Add run-writable subcommand.

This is to support the few plugins that expect that the target directory
is writable (e.g. to generate a lockfile).

backend/utilities/plugin_runner/README.md

@@ -50,6 +50,14 @@ Run the "gosec" plugin and start a debug shell in the container:
 bash-5.0#
 ```
 
+By default, the target directory is mounted as read-only to avoid unexpected changes that would change the results from run-to-run.
+This is fine for most plugins, but some plugins expect the target directory to be writable.
+For those plugins, use `run-writable` instead of `run`:
+
+```bash
+./plugin.sh run-writable gosec ~/git/my-repo
+```
+
 Stop all containers and release resources:
 
 ```bash

backend/utilities/plugin_runner/plugin.sh

@@ -7,13 +7,16 @@ readonly BASEDIR
 readonly TEMPDIR="$BASEDIR/tmp"
 readonly COMPOSEFILE="$TEMPDIR/docker-compose.yml"
 
+workdir_readonly=true
+
 # Print usage info to stderr.
 function usage {
   cat <<EOD >&2
 Usage: $0 (subcommand)
 
 Available subcommands:
     run - Run a core plugin in local containers.
+    run-writable - Same as "run", but mounts target directory as read-write.
     clean - Stop and clean up all containers.
 EOD
 }
@@ -142,7 +145,7 @@ services:
       - type: bind
         source: "$target"
         target: /work/base
-        read_only: true
+        read_only: $workdir_readonly
 EOD
 }
 
@@ -214,6 +217,10 @@ case "$cmd" in
   run)
     do_run "$@" || exit 1
     ;;
+  run-writable)
+    workdir_readonly=false
+    do_run "$@" || exit 1
+    ;;
   clean)
     do_clean "$@" || exit 1
     ;;