Implement others ways of installation

[jwillker]

The project has a high chance of gaining a lot of adoption.
To help with adoption, the project could provide other ways to install besides go install or download binaries. This facilitates to use of the osv-scanner in different machines, servers, CI/CD, etc.

My proposal is that the project could have the following:

• docker image
• brew package
• arch linux package
• alpine linux
• debian based (.deb)
• red hat based (.rpm)
• snap
• scoop

All this can be done using the goreleaser.
I can help with PRs if these features make sense!

[andrewpollock]

My initial thoughts on curl | bash are coloured by my past history with things like:

• https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
• https://www.onsecurity.io/blog/careless-with-curl-dont-be/

and as such, given the space we're operating in, I'd prefer for OSV Scanner to have a very solid supply chain security story.

I totally agree with the spirit of this issue though. As a Debian Developer, I'd like to see it packaged for Debian :-)

[another-rex]

I am not very familiar with goreleaser so any help would be appreciated, +1 on being cautious with curl | bash though.

I think the first step is producing a docker image, which can also be used when making the CI/CD action.

[koenhendriks]

I did try to build a docker image from the current Dockerfile in the repo, but I don't seem to be able to run the osv-scanner with arguments.

When trying to scan a directory:
docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app -r /app

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

And when trying to run with --lockfile I get the same:
docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app --lockfile=/app/composer.lock

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

Running it from go locally works fine.

[jwillker]

I did try to build a docker image from the current Dockerfile in the repo, but I don't seem to be able to run the osv-scanner with arguments.

When trying to scan a directory: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app -r /app

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

And when trying to run with --lockfile I get the same: docker run --rm koenhendriks/osv-scanner -v ${PWD}:/app --lockfile=/app/composer.lock

returns:

osv-scanner version: dev
commit: n/a
built at: n/a

Running it from go locally works fine.

@koenhendriks
The problem here is you are passing -v to the osv-scanner. I think you want to use docker -v to pass a volume, the order matter.

Maybe you should do: docker run --rm -v ${PWD}:/app koenhendriks/osv-scanner -r /app

[jwillker]

I am not very familiar with goreleaser so any help would be appreciated, +1 on being cautious with curl | bash though.

I think the first step is producing a docker image, which can also be used when making the CI/CD action.

@another-rex I just open a PR to implement a docker image publish feature using Goreleaser #63

Can you review and comment the open points please?

[jayvdb]

https://github.com/taiki-e/install-action now supports osv-scanner

[github-actions]

This issue has not had any activity for 60 days and will be automatically closed in two weeks