A Python package for code analysis and sandbox.
This library can be used to create pipelines that filter code generated by GenAI code models, and for guarding the execution of generated code.
python -m venv .venv
source .venv/bin/activateNote: Depending on your system, you may need to run as sudo .venv/bin/guardx init.
Podman: GuardX uses the docker python package to communicate with containers. Hence, if you are using Podman, you will need to set the env variable DOCKER_HOST to point to the unix socket used by Podman. See docs/container.rst.
podman machine inspect --format '{{.ConnectionInfo.PodmanSocket.Path}}'
export DOCKER_HOST=unix://<your_podman_socket_location>pip install guardx
git+https (using a github personal access token):
pip install git+https://github.com/ibm/guardx.git@{branch/tag}git+ssh:
pip install git+ssh://git@github.com/ibm/guardx.git@${branch/tag}The library container images must be built before importing and using the library.
guardx initpython example.py --file example_gen_code.pygit clone git@github.com:ibm/guardx.git
cd guardx
make initNote: This installs Poetry. Make sure to configure your PATH to access poetry.
To install the dev dependencies (editable mode):
make install/devNote: To add additional dependencies, use poetry add "package". For help, poetry add -h.
make containers/docker
OR
make containers/podmanNote: Fresh build takes 5-10 minutes. Make sure to update the GuardX config file in resources/config.yaml to match built image name and tag.
Test modules are created under the tests directory.
To run all tests, use the following command:
make testNote: To enable logging, set log_cli = true in tests/pytest.ini.
Before checking in any code for the project, please lint the code. This can be done using:
make lintWe are currently using detect-secrets in our precommit hooks. Refer to this repo for configuration instructions
cd docs
make htmlHere is an example of how to use this library in your code.
from guardx import Guardx
from guardx.analysis import AnalysisType
python_code = """<your code here>"""
g = Guardx(config_path="./resources/config.yaml")
# To analyze code
result = g.analyze(python_code, {AnalysisType.DETECT_SECRET, AnalysisType.UNSAFE_CODE})
print(result)
# To execute code in sandbox with a default security policy
result = g.execute(python_code).get_docker_result()
print(result)
# To execute code with global variables passed into the sandbox
globals_dict = {"x": 10, "y": 20}
result = g.execute(python_code, globals=globals_dict).get_docker_result()
print(result)You can pass global variables into the sandbox execution environment using the globals parameter. This is useful for:
- Providing prior execution state
- Passing configuration or context data
- Simulating stateful execution across multiple code snippets
# Example: Using globals for stateful execution
code1 = "counter = 1"
result1 = g.execute(code1)
# Continue with prior state
code2 = "counter += 1; print(counter)"
result2 = g.execute(code2, globals={"counter": 1})
# Example: Passing complex data structures
code = "result = sum(numbers) * multiplier"
globals_dict = {
"numbers": [1, 2, 3, 4, 5],
"multiplier": 2
}
result = g.execute(code, globals=globals_dict)
# Example: Passing configuration
code = "result = data['value'] * config['multiplier']"
globals_dict = {
"data": {"value": 100},
"config": {"multiplier": 2.5, "threshold": 10}
}
result = g.execute(code, globals=globals_dict)Important Notes:
- Global variables must be JSON-serializable (strings, numbers, lists, dicts, booleans, None)
- Do NOT include
__builtins__- it is automatically provided by the executor - Non-serializable objects (functions, classes, modules, file handles) will be automatically filtered out with a warning
- Only the serializable values will be passed to the sandbox