
Define a Nix Flake for a CI/CD Build Container with Security & Analysis Tools #33

Open
vonjackets opened this issue Feb 24, 2025 · 0 comments
Assignees: vonjackets
Labels: enhancement (New feature or request), good first issue (Good for newcomers)


Description:
We need to create a Nix Flake that defines a containerized environment for running CI/CD builds, facilitating further testing, analysis, and security scanning of the project. The container should include all necessary tools to build, lint, test, and analyze the code while ensuring security compliance.

Ideally, this container would include a subset of tools and programs from the full developer sandbox environment, and since nix supports modularity so well, it's likely this work could result in multiple nix modules for building not just the environment images, but also for the packaging and testing tasks as well.

Requirements:

  • The container should be defined using a Nix Flake.
  • Integrate Anchore Syft & Grype for software bill of materials (SBOM) generation and vulnerability scanning.
  • Perform antivirus scans (consider ClamAV or another suitable tool).
  • Implement coverage analysis (e.g., cargo-llvm-cov).
  • Support caching to optimize build times (e.g., leveraging Nix caching mechanisms).
  • Ensure the container remains minimal, only including necessary tools to streamline execution in CI/CD.

Acceptance Criteria:

  • A functional Nix Flake that produces a container image.
  • Successful execution of Rust builds and analyses within the container.
  • Security scans complete without blocking builds unless critical issues are detected.
  • Proper documentation outlining usage, integration into CI/CD, and maintenance steps.

Additional Notes:

  • Consider extending this container to support running integration tests in an isolated environment.
  • Evaluate whether additional security hardening steps (e.g., seccomp profiles, non-root execution) are necessary.

Deliverables:

  • A flake.nix and/or supporting module files for defining the container.
  • Documentation on usage and integration.
  • CI/CD workflow updates (if needed) to incorporate the new container.
vonjackets added the enhancement and good first issue labels on Feb 24, 2025
@vonjackets vonjackets self-assigned this Feb 24, 2025
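One shape such a flake could take, added here as an illustration rather than code from the project or the issue author: a layered image built with nixpkgs' dockerTools that carries only the Rust toolchain, Syft, Grype, ClamAV and cargo-llvm-cov, runs as a non-root UID, and ships a small scan script that fails the job only on critical findings. The image name, the UID, the `ci-scan` script and the `CLAMAV_DB` variable are assumptions; the package names are the nixpkgs attributes.

```nix
{
  description = "Minimal CI build image: build, lint, coverage, SBOM, vuln and AV scan";
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
      # One script runs the scans; only critical findings fail the job (the
      # acceptance criterion above). ClamAV's signature DB must be supplied at
      # runtime (e.g. a mounted volume), since the image has no network access.
      ciScan = pkgs.writeShellScriptBin "ci-scan" ''
        set -euo pipefail
        syft dir:. -o cyclonedx-json=sbom.cdx.json
        grype sbom:sbom.cdx.json --fail-on critical
        clamscan -r --infected --database="''${CLAMAV_DB:-/var/lib/clamav}" .
      '';
      # Deliberately small tool set: build, lint, test, coverage, scan, nothing else.
      ciTools = with pkgs; [
        cargo rustc clippy rustfmt cargo-llvm-cov     # Rust build, lint, test, coverage
        syft grype                                    # SBOM generation + vulnerability scan
        clamav                                        # clamscan for the antivirus pass
        bashInteractive coreutils gitMinimal cacert   # minimal shell, git, TLS roots
        ciScan
      ];
    in {
      packages.${system}.ciImage = pkgs.dockerTools.buildLayeredImage {
        name = "ci-builder";
        tag = "latest";
        contents = ciTools;
        # Non-root execution: create writable dirs owned by an unprivileged UID
        # (paths are relative to the image root inside fakeRootCommands).
        fakeRootCommands = ''
          mkdir -p tmp work home/ci && chmod 1777 tmp
          chown -R 1000:1000 work home/ci
        '';
        config = {
          User = "1000:1000";
          WorkingDir = "/work";
          Env = [
            "HOME=/home/ci"
            "PATH=/bin"
            "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
          ];
          Cmd = [ "bash" ];
        };
      };
      # Same tool set as a dev shell, so CI steps can be reproduced locally.
      devShells.${system}.default = pkgs.mkShell { packages = ciTools; };
    };
}
```

`nix build .#ciImage` produces a tarball loadable with `docker load`; a CI job then runs `cargo llvm-cov` and `ci-scan` inside it with the checkout mounted at `/work`.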