Add support for Tuist's .package.resolved SPM lockfile #10869
patriknordlen started this conversation in Ideas
Replies: 0 comments
Description

Trivy's Swift analyzer matches lockfiles strictly by filename — only Package.resolved qualifies. In Tuist projects, the SPM lockfile is committed as .package.resolved, so Trivy silently skips it and reports no Swift dependencies for those repos.

Proposed fix

Recognize .package.resolved alongside Package.resolved in the analyzer's Required() check. No parser changes are needed since the format is identical. Happy to send a PR.

Target: Filesystem

Scanner: Vulnerability
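An added illustration of the proposed change, not Trivy's own code or the offered PR: a Required() check that accepts both base names, beside a minimal version-2 resolved-file parser that never consults the file name, so identical bytes under either name yield the same dependencies. The function names, Dependency type and the embedded lockfile sample are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
)

// Base names the hypothetical Required() check accepts: SwiftPM's standard name plus Tuist's dot-prefixed one.
var swiftLockfiles = map[string]bool{"Package.resolved": true, ".package.resolved": true}

// Required reports whether a path goes to the Swift parser; like the existing check it tests only the base name.
func Required(filePath string) bool {
	return swiftLockfiles[filepath.Base(filePath)]
}

// Dependency is one resolved package: identity plus pinned version.
type Dependency struct{ Name, Version string }

// resolved models the version-2 Package.resolved layout (top-level "pins").
type resolved struct {
	Version int `json:"version"`
	Pins    []struct {
		Identity string `json:"identity"`
		State    struct{ Version string `json:"version"` } `json:"state"`
	} `json:"pins"`
}

// Parse decodes a resolved-file body. It never consults the file name, so the same bytes
// parse identically under either name. Only version 2 is handled; version 1 nests pins under "object".
func Parse(data []byte) ([]Dependency, error) {
	var r resolved
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	if r.Version != 2 {
		return nil, fmt.Errorf("unsupported lockfile version %d", r.Version)
	}
	deps := make([]Dependency, 0, len(r.Pins))
	for _, p := range r.Pins {
		deps = append(deps, Dependency{Name: p.Identity, Version: p.State.Version})
	}
	return deps, nil
}

// Sample is a constructed version-2 lockfile body, not from any real project.
const Sample = `{"version": 2, "pins": [{"identity": "swift-argument-parser",
  "location": "https://github.com/apple/swift-argument-parser",
  "state": {"revision": "0000000000000000000000000000000000000000", "version": "1.2.3"}}]}`
```

Feeding Sample to Parse gives the same single dependency whether the path was Package.resolved or App/.package.resolved; only Required decides whether the file is looked at.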