
Commit 73755dc

committed
fix: stackablectl scanning
1 parent fcd3261 commit 73755dc


1 file changed

+15
-3
lines changed


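--- a/stack_scanner/main.py
+++ b/stack_scanner/main.py
@@ -192,25 +192,37 @@ def scan_binary(
 product_name: str,
 branch_name: str,
 ) -> None:
-"""Scan a local binary file using Trivy and Grype in rootfs mode.
+"""Scan a local binary file using Trivy (filesystem) and Grype (sbom).
 
 The file must reside under /tmp/stackable/ so it is accessible inside the
 scanner container (which mounts that directory to /tmp).
+
+Trivy runs in filesystem mode against the binary and writes a CycloneDX
+report to /tmp/trivy.json. Grype then uses that report as SBOM input,
+since there is no Grype filesystem entrypoint.
 """
+# Run Trivy in filesystem mode. RUN_DIRECTORY is required by the entrypoint
+# (it cd's there before running trivy) and also becomes the implicit WORKSPACE
+# when neither GITHUB_WORKSPACE nor CI_PROJECT_DIR is set, so the report ends
+# up at /tmp/trivy.json inside the container (= /tmp/stackable/trivy.json on host).
 trivy_env = _build_base_env(secobserve_api_token, product_name, branch_name)
 trivy_env["TARGET"] = f"/tmp/{file_name}"
+trivy_env["RUN_DIRECTORY"] = "/tmp"
 
-cmd = _build_scanner_cmd("/entrypoints/entrypoint_trivy_rootfs.sh", trivy_env)
+cmd = _build_scanner_cmd("/entrypoints/entrypoint_trivy_filesystem.sh", trivy_env)
 print(" ".join(cmd))
 subprocess.run(cmd)
 
+# Run Grype in sbom mode, using Trivy's CycloneDX output as input.
 grype_env = {
 **trivy_env,
+"TARGET": "/tmp/trivy.json",
 "FURTHER_PARAMETERS": "--by-cve",
 "GRYPE_DB_CACHE_DIR": "/tmp/grype_db_cache",
 "REPORT_NAME": "grype.json",
 }
-cmd = _build_scanner_cmd("/entrypoints/entrypoint_grype_rootfs.sh", grype_env)
+del grype_env["RUN_DIRECTORY"]
+cmd = _build_scanner_cmd("/entrypoints/entrypoint_grype_sbom.sh", grype_env)
 subprocess.run(cmd)
 
 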
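Review bot: The Grype run now depends on the /tmp/trivy.json that the preceding Trivy run is supposed to write, but neither `subprocess.run(cmd)` checks the exit status, so a failed or aborted Trivy scan lets Grype read a missing report or a stale one left over from an earlier invocation and the scan can silently report nothing. Since the new comment states the report lands at /tmp/stackable/trivy.json on the host, I'd delete any leftover file before the Trivy run and fail fast on either scanner: `Path("/tmp/stackable/trivy.json").unlink(missing_ok=True)` before the first `_build_scanner_cmd`, and `subprocess.run(cmd, check=True)` for both calls (a missing report after Trivy should also raise rather than be handed to Grype). Separately, `print(" ".join(cmd))` predates this commit, but if `_build_scanner_cmd` inlines the env values into the argv, that line echoes the SecObserve API token into CI logs; worth confirming and redacting if so. scan_binary's signature begins above the hunk.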