feature: container-scan command to trivy scan containers

[franciscoovazevedo]

No description provided.

[codacy-production]

Codacy's Analysis Summary

2 new issues, 2 flagged as potential false positives (≤ 1 medium issue)
2 new security issues (≤ 0 issue)
63 complexity
2 duplications

Review Pull Request in Codacy →

✨ AI Reviewer available: add the codacy-review label to get contextual insights without leaving GitHub.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +1.46% (target: -0.50%)	❌ 49.03% (target: 50.00%)

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (e1bb1bc)	5798	1179	20.33%
Head commit (41cedbc)	6056 (+258)	1320 (+141)	21.80% (+1.46%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#191)	259	127	49.03%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[Copilot]

Pull request overview

This PR adds a new container-scan command to the Codacy CLI that wraps Trivy for container vulnerability scanning. The command provides configurable scanning options while setting sensible defaults for severity levels and package types.

Changes:

• Added new container-scan command with Trivy integration for container image vulnerability scanning
• Updated validation and configuration logic to exclude container-scan from requiring codacy.yaml
• Provided configurable flags for severity, package types, and unfixed vulnerability handling

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
cmd/container_scan.go	New command implementation that wraps Trivy with configurable scanning options
cmd/validation.go	Added container-scan to commands that skip codacy.yaml validation
cli-v2.go	Added container-scan to commands that bypass configuration requirements

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The error formatting is incorrect. color.Red does not support format specifiers like fmt.Printf. The error message will literally print "%v" instead of formatting the error value. Change this to use fmt.Sprintf to format the error first, or use a separate fmt.Printf call.

Suggested change

	color.Red("❌ Error: Failed to run Trivy: %v", err)
	color.Red(fmt.Sprintf("❌ Error: Failed to run Trivy: %v", err))

[Copilot]

The error handling logic has a flaw. If exitError.ExitCode() returns a value other than 1 (e.g., 2 or higher), the code falls through without exiting, logging the same error twice and calling os.Exit(1) at line 111. This creates confusing duplicate error logs. The code should exit after handling any exit error, not just exit code 1, or add an else statement to prevent fall-through.

[Copilot]

This new command lacks test coverage. Similar commands in this repository have corresponding test files (e.g., analyze_test.go, config_test.go, init_test.go, upload_test.go). Consider adding a container_scan_test.go file to test the buildTrivyArgs function and the error handling logic in runContainerScan.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Multiple tests in this file modify global flag variables (severityFlag, pkgTypesFlag, ignoreUnfixedFlag) without cleanup, which can cause test pollution where one test affects another. This occurs in TestBuildTrivyArgs (lines 126-132), TestBuildTrivyArgsOrder (lines 163-166), and TestBuildTrivyArgsDefaultsApplied (lines 379-382). Consider adding t.Cleanup() in each affected test to reset the flags to their original values after the test completes.

[Copilot]

The test creates a byte slice with 300 zero bytes and converts it to a string for testing the length limit. This creates a string of 300 null characters (\x00), which are not valid Docker image name characters and will fail the regex validation before reaching the length check. This test may not actually be testing the length validation logic. Consider using a valid character pattern like string(bytes.Repeat([]byte{'a'}, 300)) instead.

[Copilot]

The test expects an error with message "invalid image name format" for an image starting with a hyphen, but the validateImageName function doesn't have a specific check for this pattern. The regex ^[a-zA-Z0-9][a-zA-Z0-9._\-/:@]*$ requires the first character to be alphanumeric, so "-nginx" would fail the regex check and return "invalid image name format: contains disallowed characters" instead of "invalid image name format". The error message assertion may not match the actual error.

[Copilot]

The color.Red function is being called with a format string and argument, but color.Red doesn't support format strings like Printf. This will print the literal format string with "%v" in it, not the actual error message. Use fmt.Fprintf with color.Output or color.New(color.FgRed).Printf instead.

[Copilot]

The color.Red function is being called with a format string and argument, but color.Red doesn't support format strings like Printf. This will print the literal format string with "%v" in it, not the actual error message. Use fmt.Fprintf with color.Output or color.New(color.FgRed).Printf instead.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The resolveDockerfilePath function uses filepath.Join without validating that the resulting path doesn't escape the intended directory. A malicious docker-compose.yml could specify a build context like "../../../etc" and dockerfile like "passwd" to potentially read sensitive files. Consider adding validation to ensure the resolved path stays within safe boundaries or at least doesn't use absolute paths for user-controlled input.

