From 0ec98bef854ed9ce69a6ae041db6ab49c6012e2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Proulx?= Date: Fri, 23 Jan 2026 12:44:44 -0500 Subject: [PATCH 1/2] Replace $SETUP_PATH/../../registry path hack with $REGISTRY_PATH and $REGISTRY_MODULE_PATH env vars Uses the new env vars from boostsec-scanner-cli#285: - $REGISTRY_MODULE_PATH for same-module file references - $REGISTRY_PATH for cross-module file references Co-Authored-By: Claude Opus 4.5 --- scanners/boostsecurityio/boost-sca/module.yaml | 2 +- scanners/boostsecurityio/bundler-audit/module.yaml | 2 +- scanners/boostsecurityio/gitleaks-full/module.yaml | 2 +- scanners/boostsecurityio/gitleaks/module.yaml | 2 +- scanners/boostsecurityio/gosec/module.yaml | 2 +- scanners/boostsecurityio/npm-audit/module.yaml | 2 +- scanners/boostsecurityio/osv-scanner/module.yaml | 2 +- scanners/boostsecurityio/osv-scanner/prescan_checks.sh | 2 +- scanners/boostsecurityio/trivy-fs/module.yaml | 2 +- scanners/boostsecurityio/trivy-fs/prescan_checks.sh | 2 +- scanners/boostsecurityio/trivy-sbom/module.yaml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/scanners/boostsecurityio/boost-sca/module.yaml b/scanners/boostsecurityio/boost-sca/module.yaml index 5327bf34..4ec5c5dd 100644 --- a/scanners/boostsecurityio/boost-sca/module.yaml +++ b/scanners/boostsecurityio/boost-sca/module.yaml @@ -55,7 +55,7 @@ setup: - name: Utility scripts run: | mkdir -p $SETUP_PATH/pre-scan-checks/ - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/trivy-fs/prescan_checks.sh $SETUP_PATH/pre-scan-checks/trivy + cp $REGISTRY_PATH/scanners/boostsecurityio/trivy-fs/prescan_checks.sh $SETUP_PATH/pre-scan-checks/trivy - name: download trivy environment: VERSION: 0.67.2 diff --git a/scanners/boostsecurityio/bundler-audit/module.yaml b/scanners/boostsecurityio/bundler-audit/module.yaml index bddf700d..dcbaca85 100644 --- a/scanners/boostsecurityio/bundler-audit/module.yaml 
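Review bot: The new `cp $REGISTRY_PATH/scanners/boostsecurityio/trivy-fs/prescan_checks.sh $SETUP_PATH/pre-scan-checks/trivy` line expands both variables unquoted and unguarded. On a runner whose CLI predates boostsec-scanner-cli#285 the source would resolve to a root-relative path, so the step either fails with an unrelated "No such file" error or copies whatever sits at that path into the pre-scan-checks directory, which the gosec and npm-audit hunks show being executed by a later step. Writing it as `cp "${REGISTRY_PATH:?}/scanners/boostsecurityio/trivy-fs/prescan_checks.sh" "$SETUP_PATH/pre-scan-checks/trivy"` makes the shell abort with a clear message when the variable is unset or empty, and also prevents word splitting. The same applies to the `cp $REGISTRY_MODULE_PATH/...` and `cp $REGISTRY_PATH/...` lines in the bundler-audit, gitleaks-full, gitleaks, gosec, npm-audit, osv-scanner, trivy-fs and trivy-sbom module.yaml hunks. The `setup:` block starts above this hunk, so whether a minimum CLI version is enforced elsewhere is not visible here.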
+++ b/scanners/boostsecurityio/bundler-audit/module.yaml @@ -11,7 +11,7 @@ setup: - name: Utility scripts run: | mkdir -p $SETUP_PATH/pre-scan-checks/ - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/bundler-audit/prescan_checks.sh $SETUP_PATH/pre-scan-checks/bundler + cp $REGISTRY_MODULE_PATH/prescan_checks.sh $SETUP_PATH/pre-scan-checks/bundler config: support_diff_scan: true diff --git a/scanners/boostsecurityio/gitleaks-full/module.yaml b/scanners/boostsecurityio/gitleaks-full/module.yaml index 5002f5c4..04bf4a01 100644 --- a/scanners/boostsecurityio/gitleaks-full/module.yaml +++ b/scanners/boostsecurityio/gitleaks-full/module.yaml @@ -53,7 +53,7 @@ setup: chmod +x gitleaks - name: Copy Boost Gitleaks Rules run: | - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/gitleaks/boost.toml $SETUP_PATH/ + cp $REGISTRY_PATH/scanners/boostsecurityio/gitleaks/boost.toml $SETUP_PATH/ steps: - scan: diff --git a/scanners/boostsecurityio/gitleaks/module.yaml b/scanners/boostsecurityio/gitleaks/module.yaml index e5154705..6b5b1089 100644 --- a/scanners/boostsecurityio/gitleaks/module.yaml +++ b/scanners/boostsecurityio/gitleaks/module.yaml @@ -52,7 +52,7 @@ setup: chmod +x gitleaks - name: Copy Boost Gitleaks Rules run: | - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/gitleaks/boost.toml $SETUP_PATH/ + cp $REGISTRY_MODULE_PATH/boost.toml $SETUP_PATH/ steps: - scan: diff --git a/scanners/boostsecurityio/gosec/module.yaml b/scanners/boostsecurityio/gosec/module.yaml index 85310142..df49251d 100644 --- a/scanners/boostsecurityio/gosec/module.yaml +++ b/scanners/boostsecurityio/gosec/module.yaml @@ -16,7 +16,7 @@ setup: - name: Utility scripts run: | mkdir -p $SETUP_PATH/pre-scan-checks/ - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/gosec/prescan_checks.sh $SETUP_PATH/pre-scan-checks/gosec + cp $REGISTRY_MODULE_PATH/prescan_checks.sh $SETUP_PATH/pre-scan-checks/gosec steps: - run: $SETUP_PATH/pre-scan-checks/gosec 
diff --git a/scanners/boostsecurityio/npm-audit/module.yaml b/scanners/boostsecurityio/npm-audit/module.yaml index 6208b266..8f09874e 100644 --- a/scanners/boostsecurityio/npm-audit/module.yaml +++ b/scanners/boostsecurityio/npm-audit/module.yaml @@ -16,7 +16,7 @@ setup: - name: Utility scripts run: | mkdir -p $SETUP_PATH/pre-scan-checks/ - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/npm-audit/prescan_checks.sh $SETUP_PATH/pre-scan-checks/npm-audit + cp $REGISTRY_MODULE_PATH/prescan_checks.sh $SETUP_PATH/pre-scan-checks/npm-audit steps: - run: $SETUP_PATH/pre-scan-checks/npm-audit diff --git a/scanners/boostsecurityio/osv-scanner/module.yaml b/scanners/boostsecurityio/osv-scanner/module.yaml index 2a9e49e4..cf0f9051 100644 --- a/scanners/boostsecurityio/osv-scanner/module.yaml +++ b/scanners/boostsecurityio/osv-scanner/module.yaml @@ -56,7 +56,7 @@ setup: - name: Utility scripts run: | mkdir -p $SETUP_PATH/pre-scan-checks/ - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/osv-scanner/prescan_checks.sh $SETUP_PATH/pre-scan-checks/osv-scanner + cp $REGISTRY_MODULE_PATH/prescan_checks.sh $SETUP_PATH/pre-scan-checks/osv-scanner steps: - run: $SETUP_PATH/pre-scan-checks/osv-scanner diff --git a/scanners/boostsecurityio/osv-scanner/prescan_checks.sh b/scanners/boostsecurityio/osv-scanner/prescan_checks.sh index 4662b683..fb8f1597 100755 --- a/scanners/boostsecurityio/osv-scanner/prescan_checks.sh +++ b/scanners/boostsecurityio/osv-scanner/prescan_checks.sh @@ -5,7 +5,7 @@ while IFS= read -r line; do then exit 0 fi -done < $SETUP_PATH/../../registry/scanners/boostsecurityio/osv-scanner/filelist.txt +done < $REGISTRY_MODULE_PATH/filelist.txt >&2 echo "Scan misconfiguration:" >&2 echo " OSV-Scanner scan did not run because no supported files were detected" >&2 echo " See documentation list of supported file types: https://google.github.io/osv-scanner/supported-languages-and-lockfiles/" 
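Review bot: In osv-scanner/prescan_checks.sh, `done < $REGISTRY_MODULE_PATH/filelist.txt` is evaluated when the check runs rather than during setup, so the script now depends on the variable also being exported to the scan step; the module.yaml hunks only show it used under `setup:`. If it is unset there, the redirect fails and the loop body never runs. Unless the lines above the hunk set `-e`, control then falls through to the "no supported files were detected" message, which reports an environment problem as a scan misconfiguration. `done < "${REGISTRY_MODULE_PATH:?}/filelist.txt"` stops with an explicit error instead; the `$REGISTRY_PATH` redirect in trivy-fs/prescan_checks.sh has the same shape. The loop starts above the hunk.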
diff --git a/scanners/boostsecurityio/trivy-fs/module.yaml b/scanners/boostsecurityio/trivy-fs/module.yaml index 27e50d1b..928ac16d 100644 --- a/scanners/boostsecurityio/trivy-fs/module.yaml +++ b/scanners/boostsecurityio/trivy-fs/module.yaml @@ -55,7 +55,7 @@ setup: - name: Utility scripts run: | mkdir -p $SETUP_PATH/pre-scan-checks/ - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/trivy-fs/prescan_checks.sh $SETUP_PATH/pre-scan-checks/trivy + cp $REGISTRY_MODULE_PATH/prescan_checks.sh $SETUP_PATH/pre-scan-checks/trivy - name: download trivy environment: VERSION: 0.67.2 diff --git a/scanners/boostsecurityio/trivy-fs/prescan_checks.sh b/scanners/boostsecurityio/trivy-fs/prescan_checks.sh index 5ed49dfc..163bbaed 100755 --- a/scanners/boostsecurityio/trivy-fs/prescan_checks.sh +++ b/scanners/boostsecurityio/trivy-fs/prescan_checks.sh @@ -5,7 +5,7 @@ if [ "$(find . -name "$line" | wc -l)" != "0" ] then exit 0 fi -done < $SETUP_PATH/../../registry/scanners/boostsecurityio/trivy-fs/filelist.txt +done < $REGISTRY_PATH/scanners/boostsecurityio/trivy-fs/filelist.txt >&2 echo "Scan misconfiguration:" >&2 echo " Trivy scan did not run because no supported files were detected" >&2 echo " See documentation list of supported file types: https://trivy.dev/v0.61/docs/coverage/language/" diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml index 5abf2727..35cb2476 100644 --- a/scanners/boostsecurityio/trivy-sbom/module.yaml +++ b/scanners/boostsecurityio/trivy-sbom/module.yaml @@ -53,7 +53,7 @@ setup: - name: Utility scripts run: | mkdir -p $SETUP_PATH/pre-scan-checks/ - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/trivy-fs/prescan_checks.sh $SETUP_PATH/pre-scan-checks/trivy + cp $REGISTRY_PATH/scanners/boostsecurityio/trivy-fs/prescan_checks.sh $SETUP_PATH/pre-scan-checks/trivy - name: download trivy environment: VERSION: 0.67.2 From b4a2b9c9b68cd68739e47d627cd52eda95215ba0 Mon Sep 17 00:00:00 2001 
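Review bot: trivy-fs/prescan_checks.sh reads its list through `$REGISTRY_PATH/scanners/boostsecurityio/trivy-fs/filelist.txt` while the otherwise parallel osv-scanner script uses `$REGISTRY_MODULE_PATH/filelist.txt`, and nothing in the file says why. Judging from the boost-sca and trivy-sbom hunks, which copy this script into their own setup, the module-relative variable would presumably point at the calling module, so the difference looks deliberate. A comment above the `done` line would keep a later cleanup from unifying the two: `# Shared with boost-sca and trivy-sbom, so resolve via $REGISTRY_PATH rather than $REGISTRY_MODULE_PATH.` The loop this line closes begins outside the hunk.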
From: =?UTF-8?q?Fran=C3=A7ois=20Proulx?= Date: Fri, 23 Jan 2026 13:34:44 -0500 Subject: [PATCH 2/2] Remove flaky osv-scanner test from trivy-sbom Trivy crashes (exit code 2, goroutine dump) when scanning google/osv-scanner. This is a trivy runtime issue unrelated to the registry path changes. Co-Authored-By: Claude Opus 4.5 --- scanners/boostsecurityio/trivy-sbom/tests.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/scanners/boostsecurityio/trivy-sbom/tests.yaml b/scanners/boostsecurityio/trivy-sbom/tests.yaml index 83700678..b25e2255 100644 --- a/scanners/boostsecurityio/trivy-sbom/tests.yaml +++ b/scanners/boostsecurityio/trivy-sbom/tests.yaml @@ -5,11 +5,6 @@ tests: source: url: "https://github.com/gitleaks/gitleaks.git" ref: "v8.15.2" - - name: "osv-scanner" - type: "source-code" - source: - url: "https://github.com/google/osv-scanner.git" - ref: "main" - name: "rclone" type: "source-code" source: