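--- a/.github/workflows/code-scanning.yml
+++ b/.github/workflows/code-scanning.yml
@@ -0,0 +1,70 @@
+name: Code scanning
+
+on:
+workflow_dispatch:
+workflow_run:
+workflows: [Release]
+types: [completed]
+pull_request:
+types:
+- opened
+- synchronize
+branches: [main]
+paths:
+- "lib/*.nix"
+- "pkgs/*.nix"
+- "scripts/trivy-scan/**/*"
+
+jobs:
+trivy-scan:
+runs-on: ubuntu-latest
+if: ${{ github.event.workflow_run.conclusion == 'success' || github.event.pull_request.id }}
+outputs:
+sarif_files: ${{ steps.sarif_files.outputs.sarif_files }}
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- name: Install Nix
+uses: cachix/install-nix-action@v31
+- name: Build SARIF file
+run: nix run '.#trivy-scan'
+- name: Get SARIF files
+id: sarif_files
+run: |
+sarifs=(.trivy/scan_results/*.sarif)
+json_array=$(printf '%s\n' "${sarifs[@]}" | jq -R . | jq -sc .)
+echo "sarif_files=$json_array" >> $GITHUB_OUTPUT
+- name: Upload SARIF files
+uses: actions/upload-artifact@v4
+with:
+name: sarif_files
+include-hidden-files: true
+path: .trivy/scan_results/*.sarif
+
+upload-sarifs:
+needs: trivy-scan
+runs-on: ubuntu-latest
+permissions:
+security-events: write
+strategy:
+fail-fast: false
+matrix:
+sarif_file: ${{ fromJson(needs.trivy-scan.outputs.sarif_files) }}
+steps:
+- name: Download SARIF files
+uses: actions/download-artifact@v4
+with:
+name: sarif_files
+path: .trivy/scan_results
+- name: Extract category from filename
+id: category
+run: |
+filename=$(basename "${{ matrix.sarif_file }}")
+category="${filename%.sarif}"
+echo "category=$category" >> $GITHUB_OUTPUT
+- name: "Upload sarif file: ${{ matrix.sarif_file }}"
+uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: ${{ matrix.sarif_file }}
+category: ${{ steps.category.outputs.category }}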
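Review bot: `filename=$(basename "${{ matrix.sarif_file }}")` in the `Extract category from filename` step splices a value derived from file names produced by `nix run '.#trivy-scan'` straight into the shell script, in the job that holds `security-events: write`; pass it through the environment instead — `env: SARIF_FILE: ${{ matrix.sarif_file }}` on the step and `filename=$(basename "$SARIF_FILE")` — so a file name containing shell metacharacters can never become code. The `workflow_dispatch` trigger is dead as written, because the job-level `if:` is satisfied only by a successful `workflow_run` or a `pull_request` event; `|| github.event_name == 'workflow_dispatch'` restores it. There is no top-level `permissions:` block, so `trivy-scan` runs with whatever default token scope the repository grants; `permissions: contents: read` at the workflow top (with `upload-sarifs` keeping its own `security-events: write`) bounds that. On the `workflow_run` path, `actions/checkout@v4` will presumably check out the current default-branch head rather than the commit the `Release` run built — `ref: ${{ github.event.workflow_run.head_sha }}` pins it, if scanning the released commit is the intent. The four actions are referenced by mutable tags (`@v4`, `@v31`, `@v3`); pinning them to commit SHAs is the usual supply-chain hardening for a workflow that writes to code scanning.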
1 change: 0 additions & 1 deletion .github/workflows/housekeeping.yml
@@ -1,7 +1,6 @@
name: Cleanup

on:
repository_dispatch:
workflow_dispatch:
schedule:
# Run every day
6 changes: 3 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -2,12 +2,12 @@ name: Release

on:
push:
branches:
- main
branches: [main]
paths:
- .github/workflows/release.yml
- "**.nix"
- flake.lock
- "!scripts/**/*"

env:
REGISTRY: ghcr.io
Expand Down Expand Up @@ -38,7 +38,7 @@ jobs:
- id: get-images
run: |
nix flake show --json --quiet --quiet \
| jq -r '.packages["x86_64-linux"] | delpaths([["default"],["geolite2"]]) | keys | "images=" + (. | tostring)' \
| jq -r '.packages["x86_64-linux"] | delpaths([["default"],["geolite2"],["trivy-scan"]]) | keys | "images=" + (. | tostring)' \
>> $GITHUB_OUTPUT

build-and-push:
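Review bot: The `delpaths([["default"],["geolite2"],["trivy-scan"]])` deny list in `get-images` now has to be extended by hand every time a non-image attribute lands in `packages` (this PR merges `./scripts` into the same attrset), and a forgotten entry would make `build-and-push` treat a script as a container image; a single source of truth would be safer, e.g. exposing the image names from the flake (`builtins.attrNames xlib.mkAllImages`) and reading them with `nix eval --json`, so the workflow never has to know which packages are not images. Until then, a comment on the jq line saying why exactly those three names are excluded would help the next person who adds a package. The `get-images` step belongs to a job whose definition starts above the second hunk.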
5 changes: 2 additions & 3 deletions .github/workflows/update-geolite.yml
@@ -1,7 +1,6 @@
name: Update GeoLite

on:
repository_dispatch:
workflow_dispatch:
schedule:
# Run every day
Expand Down Expand Up @@ -34,8 +33,8 @@ jobs:
uses: peter-evans/create-pull-request@v7
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: "refactor(pkgs/geolite2): update database"
title: "refactor(pkgs/geolite2): update database"
commit-message: "refactor(pkgs): update geolite2"
title: "refactor(pkgs): update geolite2"
body: |
Automated update of GeoLite2 database.

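Review bot: The pull request this job opens is created with `token: ${{ secrets.GITHUB_TOKEN }}`, and GitHub does not start `pull_request` workflows for events raised by that token, so the new `code-scanning` workflow — which lists `pkgs/*.nix` in its `paths:` filter — will presumably not run on the automated geolite2 update until it is merged and `Release` completes. If a scan before merge is wanted, the usual options are a GitHub App or PAT token for `create-pull-request`, or having this job dispatch `code-scanning` explicitly; at minimum a comment beside `token:` such as `# GITHUB_TOKEN-created PRs do not trigger pull_request workflows; code-scanning runs after Release instead` makes the gap visible. The rest of the `with:` block and the job continue outside the hunk.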
1 change: 1 addition & 0 deletions .gitignore
@@ -1,2 +1,3 @@
.direnv
result*
.trivy
4 changes: 2 additions & 2 deletions default.nix
Expand Up @@ -23,8 +23,8 @@
let
xlib = import ./lib { inherit nix2container pkgs xpkgs; };
in
xlib.mkAllImages
pkgs.lib.mapAttrs (_: value: value.image) xlib.mkAllImages
// xpkgs
// {
default = xlib.mkImage { };
default = (xlib.mkImage { }).image;
}
4 changes: 2 additions & 2 deletions flake.lock


72 changes: 47 additions & 25 deletions flake.nix
Expand Up @@ -4,7 +4,7 @@
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/25.05";

nix2container = {
n2c = {
url = "github:nlewo/nix2container";
inputs.nixpkgs.follows = "nixpkgs";
};
Expand All @@ -19,7 +19,7 @@
{
self,
nixpkgs,
nix2container,
n2c,
treefmt-nix,
...
}:
Expand All @@ -34,47 +34,69 @@
f:
nixpkgs.lib.genAttrs systems (
system:
f (
import nixpkgs {
f rec {
pkgs = import nixpkgs {
inherit system;

config.allowUnfreePredicate =
pkg:
builtins.elem (nixpkgs.lib.getName pkg) [
"geolite2"
];
}
)
};

xpkgs = pkgs.lib.packagesFromDirectoryRecursive {
inherit (pkgs) callPackage;

directory = ./pkgs;
};

nix2container = n2c.packages.${pkgs.system};
}
);
treefmtEval = eachSystem (pkgs: treefmt-nix.lib.evalModule pkgs ./treefmt.nix);
treefmtEval = eachSystem ({ pkgs, ... }: treefmt-nix.lib.evalModule pkgs ./treefmt.nix);
in
{
# nix flake check
checks = eachSystem (pkgs: {
formatting = treefmtEval.${pkgs.system}.config.build.check self;
});
checks = eachSystem (
{ pkgs, ... }:
{
formatting = treefmtEval.${pkgs.system}.config.build.check self;
}
);

# nix fmt
formatter = eachSystem (pkgs: treefmtEval.${pkgs.system}.config.build.wrapper);
formatter = eachSystem ({ pkgs, ... }: treefmtEval.${pkgs.system}.config.build.wrapper);

# Development environment with tools available in PATH
devShells = eachSystem (pkgs: {
default = pkgs.callPackage ./shell.nix { };
});
devShells = eachSystem (
{
pkgs,
xpkgs,
nix2container,
...
}:
{
default = pkgs.callPackage ./shell.nix {
inherit xpkgs nix2container;
};
}
);

packages = eachSystem (
pkgs:
let
xpkgs = pkgs.lib.packagesFromDirectoryRecursive {
inherit (pkgs) callPackage;

directory = ./pkgs;
};
in
import ./default.nix {
{
pkgs,
xpkgs,
nix2container,
...
}:
(import ./default.nix {
inherit pkgs xpkgs;
inherit (nix2container.packages.${pkgs.system}) nix2container;
}
inherit (nix2container) nix2container;
})
// (import ./scripts {
inherit pkgs xpkgs nix2container;
})
);
};
}
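Review bot: `(import ./default.nix { … }) // (import ./scripts { … })` in `packages` merges the two attrsets with `//`, so any script whose name collides with an image or a `pkgs/` package silently replaces it, and `release.yml` would then pick that script up as an image; `pkgs.lib.attrsets.unionOfDisjoint` (which throws on a shared key, in recent nixpkgs) turns that collision into an evaluation error instead. `eachSystem` now hands `f` a record rather than `pkgs`; a one-line comment above it, `# eachSystem: f receives { pkgs, xpkgs, nix2container } for each supported system`, would save readers from reconstructing that from the `rec` body. The `eachSystem` definition itself begins above the hunk.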
61 changes: 32 additions & 29 deletions lib/default.nix
Expand Up @@ -87,44 +87,47 @@ rec {
}
);

in
nix2container.buildImage {
name = "goaccess";

# Generate tag based on version and enabled features
tag = lib.concatStrings [
goaccess.version
(lib.optionalString withGeolite2 "-geolite2-${lib.replaceStrings [ "." ] [ "-" ] geolite2.version}")
(lib.optionalString (!withGeolite2 && withGeolocation) "-geoip")
(lib.optionalString (baseImage != "") "-${baseImage}")
];
in
{
inherit tag;

# Set the base image to build from (empty string means scratch/no base)
fromImage =
if (baseImage != "") then
image = nix2container.buildImage {
inherit tag;

name = "goaccess";

# Set the base image to build from
fromImage = lib.optionalString (baseImage != "") (
nix2container.pullImage (distros.${baseImage} or throwDistro)
else
baseImage;

# Build the root filesystem environment
copyToRoot = buildEnv {
name = "root";

# Packages to include in the container
paths =
[ goaccessBuild ]
# Include GeoLite2 database if requested
++ lib.optional withGeolite2 geolite2;

# Directories to symlink into the container root
pathsToLink = [
"/bin"
"/etc"
"/share"
];
);

# Build the root filesystem environment
copyToRoot = buildEnv {
name = "root";

# Packages to include in the container
paths =
[ goaccessBuild ]
# Include GeoLite2 database if requested
++ lib.optional withGeolite2 geolite2;

# Directories to symlink into the container root
pathsToLink = [
"/bin"
"/etc"
"/share"
];
};

# Default command to run when container starts
config.Entrypoint = [ "goaccess" ];
};

# Default command to run when container starts
config.Entrypoint = [ "goaccess" ];
};
}
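Review bot: `fromImage = lib.optionalString (baseImage != "") (nix2container.pullImage …)` applies a string helper to a derivation; it works only because `optionalString` is `if cond then x else ""` with no type check, and it reads as a type error — `fromImage = if baseImage != "" then nix2container.pullImage (distros.${baseImage} or throwDistro) else "";` says the same thing plainly. `distros` is defined above the hunk, so it is not visible here whether each entry pins an `imageDigest`; if any still pull by tag alone, the image built from that base can change between the scan and the release, which is worth confirming. The enclosing `mkImage` function's head is also outside the hunk; its result is now `{ tag, image }` rather than the image itself, so a comment on the returned set, `# tag is exposed separately so scanners and release tooling can name the image without rebuilding it`, would explain the new shape to callers that previously used the value directly.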
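--- a/scripts/_template/default.nix
+++ b/scripts/_template/default.nix
@@ -0,0 +1,14 @@
+{ writeShellApplication, coreutils, ... }:
+
+let
+name = builtins.baseNameOf (builtins.toString ./.);
+in
+writeShellApplication {
+inherit name;
+
+text = builtins.readFile ./script.sh;
+
+runtimeInputs = [
+coreutils
+];
+}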
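Review bot: The derivation name is computed with `builtins.baseNameOf (builtins.toString ./.)`, which yields the directory name (`_template` here); a one-line comment, `# Derive the script name from the directory so a copy of the template only needs renaming`, would make that convention clear to whoever copies it. `writeShellApplication` also shellchecks `text` at build time and, as far as I recall, prepends its own shebang and `set -o errexit -o nounset -o pipefail` header, so the shebang and `set` lines in `script.sh` duplicate or override the wrapper's; a note here saying so would keep future scripts from fighting it.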
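--- a/scripts/_template/script.sh
+++ b/scripts/_template/script.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# set +e # Do not exit on error
+set -e # Exit on error
+set +u # Allow unset variables
+# set -u # Exit on unset variable
+# set +o pipefail # Disable pipefail
+set -o pipefail # Enable pipefail
+
+nc="\e[0m" # Unset styles
+red="\e[31m" # Red foreground
+
+error() {
+>&2 echo -e " ${red}×${nc} ${*}"
+}
+
+# shellcheck disable=SC2120
+die() {
+if [ "${#}" -gt 0 ]; then
+error "${*}"
+fi
+
+exit 1
+}
+
+main() {
+echo "This is a template."
+}
+
+main "$@"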
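Review bot: `set +u` silently turns off the `nounset` that `writeShellApplication` (the wrapper `default.nix` uses) enables for every script built from this template, so a misspelled variable in a derived script expands to an empty string instead of failing; a template should default to the strict setting, `set -u`, and let individual scripts opt out with a comment explaining why. The `#!/usr/bin/env bash` line is no longer the first line once the wrapper prepends its own header, so it is just a comment there — drop it, or note that beside it. `error` emits `\e[31m` escapes unconditionally, so log files and CI output pick up control characters; guard with `[ -t 2 ]` (or honour `NO_COLOR`). The commented-out `set +e` / `set -u` / `set +o pipefail` alternatives are noise in a template; the active lines plus one comment on why `errexit` and `pipefail` are on say the same thing.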