Fix trivy setup

[vadimpiven]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello @vadimpiven, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request streamlines the project's security scanning process by updating the Trivy configuration and ensuring all Python dependencies are current. The changes aim to improve the accuracy and efficiency of security checks while maintaining a robust and up-to-date development environment.

Highlights

• Trivy Configuration Update: The Trivy security scanning setup has been refined by modifying the mise.toml task to depend on a more general 'setup' and adding the --ignore-unfixed flag to the Trivy command. Additionally, explicit format, output, and ignore-unfixed settings were removed from trivy.yaml, likely centralizing control to the command line.
• Dependency Updates: Several Python package dependencies have been updated to their latest versions, including pyrefly, semgrep, packaging, pycparser, starlette, and wcwidth. The uv.lock file and pyproject.toml reflect these version bumps, ensuring the project uses up-to-date libraries.
• Dockerfile Base Image Refresh: The Dockerfile has been updated to use a newer SHA for the quay.io/pypa/manylinux_2_28 base image, ensuring the build environment is current.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/regular.yaml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[greptile-apps]

Greptile Overview

Greptile Summary

This PR refactors Trivy configuration by moving output-specific settings (format, output, ignore-unfixed) from the shared config file (trivy.yaml) to the workflow and CLI invocations, allowing different contexts to use different output formats while maintaining consistent scan behavior.

Key changes:

• Moved format: sarif, output: trivy-results.sarif, and ignore-unfixed: true from trivy.yaml to .github/workflows/regular.yaml and mise.toml CLI flags
• Updated mise.toml trivy task dependency from setup:pnpm to setup (broader dependency scope that includes pnpm)
• Updated Python dev dependencies: pyrefly 0.48.2 → 0.49.0, semgrep 1.148.0 → 1.149.0
• Updated manylinux_2_28 base image digest in Dockerfile
• Added empty dependencies = [] array to pyproject.toml (likely for uv compatibility)

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The changes are well-structured refactoring that improves flexibility by separating output configuration from scan behavior. All changes are consistent across files, dependency updates are minor version bumps, and the logic changes maintain equivalent functionality.
• No files require special attention

Important Files Changed

Filename	Overview
.github/workflows/regular.yaml	Added format, output, and ignore-unfixed parameters to Trivy action to match trivy.yaml config changes
trivy.yaml	Moved format, output, and ignore-unfixed settings from config file to workflow/CLI to allow flexibility
mise.toml	Changed dependency from setup:pnpm to setup and added --ignore-unfixed flag to trivy command

[gemini-code-assist]

Code Review

This pull request aims to fix the Trivy setup and updates several dependencies. The changes to mise.toml to ensure all dependencies are set up before scanning and the fix in pyproject.toml for the workspace definition are good improvements. The dependency updates are also beneficial.

My main feedback is on the changes to trivy.yaml. Removing the SARIF output configuration and the ignore-unfixed setting could potentially break CI pipelines that rely on this file for security reporting. I've left a detailed comment on this file.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!