feat: [#252] implement dynamic image detection for vulnerability scanning #426
Merged
josecelano merged 1 commit into main on Apr 8, 2026
ACK af3fc7b
Closes #252
Summary
Implements dynamic Docker image detection for the Trivy vulnerability scanning workflow. Instead of a hardcoded image list, the workflow now builds the deployer CLI, creates a minimal environment, and extracts the image list from the show command JSON output — ensuring the scan matrix automatically updates whenever an image constant changes.

Changes
Domain Model
- DockerImage value object (src/shared/docker_image.rs) with repository, tag, and full_reference() method
- docker_image() static methods with constants to TrackerConfig, MysqlServiceConfig, PrometheusConfig, and GrafanaConfig
- docker_image() delegation in DatabaseConfig (returns Some for MySQL, None for SQLite)

Infrastructure / Template
- image: String field to all four service context structs (TrackerServiceContext, MysqlServiceContext, PrometheusServiceContext, GrafanaServiceContext)
- templates/docker-compose/docker-compose.yml.tera to use {{ tracker.image }}, {{ mysql.image }}, {{ prometheus.image }}, {{ grafana.image }} instead of hardcoded strings

Show Command
- DockerImagesInfoDTO (extracted to its own module show/info/docker_images.rs)
- docker_images: DockerImagesInfo field to EnvironmentInfo (always populated, not optional)
- docker_images from domain config constants
- docker_images is now present in all states

GitHub Actions Workflow
- extract-images job: builds CLI → creates minimal env → runs show ci-images → pipes JSON to jq to produce image array
- scan-third-party-images to use ${{ fromJson(needs.extract-images.outputs.images) }} matrix (fully dynamic)
- upload-sarif-results
- src/** to workflow trigger paths so image constant changes trigger re-scans

Verification
All commands tested locally:

./target/release/torrust-tracker-deployer --working-dir /tmp/ci-workspace create environment --env-file /tmp/ci-images-env.json
./target/release/torrust-tracker-deployer --working-dir /tmp/ci-workspace show ci-images
# jq output: ["torrust/tracker:develop","mysql:8.4","prom/prometheus:v3.5.0","grafana/grafana:12.3.1","caddy:2.10"]

Pre-commit checks: ✅ 425/425 tests pass, all linters pass.
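As an added illustration of the value object and the image-list extraction the PR describes, here is example code written for this page; it is not the torrust-tracker-deployer code. The field and method names (repository, tag, full_reference(), and Option-valued images for the SQLite case) follow the PR description; the parsing rules, the ParseError type and the scan_matrix / matrix_json helpers are assumptions. Unlike the PR's jq pipeline, which keeps the show command's order, this example deduplicates and sorts the references so the matrix string is identical between runs.

```rust
// Added example, not the project's code: a minimal DockerImage value object
// with the names the PR describes, plus helpers that turn an environment's
// images into the JSON array a Trivy scan matrix consumes. Parsing rules,
// the error type and the helper names are assumptions made for this example.
use std::collections::BTreeSet;

/// An OCI image reference split into repository and tag.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DockerImage {
    pub repository: String,
    pub tag: String,
}

/// Reasons a reference is rejected before it can reach the scan matrix.
#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    Empty,
    /// No tag: an untagged reference resolves to `latest`, so scanning it is
    /// not reproducible and may not match what the compose template deploys.
    MissingTag(String),
    /// `repo@sha256:...` pins are not modelled here; pin via tag constants.
    DigestNotSupported(String),
    /// Anything outside [A-Za-z0-9._-/:] could break the JSON the workflow
    /// feeds to `fromJson`, so it is refused rather than escaped.
    InvalidCharacter(String),
}

impl DockerImage {
    pub fn new(repository: &str, tag: &str) -> Self {
        Self { repository: repository.to_string(), tag: tag.to_string() }
    }

    /// Parse `repo:tag`, treating the last ':' after the last '/' as the tag
    /// separator so a registry port (`registry.example:5000/foo:1.0`) stays
    /// in the repository part instead of being mistaken for a tag.
    pub fn parse(reference: &str) -> Result<Self, ParseError> {
        let reference = reference.trim();
        if reference.is_empty() {
            return Err(ParseError::Empty);
        }
        if reference.contains('@') {
            return Err(ParseError::DigestNotSupported(reference.to_string()));
        }
        if !reference.chars().all(|c| c.is_ascii_alphanumeric() || "._-/:".contains(c)) {
            return Err(ParseError::InvalidCharacter(reference.to_string()));
        }
        let path_start = reference.rfind('/').map_or(0, |i| i + 1);
        let split = match reference[path_start..].rfind(':') {
            Some(i) => path_start + i,
            None => return Err(ParseError::MissingTag(reference.to_string())),
        };
        let (repository, tag) = (&reference[..split], &reference[split + 1..]);
        if repository.is_empty() || tag.is_empty() {
            return Err(ParseError::MissingTag(reference.to_string()));
        }
        Ok(Self::new(repository, tag))
    }

    pub fn full_reference(&self) -> String {
        format!("{}:{}", self.repository, self.tag)
    }
}

/// Collect the images an environment uses into a deduplicated, sorted list.
/// `None` entries model a config whose docker_image() returns None (the PR's
/// SQLite case). Deduplication matters because two services can share one
/// image; sorting keeps the workflow matrix stable between runs.
pub fn scan_matrix(images: &[Option<DockerImage>]) -> Vec<String> {
    images
        .iter()
        .flatten()
        .map(DockerImage::full_reference)
        .collect::<BTreeSet<_>>()
        .into_iter()
        .collect()
}

/// Render the matrix as the JSON array `fromJson(...)` expects. Emitting the
/// strings unescaped is safe only because `parse` rejects quotes and
/// backslashes; values built with `new` are trusted constants here.
pub fn matrix_json(matrix: &[String]) -> String {
    let quoted: Vec<String> = matrix.iter().map(|r| format!("\"{}\"", r)).collect();
    format!("[{}]", quoted.join(","))
}

fn main() {
    // The five references from the PR's verification output, plus a None
    // standing in for a service that contributes no image.
    let images = [
        Some(DockerImage::new("torrust/tracker", "develop")),
        Some(DockerImage::new("mysql", "8.4")),
        None,
        Some(DockerImage::new("prom/prometheus", "v3.5.0")),
        Some(DockerImage::new("grafana/grafana", "12.3.1")),
        Some(DockerImage::new("caddy", "2.10")),
    ];
    println!("{}", matrix_json(&scan_matrix(&images)));
    match DockerImage::parse("mysql") {
        Err(e) => eprintln!("rejected: {:?}", e),
        Ok(i) => println!("{}", i.full_reference()),
    }
}
```

The reason to fail on an untagged reference rather than default to `latest` is that the scan would then report on whatever the registry served at scan time, not on the image the compose template actually deploys; the same applies if the workflow's jq step ever received a reference without a tag.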