nomad-temporal-jobs

trivyscan-activities

import "munchbox/temporal-workers/trivyscan/activities"

Index

type Activities

Activities holds shared dependencies for trivy scan activities. Register an instance with the Temporal worker to expose all exported methods as activity implementations.

type Activities struct {
    // contains filtered or unexported fields
}

func New

func New(cfg Config) (*Activities, error)

New creates an Activities instance with a pooled database connection.

func (*Activities) Close

func (a *Activities) Close() error

Close shuts down the database connection pool.

func (*Activities) GetRunningImages

func (a *Activities) GetRunningImages(ctx context.Context) ([]string, error)

GetRunningImages queries Nomad for all unique Docker images across running allocations. It creates a client span around the Nomad call so the scan shows up in the service graph.

func (*Activities) SaveScanResult

func (a *Activities) SaveScanResult(ctx context.Context, result ScanResult) error

SaveScanResult stores a single scan result and its vulnerabilities in PostgreSQL. Saves individually rather than in batches to stay under Temporal’s 2MB activity input payload limit.

func (*Activities) ScanImage

func (a *Activities) ScanImage(ctx context.Context, image string) (ScanResult, error)

ScanImage runs Trivy against a single container image using server mode. Transient errors (connection refused, timeouts) are returned as errors so Temporal retries them. Permanent failures (image not found, manifest unknown) are returned as non-retryable with the error status recorded in the result.

type Config

Config holds environment-driven settings for trivy scan activities.

type Config struct {
    TrivyServerAddr string
    DBHost          string
    DBPort          string
    DBUser          string
    DBPassword      string
    DBName          string
    DBSSLMode       string
    DBSSLRootCert   string
}

func (Config) Validate

func (c Config) Validate() error

Validate checks that required fields are present.

type ScanConfig

ScanConfig holds workflow-level configuration passed as input so values are deterministic across replays.

type ScanConfig struct {
    // Concurrency bounds how many images scan in parallel so the burst
    // doesn't overwhelm the Trivy server. Default 10.
    Concurrency int `json:"concurrency"`
}

func (*ScanConfig) ApplyDefaults

func (c *ScanConfig) ApplyDefaults()

ApplyDefaults fills any unset field with its fleet-wide default.

type ScanResult

ScanResult holds vulnerability scan results for one image.

type ScanResult struct {
    Image           string          `json:"image"`
    Status          string          `json:"status"`
    Error           string          `json:"error,omitempty"`
    CriticalCount   int             `json:"critical_count"`
    HighCount       int             `json:"high_count"`
    MediumCount     int             `json:"medium_count"`
    LowCount        int             `json:"low_count"`
    Vulnerabilities []Vulnerability `json:"vulnerabilities"`
    ScannedAt       time.Time       `json:"scanned_at"`
}

type Vulnerability

Vulnerability holds details about a single CVE.

type Vulnerability struct {
    VulnID           string `json:"vuln_id"`
    Severity         string `json:"severity"`
    PkgName          string `json:"pkg_name"`
    InstalledVersion string `json:"installed_version"`
    FixedVersion     string `json:"fixed_version"`
    Title            string `json:"title"`
    Description      string `json:"description"`
}
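As an added example that is not part of this package, the following shows how ScanImage's output could be built: it parses a Trivy JSON report (the `Results[].Vulnerabilities[]` field names are Trivy's own) into the ScanResult and Vulnerability types above, tallying severity counts, and records a malformed report as an error status rather than silently scoring zero. The types are reduced to the fields used, the JSON tags are omitted, and `sampleReport` is constructed with placeholder CVE ids.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Vulnerability and ScanResult are the page's types, reduced to the fields used here.
type Vulnerability struct{ VulnID, Severity, PkgName, InstalledVersion, FixedVersion string }
type ScanResult struct {
	Image, Status, Error                            string
	CriticalCount, HighCount, MediumCount, LowCount int
	Vulnerabilities                                 []Vulnerability
	ScannedAt                                       time.Time
}

// trivyReport is the subset of Trivy's JSON report (`trivy image -f json`)
// needed here; the field names are Trivy's own.
type trivyReport struct {
	Results []struct {
		Vulnerabilities []struct{ VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity string }
	}
}

// ParseTrivyReport turns raw Trivy JSON into a ScanResult, tallying severities.
// A malformed report yields Status "error" with the parse error recorded.
func ParseTrivyReport(image string, raw []byte, now time.Time) (ScanResult, error) {
	var rep trivyReport
	if err := json.Unmarshal(raw, &rep); err != nil {
		return ScanResult{Image: image, Status: "error", Error: err.Error(), ScannedAt: now}, err
	}
	res := ScanResult{Image: image, Status: "ok", ScannedAt: now}
	for _, r := range rep.Results {
		for _, v := range r.Vulnerabilities {
			res.Vulnerabilities = append(res.Vulnerabilities, Vulnerability{v.VulnerabilityID, v.Severity, v.PkgName, v.InstalledVersion, v.FixedVersion})
			switch v.Severity { // Trivy emits severities in upper case
			case "CRITICAL": res.CriticalCount++
			case "HIGH": res.HighCount++
			case "MEDIUM": res.MediumCount++
			case "LOW": res.LowCount++
			}
		}
	}
	return res, nil
}

// sampleReport is a constructed Trivy report with placeholder CVE ids.
const sampleReport = `{"Results":[{"Target":"alpine:3.19","Vulnerabilities":[{"VulnerabilityID":"CVE-0000-0001","PkgName":"openssl","InstalledVersion":"3.1.0","FixedVersion":"3.1.1","Severity":"CRITICAL"},{"VulnerabilityID":"CVE-0000-0002","PkgName":"zlib","InstalledVersion":"1.2.13","FixedVersion":"","Severity":"MEDIUM"}]}]}`
func main() {
	res, _ := ParseTrivyReport("alpine:3.19", []byte(sampleReport), time.Now())
	fmt.Printf("%s: %d critical, %d high, %d medium, %d low\n", res.Image, res.CriticalCount, res.HighCount, res.MediumCount, res.LowCount)
}
```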

Generated by gomarkdoc