From ba6009a45bf4bf98ef36a7482a49d373b69c727b Mon Sep 17 00:00:00 2001 From: rmoff Date: Tue, 7 Apr 2026 17:26:42 +0100 Subject: [PATCH] Add rootfs scan type support The rootfs scan type has identical sandboxing requirements to fs/config (read-only bind mount of the scan target, noexec tmpfs at /tmp) but scans individual binaries and archives (e.g. JAR files) rather than package manifests. This is essential for detecting CVEs in shaded or fat JARs that don't appear in lock files. Without rootfs support, users scanning unpacked Java distributions (e.g. Kafka Connect connectors) get zero findings because fs mode only looks for package manager manifests (pom.xml, go.sum, etc.). --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 51005a1..4c7ec84 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -74,7 +74,7 @@ case "$scanType" in fi docker_args+=(--tmpfs "/tmp:rw,noexec") ;; - fs | config) + fs | rootfs | config) if [ -n "$scanRef" ]; then localPath="$(realpath "$scanRef")" if [ -f "$localPath" ]; then
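Review bot: the one-line change to the case arm (`fs | rootfs | config)`) matches the commit message's claim that rootfs shares the fs/config sandboxing (read-only bind mount of the target plus the `--tmpfs "/tmp:rw,noexec"` set just above it), but the patch touches only entrypoint.sh; if the action's input documentation or any validation of `$scanType` enumerates the accepted values, rootfs should be added there in the same change so the new mode is discoverable and not rejected before reaching this case. It would also help to confirm that the `if [ -f "$localPath" ]; then` branch that follows behaves sensibly when rootfs is given a single file rather than an unpacked directory tree, since the commit message describes rootfs as scanning unpacked distributions; a sentence in the commit message or README stating that rootfs expects a directory (and is for binaries/JARs, not manifests) would remove that ambiguity for users choosing between fs and rootfs.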