fix binary build (#266)

* try adding missing dependency to cross setup

* maybe this way

* another try

* pin toolchain version

* Revert "another try"

This reverts commit 5a5948d.

* update dependencies

* update trivy config (#247)

* update nix flake

* add trivyignore config

* use ignore config in CI pipelines

* update cargo deny config

Author: wojcik91

.github/workflows/build-docker.yml

@@ -75,6 +75,9 @@ jobs:
 
       - name: Scan image with Trivy
         uses: aquasecurity/trivy-action@0.33.1
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"

.github/workflows/ci.yml

@@ -35,9 +35,12 @@ jobs:
 
       - name: Scan code with Trivy
         uses: aquasecurity/trivy-action@0.33.1
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
-          scan-type: 'fs'
-          scan-ref: '.'
+          scan-type: "fs"
+          scan-ref: "."
           exit-code: "1"
           ignore-unfixed: true
           severity: "CRITICAL,HIGH,MEDIUM"

.github/workflows/release.yml

@@ -99,7 +99,7 @@ jobs:
       - name: Install Rust stable
         uses: actions-rs/toolchain@v1
         with:
-          toolchain: stable
+          toolchain: 1.89.0 # "stable" causes rust-lld: error on aarch64-linux
           target: ${{ matrix.target }}
           override: true
 

.github/workflows/sbom.yml

@@ -34,40 +34,52 @@ jobs:
 
       - name: Create SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
-          scan-type: 'fs'
-          format: 'spdx-json'
+          scan-type: "fs"
+          format: "spdx-json"
           output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.sbom.json"
-          scan-ref: '.'
+          scan-ref: "."
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
       - name: Create docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
-          scan-type: 'image'
-          format: 'spdx-json'
+          scan-type: "image"
+          format: "spdx-json"
           output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.sbom.json"
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
       - name: Create security advisory file with Trivy
         uses: aquasecurity/trivy-action@0.33.1
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
-          scan-type: 'fs'
-          format: 'json'
+          scan-type: "fs"
+          format: "json"
           output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}.advisories.json"
-          scan-ref: '.'
+          scan-ref: "."
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
       - name: Create docker image security advisory file with Trivy
         uses: aquasecurity/trivy-action@0.33.1
+        env:
+          TRIVY_SHOW_SUPPRESSED: 1
+          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "ghcr.io/defguard/gateway:${{ steps.vars.outputs.VERSION }}"
-          scan-type: 'image'
-          format: 'json'
+          scan-type: "image"
+          format: "json"
           output: "defguard-gateway-${{ steps.vars.outputs.VERSION }}-docker.advisories.json"
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"

.trivyignore.yaml

@@ -0,0 +1,4 @@
+vulnerabilities:
+  - id: GHSA-585q-cm62-757j
+    expired_at: 2026-02-12
+    statement: "No fixed version available yet. The Mullvad team intends to fix it in the coming weeks: https://github.com/mullvad/mnl-rs/issues/15"