This repository has been archived by the owner on Apr 7, 2022. It is now read-only.
This is necessary for vulnix as it operates on the `.drv` files. They cannot be generated by nix on the target machine as only build outputs are copied over and no nix expressions are available.

I considered running the vulnix scan as part of the bitte build to avoid this PR. This introduces infinite recursion if we want to include vulnix itself in the scan. I considered it not worth the effort to try since vulnix itself could be a vulnerability that we would not want to ignore by essentially scanning another configuration than the one we actually deploy.
If we would like to try other options in the future to avoid the need for copying store derivations to the target we can always roll back this change.