From b838753d10a727f34c8538cf651b18055e591ca6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 23:43:10 +0000
Subject: [PATCH 1/2] Initial plan
From e50cef5fc543560484016e8edd0755420872b404 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 23:46:50 +0000
Subject: [PATCH 2/2] feat: add socket.dev-sfw-free feature
Co-authored-by: sebst <592313+sebst@users.noreply.github.com>
Agent-Logs-Url: https://github.com/devcontainer-community/devcontainer-features/sessions/ac4d7db1-1ff6-4e24-b669-04ce443d59fe
---
README.md | 1 +
src/socket.dev-sfw-free/NOTES.md | 17 +++
.../devcontainer-feature.json | 17 +++
src/socket.dev-sfw-free/install.sh | 138 ++++++++++++++++++
test/socket.dev-sfw-free/test.sh | 18 +++
5 files changed, 191 insertions(+)
create mode 100644 src/socket.dev-sfw-free/NOTES.md
create mode 100644 src/socket.dev-sfw-free/devcontainer-feature.json
create mode 100755 src/socket.dev-sfw-free/install.sh
create mode 100755 test/socket.dev-sfw-free/test.sh
diff --git a/README.md b/README.md
index 4223334..21258d7 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@
 | [ripgrep](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/ripgrep) | `rg` — fast grep alternative (ripgrep) | gh release | 1.0.0 |
 | [schpet-linear-cli](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/schpet-linear-cli) | `linear` — CLI to access linear.com issue tracker | gh release | 1.0.0 |
 | [smallstep.com](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/smallstep.com) | `step` — zero-trust security toolkit and CA | gh release | 1.0.1 |
+| [socket.dev/sfw-free](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/socket.dev-sfw-free) | `sfw` — network security proxy that blocks malicious dependencies | gh release | 1.0.0 |
 | [sshd](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/sshd) | `sshd` — OpenSSH server running inside the container | apt | 1.0.0 |
 | [starship.rs](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/starship.rs) | `starship` — minimal, fast cross-shell prompt | gh release | 1.0.1 |
 | [steveyegge/beads](https://github.com/devcontainer-community/devcontainer-features/tree/main/src/steveyegge-beads) | `bd` — distributed graph issue tracker for AI agents | gh release | 1.0.0 |
diff --git a/src/socket.dev-sfw-free/NOTES.md b/src/socket.dev-sfw-free/NOTES.md
new file mode 100644
index 0000000..677ea0e
--- /dev/null
+++ b/src/socket.dev-sfw-free/NOTES.md
@@ -0,0 +1,17 @@
+# socket.dev/sfw-free
+
+## Project
+
+- [sfw-free](https://github.com/SocketDev/sfw-free)
+
+## Description
+
+A lightweight tool that protects developer machines in real time, blocking malicious dependencies before they reach your system. No API key or configuration required. Prefix any supported package manager command with `sfw` to filter network traffic automatically.
+
+## Installation Method
+
+Downloaded as a pre-compiled binary from the [GitHub releases page](https://github.com/SocketDev/sfw-free/releases) and placed in `/usr/local/bin`.
+
+## Other Notes
+
+_No additional notes._
diff --git a/src/socket.dev-sfw-free/devcontainer-feature.json b/src/socket.dev-sfw-free/devcontainer-feature.json
new file mode 100644
index 0000000..3f58343
--- /dev/null
+++ b/src/socket.dev-sfw-free/devcontainer-feature.json
@@ -0,0 +1,17 @@
+{
+ "name": "socket.dev/sfw-free",
+ "id": "socket.dev-sfw-free",
+ "version": "1.0.0",
+ "description": "Install \"sfw\" binary",
+ "documentationURL": "https://github.com/devcontainer-community/devcontainer-features/tree/main/src/socket.dev-sfw-free",
+ "options": {
+ "version": {
+ "type": "string",
+ "default": "latest",
+ "proposals": [
+ "latest"
+ ],
+ "description": "Version of \"sfw\" to install."
+ }
+ }
+}
diff --git a/src/socket.dev-sfw-free/install.sh b/src/socket.dev-sfw-free/install.sh
new file mode 100755
index 0000000..98395a5
--- /dev/null
+++ b/src/socket.dev-sfw-free/install.sh
@@ -0,0 +1,138 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+set -o noclobber
+set -o nounset
+set -o allexport
+readonly githubRepository='SocketDev/sfw-free'
+readonly binaryName='sfw'
+readonly versionArgument='--version'
+readonly binaryTargetFolder='/usr/local/bin'
+readonly name="${githubRepository##*/}"
+apt_get_update() {
+ if [ "$(find /var/lib/apt/lists/* | wc -l)" = "0" ]; then
+ echo "Running apt-get update..."
+ apt-get update -y
+ fi
+}
+apt_get_checkinstall() {
+ if ! dpkg -s "$@" >/dev/null 2>&1; then
+ apt_get_update
+ DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends --no-install-suggests --option 'Debug::pkgProblemResolver=true' --option 'Debug::pkgAcquire::Worker=1' "$@"
+ fi
+}
+apt_get_cleanup() {
+ apt-get clean
+ rm -rf /var/lib/apt/lists/*
+}
+check_curl_installed() {
+ declare -a requiredAptPackagesMissing=()
+ if ! [ -r '/etc/ssl/certs/ca-certificates.crt' ]; then
+ requiredAptPackagesMissing+=('ca-certificates')
+ fi
+ if ! command -v curl >/dev/null 2>&1; then
+ requiredAptPackagesMissing+=('curl')
+ fi
+ declare -i requiredAptPackagesMissingCount=${#requiredAptPackagesMissing[@]}
+ if [ $requiredAptPackagesMissingCount -gt 0 ]; then
+ apt_get_update
+ apt_get_checkinstall "${requiredAptPackagesMissing[@]}"
+ apt_get_cleanup
+ fi
+}
+curl_check_url() {
+ local url=$1
+ local status_code
+ status_code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
+ if [ "$status_code" -ne 200 ] && [ "$status_code" -ne 302 ]; then
+ echo "Failed to download '$url'. Status code: $status_code."
+ return 1
+ fi
+}
+curl_download_binary() {
+ local url=$1
+ local target_path=$2
+ curl \
+ --silent \
+ --location \
+ --output "$target_path" \
+ --connect-timeout 5 \
+ "$url"
+}
+debian_get_arch() {
+ echo "$(dpkg --print-architecture)"
+}
+debian_get_target_arch() {
+ case $(debian_get_arch) in
+ amd64) echo 'x86_64' ;;
+ arm64) echo 'arm64' ;;
+ *)
+ printf >&2 '=== [ERROR] Unsupported architecture: "%s"!\n' "$(debian_get_arch)"
+ exit 1
+ ;;
+ esac
+}
+echo_banner() {
+ local text="$1"
+ echo -e "\e[1m\e[97m\e[41m$text\e[0m"
+}
+github_list_releases() {
+ if [ -z "$1" ]; then
+ echo "Usage: list_github_releases "
+ return 1
+ fi
+ local repo="$1"
+ local url="https://api.github.com/repos/$repo/releases"
+ curl -s "$url" | grep -Po '"tag_name": "\K.*?(?=")' | grep -E '^v?[0-9]+\.[0-9]+\.[0-9]+$' | sed 's/^v//'
+}
+github_get_latest_release() {
+ if [ -z "$1" ]; then
+ echo "Usage: get_latest_github_release "
+ return 1
+ fi
+ github_list_releases "$1" | head -n 1
+}
+github_get_tag_for_version() {
+ if [ -z "$1" ] || [ -z "$2" ]; then
+ echo "Usage: github_get_tag_for_version "
+ return 1
+ fi
+ local repo="$1"
+ local _version="$2"
+ local url="https://api.github.com/repos/$repo/releases"
+ local escaped_version
+ escaped_version="$(printf '%s' "$_version" | sed 's/\./\\./g')"
+ curl -s "$url" | grep -Po '"tag_name": "\K.*?(?=")' | grep -E "^v?${escaped_version}$" | head -n 1
+}
+utils_check_version() {
+ local version=$1
+ if ! [[ "${version:-}" =~ ^(latest|[0-9]+\.[0-9]+\.[0-9]+)$ ]]; then
+ printf >&2 '=== [ERROR] Option "version" (value: "%s") is not "latest" or valid semantic version format "X.Y.Z" !\n' \
+ "$version"
+ exit 1
+ fi
+}
+install() {
+ utils_check_version "$VERSION"
+ check_curl_installed
+ readonly architecture="$(debian_get_target_arch)"
+ if [ "$VERSION" == 'latest' ] || [ -z "$VERSION" ]; then
+ VERSION=$(github_get_latest_release "$githubRepository")
+ fi
+ readonly version="${VERSION:?}"
+ readonly releaseTag="$(github_get_tag_for_version "$githubRepository" "$version")"
+ if [ -z "$releaseTag" ]; then
+ printf >&2 '=== [ERROR] Could not find release tag for version "%s" in "%s"!\n' "$version" "$githubRepository"
+ exit 1
+ fi
+ readonly downloadUrl="https://github.com/${githubRepository}/releases/download/${releaseTag}/sfw-free-linux-${architecture}"
+ curl_check_url "$downloadUrl"
+ readonly binaryTargetPath="${binaryTargetFolder}/${binaryName}"
+ curl_download_binary "$downloadUrl" "$binaryTargetPath"
+ chmod 755 "$binaryTargetPath"
+ apt_get_cleanup
+}
+echo_banner "devcontainer.community"
+echo "Installing $name..."
+install "$@"
+echo "(*) Done!"
diff --git a/test/socket.dev-sfw-free/test.sh b/test/socket.dev-sfw-free/test.sh
new file mode 100755
index 0000000..9426c57
--- /dev/null
+++ b/test/socket.dev-sfw-free/test.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+
+set -e
+
+# Optional: Import test library bundled with the devcontainer CLI
+# See https://github.com/devcontainers/cli/blob/HEAD/docs/features/test.md#dev-container-features-test-lib
+# Provides the 'check' and 'reportResults' commands.
+source dev-container-features-test-lib
+
+# Feature-specific tests
+# The 'check' command comes from the dev-container-features-test-lib. Syntax is...
+# check
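Review bot: The binary fetched by `curl_download_binary` in install.sh is written straight to `/usr/local/bin/sfw` and made executable in `install()` with no integrity check, and the curl call has no `--fail`, so an HTTP error body or a substituted release asset would be installed as `sfw`. The earlier `curl_check_url` probe is a separate request and does not protect the download itself. Consider downloading to a temporary file with `--fail` and HTTPS-only redirects, verifying a pinned SHA-256 when one is supplied, and only then moving the file into place. The `SHA256` option in the sketch below is hypothetical and would also need an entry in devcontainer-feature.json.

```shell
curl_download_binary() {
    local url=$1
    local target_path=$2
    local tmp_path
    tmp_path="$(mktemp)"
    # --fail: an HTTP error must not leave an error page behind as the binary.
    # --proto / --proto-redir: refuse a redirect that leaves HTTPS.
    curl \
        --fail \
        --silent \
        --show-error \
        --location \
        --proto '=https' \
        --proto-redir '=https' \
        --output "$tmp_path" \
        --connect-timeout 5 \
        "$url"
    # SHA256 is a hypothetical new option, not part of this commit.
    if [ -n "${SHA256:-}" ]; then
        printf '%s  %s\n' "$SHA256" "$tmp_path" | sha256sum --check --status
    fi
    # mv, not install(1): this script defines its own install() function.
    mv -f "$tmp_path" "$target_path"
}
```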