION}/llvm-project-${LLVM_VERSION}.src.tar.xz && \
+    tar -xf llvm-project-${LLVM_VERSION}.src.tar.xz && \
+    mv llvm-project-${LLVM_VERSION}.src llvm-project && \
+    rm llvm-project-${LLVM_VERSION}.src.tar.xz
+
+# Configure LLVM build with minimal size optimizations
+WORKDIR /src/llvm-project/build
+RUN cmake -G Ninja ../llvm \
+    -DCMAKE_BUILD_TYPE=MinSizeRel \
+    -DCMAKE_INSTALL_PREFIX=/usr/local \
+    -DCMAKE_C_COMPILER=clang \
+    -DCMAKE_CXX_COMPILER=clang++ \
+    -DCMAKE_CXX_STANDARD=17 \
+    -DLLVM_ENABLE_PROJECTS="clang;clang-tools-extra" \
+    -DLLVM_TARGETS_TO_BUILD="" \
+    -DLLVM_INCLUDE_TESTS=OFF \
+    -DLLVM_INCLUDE_EXAMPLES=OFF \
+    -DLLVM_INCLUDE_BENCHMARKS=OFF \
+    -DLLVM_INCLUDE_DOCS=OFF \
+    -DLLVM_ENABLE_BINDINGS=OFF \
+    -DLLVM_ENABLE_OCAMLDOC=OFF \
+    -DLLVM_ENABLE_Z3_SOLVER=OFF \
+    -DLLVM_ENABLE_LIBXML2=OFF \
+    -DLLVM_ENABLE_ZLIB=OFF \
+    -DLLVM_ENABLE_ZSTD=OFF \
+    -DLLVM_ENABLE_TERMINFO=OFF \
+    -DLLVM_BUILD_STATIC=ON \
+    -DLLVM_LINK_LLVM_DYLIB=OFF \
+    -DLLVM_BUILD_LLVM_DYLIB=OFF \
+    -DBUILD_SHARED_LIBS=OFF \
+    -DLLVM_STATIC_LINK_CXX_STDLIB=ON \
+    -DCMAKE_EXE_LINKER_FLAGS="-static" \
+    -DCLANG_ENABLE_STATIC_ANALYZER=OFF \
+    -DCLANG_ENABLE_ARCMT=OFF \
+    -DCLANG_BUILD_EXAMPLES=OFF
+
+# Build only the required tools
+RUN ninja clang-format clang-tidy clang-apply-replacements
+
+# Install binaries
+RUN ninja install-clang-format install-clang-tidy install-clang-apply-replacements install-clang-resource-headers
+
+# Copy run-clang-tidy helper script
+RUN cp /src/llvm-project/clang-tools-extra/clang-tidy/tool/run-clang-tidy.py /usr/local/bin/run-clang-tidy && \
+    chmod +x /usr/local/bin/run-clang-tidy
+
+# Strip binaries to reduce size
+RUN strip /usr/local/bin/clang-format \
+    /usr/local/bin/clang-tidy \
+    /usr/local/bin/clang-apply-replacements
+
+# Final minimal runtime image
+FROM alpine:3.21
+
+# Install only Python runtime for run-clang-tidy script
+RUN apk add --no-cache python3
+
+# Copy static binaries from builder
+COPY --from=builder /usr/local/bin/clang-format /usr/local/bin/
+COPY --from=builder /usr/local/bin/clang-tidy /usr/local/bin/
+COPY --from=builder /usr/local/bin/clang-apply-replacements /usr/local/bin/
+COPY --from=builder /usr/local/bin/run-clang-tidy /usr/local/bin/
+
+# Copy clang resource headers so clang-tidy uses its own headers
+COPY --from=builder /usr/local/lib/clang/ /usr/local/lib/clang/
+
+# Verify installations
+RUN clang-format --version && \
+    clang-tidy --version && \
+    run-clang-tidy --help > /dev/null
+
+WORKDIR /workspace
+
+CMD ["/bin/sh"]
@@ -0,0 +1,145 @@
+# Clang Tools Docker Wrappers
+
+This directory contains transparent wrapper scripts for `clang-format`, `clang-tidy`, and `run-clang-tidy` that execute in Docker while providing seamless filesystem access.
+
+## Overview
+
+The wrapper scripts behave identically to native binaries but run in a minimal Alpine Linux container with LLVM 17.0.6 tools. This ensures consistent tooling across different development environments without requiring local installation.
+
+## Building the Docker Image
+
+```bash
+./build_local.sh
+```
+
+This builds the `datadog/dd-appsec-php-ci:clang-tools` image (~108MB) with statically-linked binaries.
