Fix symlink permissions

Dockerfile

@@ -1,5 +1,3 @@
-# syntax=docker/dockerfile:1.7-labs
-
 # Compile the Lambda binary
 FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/golang:1.22.1-bullseye as builder
 WORKDIR /src
@@ -12,12 +10,13 @@ RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /lambda
 # Final build layer will use provided.al2023 as the base
 FROM public.ecr.aws/lambda/provided:al2023
 
-# Copy the relevant artifacts from the latest offline image
+# Copy the trivy CLI and DB artifacts from the latest offline image
+COPY --from=ghcr.io/bored-engineer/trivy-offline:latest /usr/local/bin/trivy /usr/local/bin/trivy
 ENV TRIVY_OFFLINE_SCAN=true
 ENV TRIVY_SKIP_POLICY_UPDATE=true
 ENV TRIVY_SKIP_JAVA_DB_UPDATE=true
 ENV TRIVY_SKIP_DB_UPDATE=true
-COPY --parents --from=ghcr.io/bored-engineer/trivy-offline:latest /usr/local/bin/trivy /contrib /root/.cache/trivy /
+COPY --chmod=777 --from=ghcr.io/bored-engineer/trivy-offline:latest /root/.cache/trivy /offline
 
 # Copy the Lambda binary from the builder stage and make it the entrypoint
 COPY --from=builder /lambda /usr/local/bin/lambda

lambda.go

@@ -41,7 +41,7 @@ func invoke(ctx context.Context, args []string) (*result, error) {
 	cmd.Env = append(cmd.Env, fmt.Sprintf("TRIVY_OUTPUT=%s", outputFile))
 
 	// Symlink the air-gapped DBs from the image layers to the cache directory and disable auto-update
-	offlineCacheDir := "/root/.cache/trivy"
+	offlineCacheDir := "/offline"
 	for _, directory := range []string{"policy", "java-db", "db"} {
 		src, dst := filepath.Join(offlineCacheDir, directory), filepath.Join(tmpDir, directory)
 		if err := os.Symlink(src, dst); err != nil {