secrux-engines contains the build definitions and helper scripts for scanner engine images (Semgrep/Trivy).
These images are launched by executor-agent as part of task execution.
- Docker (engine images are Docker images)
```
cd secrux-engines
cp .env.example .env
docker compose build
```

Or use the one-click helper script:

```
cd secrux-engines
./build-local-engines.sh
```

By default, it produces:

- `secrux-semgrep-engine:latest`
- `secrux-trivy-engine:latest`
Defined in secrux-engines/.env.example:
- `SEMGREP_IMAGE`: Upstream base image used to build the Semgrep engine.
- `TRIVY_IMAGE`: Upstream base image used to build the Trivy engine.
- `SECRUX_SEMGREP_ENGINE_IMAGE`: Output image tag for the built Semgrep engine.
- `SECRUX_TRIVY_ENGINE_IMAGE`: Output image tag for the built Trivy engine.
These are consumed by the entrypoint scripts and are typically provided by executor-agent via task env:
Semgrep (run-semgrep.sh)
- `SEMGREP_APP_TOKEN`: If set, runs `semgrep login --token ...` (non-interactive).
- `SEMGREP_DEFAULT_COMMAND`: Default command when no args are provided (default `ci`).
- `SEMGREP_CONFIG`: Injects `--config` when missing.
- `SEMGREP_FORMAT`: Injects `--format` when missing.
- `SEMGREP_OUTPUT_FILE`: Injects `--output` when missing.
- `SEMGREP_USE_PRO`: When `true`, injects `--pro`.
- `SEMGREP_ENABLE_SARIF`: When `true`, injects `--sarif`.
- `SEMGREP_LOG_FILE`: When set, captures output and writes a JSON log file.
Trivy (run-trivy.sh)
- `TRIVY_CACHE_DIR`: Creates the directory and injects `--cache-dir` when missing.
- `TRIVY_NO_PROGRESS`: When `true`, injects `--no-progress` if supported by the Trivy version.
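The "inject a flag only when missing" rules above are easy to get wrong (re-adding a flag the caller already passed, or treating any non-empty value as `true`). The following is an added illustration of how those Semgrep rules can be implemented in portable shell; it is not the project's `run-semgrep.sh`, and `has_flag` and `build_semgrep_args` are hypothetical names.

```shell
#!/bin/sh
# Added illustration (not the project's run-semgrep.sh): implement the documented
# "inject a flag only when the caller did not already pass it" rules portably.
# has_flag and build_semgrep_args are hypothetical names chosen for this example.

# has_flag FLAG ARG... : succeed if FLAG or FLAG=value is already among ARG...
has_flag() {
  flag="$1"; shift
  for a in "$@"; do
    case "$a" in
      "$flag"|"$flag="*) return 0 ;;
    esac
  done
  return 1
}

# build_semgrep_args ARG... : print the final argument list, one per line.
# Mirrors the documented env vars: SEMGREP_DEFAULT_COMMAND (default ci),
# SEMGREP_CONFIG/--config, SEMGREP_FORMAT/--format, SEMGREP_OUTPUT_FILE/--output,
# and the boolean toggles SEMGREP_USE_PRO/--pro and SEMGREP_ENABLE_SARIF/--sarif.
build_semgrep_args() {
  # No arguments at all: fall back to the default command.
  if [ $# -eq 0 ]; then
    set -- "${SEMGREP_DEFAULT_COMMAND:-ci}"
  fi
  # Value-carrying flags: append only when the caller did not set them.
  if [ -n "${SEMGREP_CONFIG:-}" ] && ! has_flag --config "$@"; then
    set -- "$@" --config "$SEMGREP_CONFIG"
  fi
  if [ -n "${SEMGREP_FORMAT:-}" ] && ! has_flag --format "$@"; then
    set -- "$@" --format "$SEMGREP_FORMAT"
  fi
  if [ -n "${SEMGREP_OUTPUT_FILE:-}" ] && ! has_flag --output "$@"; then
    set -- "$@" --output "$SEMGREP_OUTPUT_FILE"
  fi
  # Boolean toggles: only the literal string "true" turns them on.
  if [ "${SEMGREP_USE_PRO:-}" = true ] && ! has_flag --pro "$@"; then
    set -- "$@" --pro
  fi
  if [ "${SEMGREP_ENABLE_SARIF:-}" = true ] && ! has_flag --sarif "$@"; then
    set -- "$@" --sarif
  fi
  printf '%s\n' "$@"
}

# Demo in a subshell so the constructed env values do not leak to the caller:
# no arguments, config and SARIF supplied through the environment.
(
  SEMGREP_CONFIG=p/ci SEMGREP_ENABLE_SARIF=true
  build_semgrep_args
)
```

The real entrypoint would finish with `exec semgrep "$@"`; the function prints the list instead so the injection logic can be checked on its own.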
Configure your executor to use the built images (example snippet for config.json):
```json
{
  "engineImages": {
    "semgrep": "secrux-semgrep-engine:latest",
    "trivy": "secrux-trivy-engine:latest"
  }
}
```

- `run-semgrep.sh`: wrapper entrypoint used by the Semgrep engine image
- `run-trivy.sh`: wrapper entrypoint used by the Trivy engine image