Add rootfs scan type support#1

Merged
lhotari merged 1 commit into
lhotari:mainfrom
rmoff:add-rootfs-scan-type
Apr 14, 2026
Conversation

@rmoff
Contributor

@rmoff rmoff commented Apr 7, 2026

Summary

  • Adds rootfs to the scan type case statement alongside fs and config
  • rootfs has identical sandboxing requirements (read-only bind mount, noexec tmpfs)

Why

The rootfs scan type is needed for scanning unpacked Java distributions (e.g. Kafka Connect connectors) where dependencies are shipped as individual JAR files rather than managed by a package manager.

Without rootfs, users get zero findings because fs mode only looks for package manager manifests (pom.xml, go.sum, etc.), not individual archives:

# trivy fs → "Number of language-specific files: 0"
# trivy rootfs → finds CVEs in individual JARs

This came up while adding Trivy scanning to Apache Iceberg's Kafka Connect CI, where we switched from aquasecurity/trivy-action to sandboxed-trivy-action following the Trivy supply chain compromise.

Test

Verified locally that rootfs produces identical Docker mount arguments to fs/config — the only difference is the subcommand passed to the trivy CLI inside the container.

The rootfs scan type has identical sandboxing requirements to fs/config
(read-only bind mount of the scan target, noexec tmpfs at /tmp) but
scans individual binaries and archives (e.g. JAR files) rather than
package manifests. This is essential for detecting CVEs in shaded or
fat JARs that don't appear in lock files.

Without rootfs support, users scanning unpacked Java distributions
(e.g. Kafka Connect connectors) get zero findings because fs mode
only looks for package manager manifests (pom.xml, go.sum, etc.).
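The scan-type dispatch this PR extends, written out as an added example (not the action's own code and not code from this PR): fs, config and rootfs share one sandbox profile, only the trivy subcommand differs, and any other scan type fails closed. Function names, the /scan mount path, the tmpfs options, the docker hardening flags and TRIVY_IMAGE are assumptions.

```shell
#!/bin/sh
# Added example, not sandboxed-trivy-action's own code: map the requested
# scan type to docker arguments. The /scan path, tmpfs options, hardening
# flags and TRIVY_IMAGE are assumptions; pin the image by digest for real.

# Sandbox flags shared by every supported scan type: the target is
# bind-mounted read-only and /tmp is a noexec tmpfs, so nothing the
# scanner unpacks from a JAR can be executed from either location.
sandbox_mount_args() {
    scan_type="$1"
    target="$2"   # host path of the checkout or unpacked distribution
    case "$scan_type" in
        fs|config|rootfs)
            printf '%s %s' \
                "--mount type=bind,source=${target},target=/scan,readonly" \
                "--tmpfs /tmp:rw,noexec,nosuid,nodev,size=256m"
            ;;
        *)
            # Fail closed: an unknown scan type must never reach docker run.
            printf 'unsupported scan type: %s\n' "$scan_type" >&2
            return 1
            ;;
    esac
}

# Full docker command line. The image is assumed to run trivy as its
# entrypoint, so the scan type is passed straight after the image name;
# it is the only part of the command that varies between fs/config/rootfs.
trivy_docker_cmd() {
    mounts=$(sandbox_mount_args "$1" "$2") || return 1
    image="${TRIVY_IMAGE:-aquasec/trivy@sha256:PLACEHOLDER_DIGEST}"
    printf 'docker run --rm --cap-drop ALL --security-opt no-new-privileges %s %s %s /scan\n' \
        "$mounts" "$image" "$1"
}
```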
@rmoff
Contributor Author

rmoff commented Apr 14, 2026

@lhotari could you take a look at this please? thanks :)

Owner

@lhotari lhotari left a comment

LGTM

@lhotari lhotari merged commit f01374b into lhotari:main Apr 14, 2026
2 checks passed
@lhotari
Owner

lhotari commented Apr 14, 2026

@rmoff Thanks for contributing. I created a PR to add this to ASF approved actions: apache/infrastructure-actions#711
