22361640215

Committed 24 Feb 2026 05:09PM UTC coverage: 92.342% (-0.6%) from 92.935%

Build # 22361640215

Build Type

Pull #23133

github

Committed by

web-flow

Commit Message

Merge fd48a7577 into 4d038bd74

Pull Request Pull Request #23133: Add buildctl engine

Coverage Stats

194 of 282 new or added lines in 10 files covered. (68.79%)

452 existing lines in 24 files now uncovered.

89670 of 97106 relevant lines covered (92.34%)

4.01 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

87.18

/src/python/pants/backend/docker/lint/trivy/rules.py

# Copyright 2024 Pants project contributors (see CONTRIBUTORS.md).
# Licensed under the Apache License, Version 2.0 (see LICENSE).
from dataclasses import dataclass
from typing import Any, cast

from pants.backend.docker.package_types import BuiltDockerImage
from pants.backend.docker.target_types import DockerImageSourceField, DockerImageTarget
from pants.backend.tools.trivy.rules import RunTrivyRequest, run_trivy
from pants.backend.tools.trivy.subsystem import SkipTrivyField, Trivy
from pants.core.goals.lint import LintResult, LintTargetsRequest
from pants.core.goals.package import (
    EnvironmentAwarePackageRequest,
    PackageFieldSet,
    environment_aware_package,
)
from pants.core.util_rules.partitions import PartitionerType
from pants.engine.addresses import Addresses
from pants.engine.internals.graph import find_valid_field_sets, resolve_targets
from pants.engine.internals.native_engine import EMPTY_DIGEST
from pants.engine.rules import collect_rules, implicitly, rule
from pants.engine.target import FieldSet, FieldSetsPerTargetRequest, Target
from pants.util.logging import LogLevel


@dataclass(frozen=True)
class TrivyDockerFieldSet(FieldSet):
    required_fields = (DockerImageSourceField,)

    source: DockerImageSourceField

    @classmethod
    def opt_out(cls, tgt: Target) -> bool:
        return tgt.get(SkipTrivyField).value


class TrivyDockerRequest(LintTargetsRequest):
    field_set_type = TrivyDockerFieldSet
    tool_subsystem = Trivy  # type: ignore[assignment]
    partitioner_type = PartitionerType.DEFAULT_ONE_PARTITION_PER_INPUT


def command_args():
    return (
        # workaround for Trivy DB being overloaded on pulls
        "--db-repository",
        "ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db",
        # quiet progress output, which just clutters logs
        "--no-progress",
    )


@rule(desc="Lint Docker image with Trivy", level=LogLevel.DEBUG)
async def run_trivy_docker(
    request: TrivyDockerRequest.Batch[TrivyDockerFieldSet, Any],
) -> LintResult:
    addrs = tuple(e.address for e in request.elements)
    tgts = await resolve_targets(**implicitly(Addresses(addrs)))

    field_sets_per_tgt = await find_valid_field_sets(
        FieldSetsPerTargetRequest(PackageFieldSet, tgts), **implicitly()
    )
    [field_set] = field_sets_per_tgt.field_sets

    package = await environment_aware_package(EnvironmentAwarePackageRequest(field_set))
    built_image: BuiltDockerImage = cast(BuiltDockerImage, package.artifacts[0])
    r = await run_trivy(
        RunTrivyRequest(
            command="image",
            command_args=command_args(),
            scanners=(),
            target=built_image.image_id,
            input_digest=EMPTY_DIGEST,
            description=f"Run Trivy on docker image {','.join(built_image.tags)}",
        ),
        **implicitly(),
    )

    return LintResult.create(request, r)


def rules():
    return (
        *collect_rules(),
        *TrivyDockerRequest.rules(),
        DockerImageTarget.register_plugin_field(SkipTrivyField),
    )