+
+## Usage
+
+### Adding to PATH
+
+Add this directory to your PATH to use the wrappers system-wide:
+
+```bash
+export PATH="/path/to/dd-trace-php/appsec/cmake/clang-tools:$PATH"
+```
+
+### clang-format
+
+```bash
+# Format code from stdin
+echo "int main(){return 0;}" | ./clang-format
+
+# Format a file
+./clang-format myfile.cpp
+
+# Format in-place
+./clang-format -i myfile.cpp
+
+# Check formatting
+./clang-format --dry-run --Werror myfile.cpp
+```
+
+### clang-tidy
+
+```bash
+# Run clang-tidy on a file
+./clang-tidy myfile.cpp -- -Iinclude
+
+# With compilation database
+./clang-tidy -p build myfile.cpp
+```
+
+### run-clang-tidy
+
+```bash
+# Run on all files in compilation database
+./run-clang-tidy -p build
+
+# Apply fixes automatically
+./run-clang-tidy -p build -fix
+
+# Run on specific files matching regex
+./run-clang-tidy -p build '.*\.cpp$'
+```
+
+## How It Works
+
+### Filesystem Sharing
+
+- Mounts the **git repository root** at `/workspace` in the container
+- Preserves the current working directory relative to the git root
+- Automatically translates absolute paths to container paths
+- Runs with your user ID to maintain file ownership
+
+### Path Translation
+
+The wrappers intelligently handle paths:
+- **Relative paths**: Pass through unchanged
+- **Absolute paths within git repo**: Translated to `/workspace/...`
+- **Absolute paths outside git repo**: Converted to relative when possible
+- **Flags and options**: Pass through unchanged
+
+### stdin/stdout Support
+
+- Detects piped input and enables interactive mode (`-i` flag) when needed
+- Preserves stdin for formatting code from pipes
+- stdout and stderr pass through transparently
+
+## Example Workflows
+
+### IDE Integration
+
+Configure your IDE to use these wrappers as the clang-format/clang-tidy executables. They'll work transparently with features like "format on save" or inline diagnostics.
+
+### CI/CD
+
+```bash
+# Check all C++ files are formatted
+find . -name "*.cpp" -o -name "*.h" | xargs ./clang-format --dry-run --Werror
+
+# Run clang-tidy with fixes
+./run-clang-tidy -p build -fix -quiet
+```
+
+### Git Pre-commit Hook
+
+```bash
+#!/bin/bash
+# Format staged C++ files
+git diff --cached --name-only --diff-filter=ACM | \
+    grep -E '\.(cpp|h)$' | \
+    xargs ./clang-format -i
+```
+
+## Technical Details
+
+**Docker Image**: `datadog/dd-appsec-php-ci:clang-tools`
+- Base: Alpine Linux 3.21
+- LLVM Version: 17.0.6
+- Size: ~108MB (statically-linked binaries)
+- Tools: clang-format, clang-tidy, clang-apply-replacements, run-clang-tidy
+
+**User Mapping**: Runs as `-u $(id -u):$(id -g)` to preserve file ownership
+
+**Volume Mount**: `-v $GIT_ROOT:/workspace` for full repository access
+
+## Troubleshooting
+
+### "Docker image not found"
+
+Build the image first:
+```bash
+./build_local.sh
+```
+
+### "Permission denied"
+
+Ensure scripts are executable:
+```bash
+chmod +x clang-format clang-tidy run-clang-tidy
+```
+
+### Paths not resolving correctly
+
+The scripts automatically find the git repository root. If you're outside a git repo, they fall back to `$PWD`.
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker buildx build -t datadog/dd-appsec-php-ci:clang-tools .
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/common.sh"
+
+if [ -t 0 ]; then
+    docker run --rm \
+        -v "$GIT_ROOT:/workspace" \
+        -w "/workspace/$REL_WORK_DIR" \
+        -u "$(id -u):$(id -g)" \
+        "$DOCKER_IMAGE" \
+        clang-format ${ARGS[@]+"${ARGS[@]}"}
+else
+    docker run --rm -i \
+        -v "$GIT_ROOT:/workspace" \
+        -w "/workspace/$REL_WORK_DIR" \
+        -u "$(id -u):$(id -g)" \
+        "$DOCKER_IMAGE" \
+        clang-format ${ARGS[@]+"${ARGS[@]}"}
+fi
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+#!/bin/bash`
	`2`	`+`
	`3`	`+docker buildx build -t datadog/dd-appsec-php-ci:clang-tools .`