feat: 更新安全扫描引擎

.github/workflows/backend-ci-cd.yml

@@ -102,6 +102,7 @@ jobs:
           mkdir -p assets-amd64/sgp
           mkdir -p assets-arm64/sgp
           mkdir -p assets/vsix
+          mkdir tarballs
           touch docs/swagger.json
 
           # 下载 xdb
@@ -113,8 +114,8 @@ jobs:
           wget -O assets/vsix/monkeycode-${VERSION_NO_V}.vsix https://baizhiyun.oss-cn-hangzhou.aliyuncs.com/monkeycode/vsix/monkeycode-${VERSION_NO_V}.vsix
           
           # 下载 x86_64 SGP
-          wget -O assets-amd64/sgp/sgp https://baizhiyun.oss-cn-hangzhou.aliyuncs.com/monkeycode/sgp/x86_64/sgp
-          wget -O assets-amd64/sgp/sgp-rules https://baizhiyun.oss-cn-hangzhou.aliyuncs.com/monkeycode/sgp/x86_64/sgp-rules
+          wget -O tarballs/sgp.tgz https://baizhiyun.oss-cn-hangzhou.aliyuncs.com/monkeycode/sgp/x86_64/sgp.tgz
+          tar -xzvf tarballs/sgp.tgz -C assets-amd64
           chmod +x assets-amd64/sgp/sgp
           
           # 下载 aarch64 SGP

backend/build/Dockerfile.scanner

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.23-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS builder
 
 WORKDIR /src
 ENV CGO_ENABLED=0
@@ -23,6 +23,11 @@ cmd/scanner/main.go cmd/scanner/wire_gen.go
 
 FROM debian:bullseye-20250721-slim as binary
 
+RUN apt-get update && \
+    apt-get install -y ca-certificates && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app
 
 ARG TARGETARCH

backend/pkg/scan/scan.go

@@ -19,6 +19,10 @@ func Scan(id string, workspace, rule string) (*Result, error) {
 		"--metrics=off",
 		"--disable-version-check",
 		"--disable-nosem",
+		"--confidence=HIGH",
+		"--confidence=MEDIUM",
+		"--impact=HIGH",
+		"--impact=MEDIUM",
 		"--time",
 		"--json",
 		"--output", output,