From 439a44bc85a95046cde4eff8a396575f8a31acba Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 21 Apr 2026 23:29:50 -0300
Subject: [PATCH] ci(data-prepper): scan staged supply-chain inputs
---
 services/logging/Jenkinsfile.data-prepper | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/services/logging/Jenkinsfile.data-prepper b/services/logging/Jenkinsfile.data-prepper
index 8b075530..dd4a8f25 100644
--- a/services/logging/Jenkinsfile.data-prepper
+++ b/services/logging/Jenkinsfile.data-prepper
@@ -82,7 +82,12 @@ spec:
 set +e
 sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
 sonar_rc=${PIPESTATUS[0]}
- trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL dockerfiles/Dockerfile.data-prepper services/logging/Jenkinsfile.data-prepper
+ scan_root=build/data-prepper-supply-chain-scan
+ rm -rf "${scan_root}"
+ mkdir -p "${scan_root}/dockerfiles" "${scan_root}/services/logging"
+ cp dockerfiles/Dockerfile.data-prepper "${scan_root}/dockerfiles/Dockerfile.data-prepper"
+ cp services/logging/Jenkinsfile.data-prepper "${scan_root}/services/logging/Jenkinsfile.data-prepper"
+ trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL "${scan_root}"
 trivy_rc=$?
 set -e
 printf '%s\n' "${sonar_rc}" > build/sonarqube-analysis.rc
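Review bot: The four staging commands added ahead of `trivy fs` (`rm -rf`, `mkdir -p` and the two `cp` lines) run under the `set +e` at the top of the hunk and their exit status is never checked. If a copy fails, for example because one of the two files is renamed, Trivy scans a partial or empty `${scan_root}` and `trivy_rc` can still be 0. For a supply-chain gate that is a silent pass on inputs that were never scanned. Ending each of those four lines with `&&` would chain them into one and-list with the `trivy fs` line, so `trivy_rc=$?` records the first failure. The script starts and ends outside the hunk, so how `trivy_rc` is consumed later is not visible here.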