Suggested change

	return path
	cleaned := filepath.Clean(path)
	// Disallow absolute paths or paths that escape upwards from the working directory
	if filepath.IsAbs(cleaned) || cleaned == ".." || strings.HasPrefix(cleaned, ".."+string(os.PathSeparator)) {
	logger.Warn("Unsafe Dockerfile path detected, falling back to default Dockerfile", logrus.Fields{
	"context": context,
	"dockerfile": dockerfile,
	})
	return "Dockerfile"
	}
	return cleaned

[Copilot]

The handleTrivyResult function is defined but never used in the codebase. The actual error handling is performed by handleScanError function in the scanImages function. This dead code should be removed to improve maintainability.

Suggested change

	// handleTrivyResult processes the Trivy command result and exits appropriately
	func handleTrivyResult(err error, imageName string) {
	if err == nil {
	logger.Info("Container scan completed successfully", logrus.Fields{"image": imageName})
	fmt.Println()
	color.Green("✅ Success: No vulnerabilities found matching the specified criteria")
	return
	}
	if exitError, ok := err.(*exec.ExitError); ok && exitError.ExitCode() == 1 {
	logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{
	"image": imageName, "exit_code": 1,
	})
	fmt.Println()
	color.Red("❌ Scanning failed: vulnerabilities found in the container image")
	os.Exit(1)
	}
	logger.Error("Failed to run Trivy", logrus.Fields{"error": err.Error()})
	color.Red("❌ Error: Failed to run Trivy: %v", err)
	os.Exit(1)
	}

[Copilot]

The test case "image name too long" creates a byte slice of 300 bytes but doesn't initialize it with valid characters. This creates a string of 300 null bytes (\x00), which would fail validation at the regex check (line 96) before reaching the length check (line 91), making the test potentially verify the wrong validation logic.

[Copilot]

The severityFlag and pkgTypesFlag values are passed directly to Trivy without validation. While exec.Command properly separates arguments and prevents shell injection, malicious or malformed values could still cause unexpected Trivy behavior. Consider adding validation to ensure these flags contain only expected characters (e.g., alphanumeric, commas for severity levels).

[Copilot]

Multiple tool version changes (eslint: 9.38.0→8.57.0, pmd: 6.55.0→7.11.0, pylint: 3.3.9→3.3.6, revive: 1.12.0→1.7.0) are included in this PR. The eslint and pylint changes appear to be downgrades, while pmd is an upgrade. These version changes seem unrelated to the container-scan feature and would benefit from being in a separate PR or being explained in the PR description.

[Copilot]

Both the dockerfile and compose-file flag checks are labeled as "Priority 0" in the comments. Since these are mutually exclusive explicit flags and both have the same priority level, the second one should be labeled differently (e.g., "Priority 0b" or the logic should be adjusted to handle the case where both flags are provided).

Suggested change

	// Priority 0: Check explicit --compose-file flag
	// Priority 0b: Check explicit --compose-file flag

[Copilot]

The comment "Skip build stage aliases (e.g., FROM golang:1.21 AS builder)" is somewhat misleading. The regex pattern automatically captures only the image name (the first non-whitespace sequence after FROM) and stops at the AS keyword, so aliases aren't being "skipped" through explicit logic - they're naturally excluded by the regex pattern. Consider clarifying the comment to say "Extract base image (before AS clause if present)".

Suggested change

	// Skip build stage aliases (e.g., FROM golang:1.21 AS builder)
	// and scratch images
	// Extract base image (before AS clause if present) and
	// ignore scratch images and duplicates

[Copilot]

The test modifies package-level variables (severityFlag, pkgTypesFlag, ignoreUnfixedFlag) which are shared across all tests. If tests run in parallel or don't properly reset state, this could cause test failures or flaky behavior. Consider either using test fixtures that properly isolate state, or ensuring these tests cannot run in parallel with t.Parallel() omitted.

[Copilot]

The change from '[email protected]' to '[email protected]' for the runtime appears unrelated to the container-scan feature being added. While this may be a valid correction (since dartanalyzer is a Dart tool, not specifically a Flutter tool), it would be clearer if configuration changes unrelated to the main feature were in a separate commit or PR, or at least mentioned in the PR description.

[codacy-production]

Codacy found an issue: Detected non-static command inside Command.

[codacy-production]

Codacy found an issue: OS command injection is a critical vulnerability that can lead to a full system compromise as it may allow an adversary to pass in arbitrary commands or arguments to be executed.