Use trivy rootfs scan for both local and remote

[partkyle]

This adds support for both the local package and remote registry scanner to use trivy rootfs to scan the entire filesystem of a container.

The local version will extract a zarf package and use the images/index.json file to find the available containers, extract each layer into a directory, and then perform trivy rootfs

The remote version will write the remote image to a local directory using github.com/google/go-containerregistry/pkg/v1/layout, and then modify it to behave exactly the same as the local package so we can use the same process for scanning the remote images.

We also now only scan for 1 platform: amd64. Previously the results of amd64 and arm64 were concatenated together, giving double results in most cases.

This resolves the following issues:

• Implement full image scanning for both local and remote #149
• remote scanner does not separate different architectures #152
• remote image scanner should read from the original registry for all image layers #153

There is an adr attached for more implementation details.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
gomod/oras.land/oras-go/v2	2.5.0	🟢 7.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 9 4 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits

Scanned Manifest Files

go.mod

• oras.land/oras-go/v2@2.5.0
• github.com/docker/distribution@2.8.3+incompatible
• github.com/vbatts/tar-split@0.11.5

[codecov]

Codecov Report

Attention: Patch coverage is 67.27749% with 125 lines in your changes missing coverage. Please review.

Project coverage is 63.78%. Comparing base (f9af02c) to head (79ef5a7).
Report is 1 commits behind head on main.

Files	Patch %	Lines
pkg/scan/rootfs.go	62.90%	28 Missing and 18 partials ⚠️
pkg/scan/remote_scanner.go	68.59%	28 Missing and 10 partials ⚠️
pkg/scan/sbom.go	59.45%	15 Missing and 15 partials ⚠️
pkg/scan/local_scan.go	56.00%	10 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #168      +/-   ##
==========================================
+ Coverage   63.66%   63.78%   +0.12%     
==========================================
  Files          23       26       +3     
  Lines        1387     1541     +154     
==========================================
+ Hits          883      983     +100     
- Misses        316      356      +40     
- Partials      188      202      +14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[naveensrinivasan]

Thank you!