fix: re-evaluate submodules when inputs change #187
Merged
Addresses the failing test from #186
Uses a forked defsec with changes as seen here
To summarize that diff:
There's a small performance hit from re-evaluating the modules but it's reasonably good at not re-evaling when nothing's changed, and I'm pretty confident in the approach. (The hit could probably be reduced by diffing current-submodule-inputs against merged-previous-inputs-and-outputs, instead of against previous-inputs.)
If/when the upstream bug is fixed, we would still likely be better served updating our dependency to point at https://github.com/aquasecurity/trivy/tree/main/pkg/iac instead of https://github.com/aquasecurity/defsec/tree/v0.93.1/pkg