1	# Copyright 2024 Pants project contributors (see CONTRIBUTORS.md).
2	# Licensed under the Apache License, Version 2.0 (see LICENSE).
3	from dataclasses import dataclass	1✔
4	from typing import Any, cast	1✔
5
6	from pants.backend.docker.package_types import BuiltDockerImage	1✔
7	from pants.backend.docker.target_types import DockerImageSourceField, DockerImageTarget	1✔
8	from pants.backend.tools.trivy.rules import RunTrivyRequest, run_trivy	1✔
9	from pants.backend.tools.trivy.subsystem import SkipTrivyField, Trivy	1✔
10	from pants.core.goals.lint import LintResult, LintTargetsRequest	1✔
11	from pants.core.goals.package import (	1✔
12	EnvironmentAwarePackageRequest,
13	PackageFieldSet,
14	environment_aware_package,
15	)
16	from pants.core.util_rules.partitions import PartitionerType	1✔
17	from pants.engine.addresses import Addresses	1✔
18	from pants.engine.internals.graph import find_valid_field_sets, resolve_targets	1✔
19	from pants.engine.internals.native_engine import EMPTY_DIGEST	1✔
20	from pants.engine.rules import collect_rules, implicitly, rule	1✔
21	from pants.engine.target import FieldSet, FieldSetsPerTargetRequest, Target	1✔
22	from pants.util.logging import LogLevel	1✔
23
24
25	@dataclass(frozen=True)	1✔
26	class TrivyDockerFieldSet(FieldSet):	1✔
27	required_fields = (DockerImageSourceField,)	1✔
28
29	source: DockerImageSourceField
30
31	@classmethod	1✔
32	def opt_out(cls, tgt: Target) -> bool:	1✔
33	return tgt.get(SkipTrivyField).value	×
34
35
36	class TrivyDockerRequest(LintTargetsRequest):	1✔
37	field_set_type = TrivyDockerFieldSet	1✔
38	tool_subsystem = Trivy # type: ignore[assignment]	1✔
39	partitioner_type = PartitionerType.DEFAULT_ONE_PARTITION_PER_INPUT	1✔
40
41
42	def command_args():	1✔
UNCOV 43	return (	×
44	# workaround for Trivy DB being overloaded on pulls
45	"--db-repository",
46	"ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db",
47	# quiet progress output, which just clutters logs
48	"--no-progress",
49	)
50
51
52	@rule(desc="Lint Docker image with Trivy", level=LogLevel.DEBUG)	1✔
53	async def run_trivy_docker(	1✔
54	request: TrivyDockerRequest.Batch[TrivyDockerFieldSet, Any],
55	) -> LintResult:
56	addrs = tuple(e.address for e in request.elements)	1✔
57	tgts = await resolve_targets(**implicitly(Addresses(addrs)))	1✔
58
59	field_sets_per_tgt = await find_valid_field_sets(	1✔
60	FieldSetsPerTargetRequest(PackageFieldSet, tgts), **implicitly()
61	)
62	[field_set] = field_sets_per_tgt.field_sets	1✔
63
64	package = await environment_aware_package(EnvironmentAwarePackageRequest(field_set))	1✔
UNCOV 65	built_image: BuiltDockerImage = cast(BuiltDockerImage, package.artifacts[0])	×
UNCOV 66	r = await run_trivy(	×
67	RunTrivyRequest(
68	command="image",
69	command_args=command_args(),
70	scanners=(),
71	target=built_image.image_id,
72	input_digest=EMPTY_DIGEST,
73	description=f"Run Trivy on docker image {','.join(built_image.tags)}",
74	),
75	**implicitly(),
76	)
77
UNCOV 78	return LintResult.create(request, r)	×
79
80
81	def rules():	1✔
82	return (	1✔
83	*collect_rules(),
84	*TrivyDockerRequest.rules(),
85	DockerImageTarget.register_plugin_field(SkipTrivyField),
86	)

pantsbuild / pants / 22361640215

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous