#Dagger Trivy injected Workspace check

past apexBOT
#

Dagger Trivy workspace mount

#

TLDR
Corrected the Trivy Python check: the Workspace API PR injects Workspace-typed function arguments from the engine, so the snippet now accepts workspace: dagger.Workspace, derives source = workspace.directory(".", gitignore=True, exclude=[...]), mounts it at /workspace in aquasec/trivy, and runs trivy fs there.

woven karma
#

make the snippet pretty please (code block)

past apexBOT
#
```python
from dagger import dag, function, object_type
# Assumption: the check decorator is importable from the SDK alongside function
from dagger import check


@object_type
class Security:  # enclosing module object so that `self` resolves
    @function
    @check
    async def security_scan(self, severity: str = "HIGH,CRITICAL") -> None:
        """Run Trivy against the current Dagger workspace."""
        workspace = dag.current_workspace()
        # Files handed to Trivy: honour .gitignore and skip bulky dependency dirs
        source = workspace.directory(
            ".",
            gitignore=True,
            exclude=[
                ".git/",
                "**/node_modules/",
                "**/.venv/",
                "**/__pycache__/",
            ],
        )

        await (
            dag.container()
            .from_("aquasec/trivy:latest")
            .with_mounted_directory("/workspace", source)
            .with_workdir("/workspace")
            # trivy fs scans the mounted tree; it exits 0 on findings unless --exit-code is set
            .with_exec(["trivy", "fs", "--severity", severity, "."])
            .sync()
        )
```
#

TLDR
User asked to modify a snippet so it takes a contextual Dagger workspace and mounts its files into the Trivy container, using the Workspace API as reference. The agent responded with a Python example that calls dag.current_workspace(), builds a workspace directory with gitignore=True and common excludes, mounts it at /workspace in aquasec/trivy:latest, sets the workdir, and runs trivy fs --severity ... .. The user then asked for the snippet to be prettified as a code block, and the agent provided the same solution formatted as a clean Python code block. No blockers or open decisions were raised.

Tasks:
✅ Draft Trivy scan snippet using dag.current_workspace() and mounted workspace directory
✅ Reformat the snippet as a readable Python code block
⏳ No explicit next task.

woven karma
#

<@&1506565370385793125> wrong, you receive the workspace as an argument that gets injected by the engine. see "workspace api" pr

past apexBOT
woven karma
#

edit the original message if you can

past apexBOT
# woven karma <@&1506565370385793125> wrong, you receive the workspace as an argument that get...

Yep, I had that wrong. The Workspace API PR injects Workspace-typed function args from the engine, so the check should receive it as an argument and derive the Directory from that:

```python
import dagger
from dagger import dag, function, object_type
# Assumption: the check decorator is importable from the SDK alongside function
from dagger import check


@object_type
class Security:  # enclosing module object so that `self` resolves
    @function
    @check
    async def security_scan(
        self,
        workspace: dagger.Workspace,  # injected by the engine, not looked up here
        severity: str = "HIGH,CRITICAL",
    ) -> None:
        """Run Trivy against the current workspace."""
        # Files handed to Trivy: honour .gitignore and skip bulky dependency dirs
        source = workspace.directory(
            ".",
            gitignore=True,
            exclude=[
                ".git/",
                "**/node_modules/",
                "**/.venv/",
                "**/__pycache__/",
            ],
        )

        await (
            dag.container()
            .from_("aquasec/trivy:latest")
            .with_mounted_directory("/workspace", source)
            .with_workdir("/workspace")
            # trivy fs scans the mounted tree; it exits 0 on findings unless --exit-code is set
            .with_exec(["trivy", "fs", "--severity", severity, "."])
            .sync()
        )
```

Reference: dagger/dagger#11874 says Workspace args are automatically injected via currentWorkspace, and the Python SDK exposes Workspace.directory(path, *, exclude, include, gitignore).

#