mpak-scanner: external tool dependencies (syft, grype, trufflehog) not bundled, no public Docker image #19

@shwetank-dev

Description

Observed Locally

When running `mpak-scanner scan *.mcpb --json` locally, three controls error out:

```
SC-01: "syft not found. Install with: brew install syft"
SC-02: "grype not found. Install with: brew install grype"
CQ-01: "trufflehog not found. Install with: brew install trufflehog"
```

These are not Python dependencies — they are external binaries that `mpak-scanner` shells out to. They are not listed in `pyproject.toml` and must be installed separately by the user.

Why This Matters in CI/CD

GitHub Actions runners (ubuntu-latest) do not have `syft`, `grype`, or `trufflehog` pre-installed. This means SC-01, SC-02, and CQ-01 will always error in CI, keeping compliance at Level 0 regardless of actual bundle quality.

Two Solutions

Option 1: curl installs in CI (fragile)

Add install steps to the workflow before running the scanner:
Option 2: Public Docker image (recommended)

The `apps/scanner/Dockerfile` already installs all three tools correctly. Publishing it as a public image would allow:
```yaml
- name: Run MTF scanner
  run: |
    docker run --rm -v ${{ github.workspace }}:/workspace \
      ghcr.io/nimblebraininc/mpak-scanner:0.2.4 \
      scan /workspace/*.mcpb --json > scan-results.json
```

Benefits: pinned version, reproducible, fast (cached), no manual dependency management, single step in CI.

Currently no public image exists on ghcr.io or Docker Hub under the `nimblebraininc` namespace.

Request

  1. Publish the scanner Docker image to `ghcr.io/nimblebraininc/mpak-scanner` with versioned tags
  2. Or document the recommended CI/CD integration pattern that handles external tool dependencies
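Until one of the above lands, a CI job can at least fail loudly instead of silently reporting Level 0. The following is an added example, not code from the mpak-scanner project or from the reporter: a preflight that checks the three external binaries are on PATH, and a postflight that greps the JSON output for the "not found. Install with:" control errors quoted above. It assumes those error strings appear verbatim in the `--json` output; the sample JSON shape is constructed.

```sh
#!/bin/sh
# Added example (not part of mpak-scanner). Two guards around
# `mpak-scanner scan *.mcpb --json` in CI:
#   1. preflight : stop before scanning if an external binary is absent
#   2. postflight: stop if the JSON output carries "<tool> not found" errors
# Assumption: the scanner's error text appears verbatim in the JSON output.

# External binaries the scanner shells out to (not pip-installable).
SCANNER_TOOLS="syft grype trufflehog"

# check_tools NAME... : reports each missing tool on stderr; returns 1 if any is missing.
check_tools() {
    rc=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "preflight: $tool not found on PATH" >&2
            rc=1
        fi
    done
    return $rc
}

# scan_has_tool_errors FILE : returns 0 when FILE contains a tool-missing control error.
scan_has_tool_errors() {
    grep -q 'not found\. Install with:' "$1"
}

# Constructed sample of a scan run on a bare ubuntu-latest runner.
# The JSON layout is invented; only the message strings come from the issue.
write_sample_scan() {
    cat > "$1" <<'EOF'
{"controls": [
  {"id": "SC-01", "status": "error", "message": "syft not found. Install with: brew install syft"},
  {"id": "CQ-01", "status": "error", "message": "trufflehog not found. Install with: brew install trufflehog"}
]}
EOF
}

# CI usage (uncomment in the workflow step):
# check_tools $SCANNER_TOOLS || exit 1
# mpak-scanner scan ./*.mcpb --json > scan-results.json
# scan_has_tool_errors scan-results.json && { echo "scanner deps missing" >&2; exit 1; }
```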
