scanning AppImage desktop application artifacts without executing them

[ciphernaut]

Description

Problem

AppImage is a Linux application distribution format that delivers an application
and bundled dependencies as a single executable artifact.

Trivy can already analyse an unpacked filesystem for OS packages, application
dependencies, binaries, licences and vulnerabilities. However, it cannot currently
scan the distributed .AppImage artifact directly.

For Type 2 AppImages, the normal extraction workflow involves invoking the AppImage
runtime with --appimage-extract. This is undesirable in security workflows because
the file being inspected may be untrusted.

A vulnerability scanner should not require executing the artifact under inspection
before it can analyse its contents.

Use case

I use Linux desktop applications distributed as AppImages, including development and
local-AI tooling. These artifacts may contain:

• bundled native libraries;
• Electron/Node dependencies;
• Python or other language packages;
• Go/Rust/native binaries;
• licence-relevant components;
• potentially vulnerable bundled components not visible to the host package manager.

I would like to be able to scan the exact downloaded or internally distributed
AppImage artifact in CI or before execution:

trivy appimage SomeApplication-x86_64.AppImage

### Target

Container Image

### Scanner

Vulnerability