Skip to content

Replace path traversal hack with $REGISTRY_PATH and $REGISTRY_MODULE_PATH env vars#287

Merged
fproulx-boostsecurity merged 2 commits intomainfrom
use-registry-path-env-vars
Jan 26, 2026
Merged

Replace path traversal hack with $REGISTRY_PATH and $REGISTRY_MODULE_PATH env vars#287
fproulx-boostsecurity merged 2 commits intomainfrom
use-registry-path-env-vars

Conversation

@fproulx-boostsecurity
Copy link
Collaborator

@fproulx-boostsecurity fproulx-boostsecurity commented Jan 23, 2026
edited
Loading

Summary

  • Replaces the $SETUP_PATH/../../registry/ path traversal hack with the new $REGISTRY_PATH and $REGISTRY_MODULE_PATH env vars introduced in boostsecurityio/boostsec-scanner-cli#285
  • Uses $REGISTRY_MODULE_PATH for same-module file references (gitleaks, gosec, trivy-fs, osv-scanner, npm-audit, bundler-audit)
  • Uses $REGISTRY_PATH for cross-module file references (gitleaks-full→gitleaks, trivy-sbom→trivy-fs, boost-sca→trivy-fs)
  • Removed the osv-scanner test fixture from trivy-sbom/tests.yaml as it was causing tests to be unreliable (Trivy is unable to handle such a complex codebase, resulting in a goroutine stack overflow — there is no known fix in Trivy for this)

Modules updated

  • gitleaks - boost.toml copy
  • gitleaks-full - boost.toml copy (from gitleaks module)
  • trivy-fs - prescan_checks.sh copy + filelist.txt reference
  • trivy-sbom - prescan_checks.sh copy (from trivy-fs)
  • boost-sca - prescan_checks.sh copy (from trivy-fs)
  • gosec - prescan_checks.sh copy
  • osv-scanner - prescan_checks.sh copy + filelist.txt reference
  • npm-audit - prescan_checks.sh copy
  • bundler-audit - prescan_checks.sh copy

Test plan

  • Tested gitleaks scan locally — boost.toml copied correctly via $REGISTRY_MODULE_PATH
  • Tested trivy-fs scan locally — prescan_checks.sh works with $REGISTRY_PATH filelist reference
  • Tested gosec prescan check locally — correctly detects missing Go files via $REGISTRY_MODULE_PATH
  • E2E tests on CI for all affected modules

🤖 Generated with Claude Code

fproulx-boostsecurity and others added 2 commits January 23, 2026 12:44
@fproulx-boostsecurity @claude
Replace $SETUP_PATH/../../registry path hack with $REGISTRY_PATH and …
0ec98be 
…$REGISTRY_MODULE_PATH env vars

Uses the new env vars from boostsec-scanner-cli#285:
- $REGISTRY_MODULE_PATH for same-module file references
- $REGISTRY_PATH for cross-module file references

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@fproulx-boostsecurity @claude
Remove flaky osv-scanner test from trivy-sbom
b4a2b9c 
Trivy crashes (exit code 2, goroutine dump) when scanning google/osv-scanner.
This is a trivy runtime issue unrelated to the registry path changes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@fproulx-boostsecurity fproulx-boostsecurity merged commit 2fbdb02 into main Jan 26, 2026
12 checks passed
@fproulx-boostsecurity fproulx-boostsecurity deleted the use-registry-path-env-vars branch January 26, 2026 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@scott-boost scott-boost scott-boost approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fproulx-boostsecurity @scott-boost