copacetic
[REQ] Support inputting tarballs
What kind of request is this?
New feature
What is your request or suggestion?
I am building container tarballs in my GitHub Actions workflows so that they can be uploaded to a self-hosted GitHub runner with network access to my container registry.
I would like to support inputting tarball files directly to copa, and have it import the tarball to a container image if need be. From my understanding #604 will support outputting tarball files, but copa will still require a loaded container image to run commands against.
```yaml
- name: Build docker image using cache
  uses: docker/build-push-action@v5
  id: build
  with:
    context: ${{ inputs.build-path }}
    file: ${{ inputs.dockerfile-path }}
    build-args: ${{ inputs.build-arg }}
    load: false
    push: false
    tags: ${{ steps.meta.outputs.tags }}
    labels: ${{ steps.meta.outputs.labels }}
    cache-from: type=gha
    outputs: type=docker,dest=./image.tar
- name: Run Trivy vulnerability scanner for OS vulnerabilities
  if: "${{ inputs.run-image-scan == 'true' && steps.build.outputs.cache-hit != 'true'}}"
  uses: aquasecurity/[email protected]
  with:
    input: ./image.tar
    format: "json"
    output: "report.json"
    severity: ${{inputs.image-scan-severity}}
    ignore-unfixed: true
    scanners: "vuln"
    vuln-type: "os"
# (..)
- name: Run Copa action
  if: steps.vuln_count.outputs.vuln_count != '0'
  id: copa
  uses: project-copacetic/copa-action@v1
  with:
    input-file: image.tar
    output-file: image-patched.tar
- name: Put image in GHA cache
  id: cache
  uses: actions/cache@v4
  with:
    key: ${{ inputs.artifact }}
    path: ./image-patched.tar
```
Are you willing to submit PRs to contribute to this feature request?
- [ ] Yes, I am willing to implement it.
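
While copa still needs a loaded image, a workflow that starts from `image.tar` has to know which image reference the archive will produce once loaded; the docker-archive format records it in `manifest.json`. The sketch below is an added example, not part of the original issue or of copa's code; the function names and the sample archive are constructed for illustration, and it reads the manifest without extracting anything from the tarball.

```python
import io
import json
import tarfile

MAX_MANIFEST_BYTES = 1 << 20  # refuse an implausibly large manifest.json


def image_refs_from_archive(fileobj):
    """Return the image references (RepoTags) recorded in a docker-archive tarball.

    Only manifest.json is read into memory; no member is written to disk, so
    hostile member paths in an untrusted tarball are never followed.
    """
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        try:
            member = tar.getmember("manifest.json")
        except KeyError:
            raise ValueError("not a docker-archive tarball: manifest.json missing")
        if not member.isfile() or member.size > MAX_MANIFEST_BYTES:
            raise ValueError("manifest.json is not a regular file of sane size")
        manifest = json.load(tar.extractfile(member))
    if not isinstance(manifest, list):
        raise ValueError("manifest.json is not a list of image entries")
    refs = []
    for entry in manifest:
        # RepoTags is null when the image was built without a tag.
        refs.extend(entry.get("RepoTags") or [])
    return refs


def constructed_archive(manifest, name="manifest.json"):
    """Build a minimal in-memory tarball for the demo (constructed sample)."""
    data = json.dumps(manifest).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed manifest; the registry name and config path are placeholders.
    sample = [{"Config": "blobs/sha256/placeholder.json",
               "RepoTags": ["registry.example/app:1.0"],
               "Layers": []}]
    print(image_refs_from_archive(constructed_archive(sample)))
```

An empty result means the archive holds only untagged images, so the image would have to be tagged after loading before it can be referenced by name.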