Replace hadolint with Trivy (#734)

* Replace hadolint with Trivy * Fix wrong commit
kachick · Mar 23, 2024 · 293f10a · 293f10a
1 parent 2a43f89
commit 293f10a
Show file tree

Hide file tree

Showing 9 changed files with 15 additions and 63 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -45,7 +45,6 @@ COPY ["./.devcontainer/setup_direnv.bash", "./"]
 RUN ./setup_direnv.bash
 
 # Clean up to avoid confusion
-# hadolint ignore=DL3059
 RUN rm ./flake.nix ./setup_direnv.bash
 
 # `ENTRYPOINT` and `CMD` will be ignored in .devcontainer. Use postCreateCommand instead

diff --git a/.devcontainer/README.md b/.devcontainer/README.md
@@ -5,8 +5,6 @@ Just get from Nix shell as follows.
 ```console
 > which dprint
 /nix/store/2rmr7ybmnr5xdcy6sw1073p0j5ljgw0n-dprint-0.37.1/bin/dprint
-> which hadolint
-/nix/store/3gl6j30ak4n692vfs5l1rsqf07pdr429-hadolint-2.12.0/bin/hadolint
 ```
 
 I want to realize better integration, but I don't know it.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -20,7 +20,6 @@
       "settings": {
         "editor.defaultFormatter": "dprint.dprint",
         "editor.formatOnSave": true,
-        "hadolint.hadolintPath": "/nix/store/3gl6j30ak4n692vfs5l1rsqf07pdr429-hadolint-2.12.0/bin/hadolint",
         "dprint.path": "/nix/store/2rmr7ybmnr5xdcy6sw1073p0j5ljgw0n-dprint-0.37.1/bin/dprint",
         "[nix]": {
           "editor.defaultFormatter": "jnoortheen.nix-ide"
@@ -33,7 +32,6 @@
         "dprint.dprint",
         "jnoortheen.nix-ide",
         "tamasfe.even-better-toml",
-        "exiasr.hadolint",
         "ms-azuretools.vscode-docker"
       ]
     }

diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,3 @@
+AVD-DS-0017
+
+AVD-DS-0026
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
@@ -6,7 +6,6 @@
     "tekumara.typos-vscode",
     "jnoortheen.nix-ide",
     "tamasfe.even-better-toml",
-    "exiasr.hadolint",
     "ms-azuretools.vscode-docker"
   ]
 }
diff --git a/Makefile.toml b/Makefile.toml
@@ -24,7 +24,7 @@ script = [
   "deno lint",
   "typos . .github .vscode .devcontainer",
   "actionlint",
-  "hadolint .devcontainer/Dockerfile",
+  "trivy config --exit-code 1 .",
 ]
 
 [tasks.test]
@@ -86,7 +86,7 @@ script = [
   # Returns NON 0, why...? :<
   # "nixpkgs-fmt --version",
   "actionlint --version",
-  "hadolint --version",
+  "trivy --version",
   "typos --version",
 ]
 

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -5,19 +5,17 @@
     #   - https://discourse.nixos.org/t/differences-between-nix-channels/13998
     # How to update the revision
     #   - `nix flake update --commit-lock-file` # https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-flake-update.html
-    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:NixOS/nixpkgs/release-23.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = { self, nixpkgs-unstable, nixpkgs-stable, flake-utils }:
+  outputs = { self, nixpkgs, flake-utils }:
     flake-utils.lib.eachDefaultSystem (system:
       let
-        unstable-pkgs = nixpkgs-unstable.legacyPackages.${system};
-        stable-pkgs = nixpkgs-stable.legacyPackages.${system};
+        pkgs = nixpkgs.legacyPackages.${system};
       in
       {
-        devShells.default = with unstable-pkgs;
+        devShells.default = with pkgs;
           mkShell {
             buildInputs = [
               # https://github.com/NixOS/nix/issues/730#issuecomment-162323824
@@ -35,9 +33,7 @@
               gh
               jq
 
-              # Avoided broken hadolint in latest
-              # https://github.com/NixOS/nixpkgs/pull/240387#issuecomment-1686601267
-              stable-pkgs.hadolint
+              trivy
             ];
           };
       });