… update related tests. Removed support for multiple images in command usage and adjusted the execution logic accordingly.
…o CommandRunner interface and implementing isScanFailure check. Introduced tests for scan failure scenarios and updated MockCommandRunner to support stderr handling.
…Adjusted rule indices for existing vulnerabilities and added a new entry for eslint vulnerability CVE-2025-50537.
Pull request overview
This PR introduces a new container-scan command that leverages Trivy to scan container images for vulnerabilities, and adjusts configuration/validation paths so it can run without a codacy.yaml. It also updates the Trivy SARIF expected output and adds comprehensive tests around the new behavior and arguments.
Changes:
- Add a `container-scan` Cobra command, including image-name validation, Trivy auto-install/lookup, error handling, and argument construction for Trivy.
- Exempt `container-scan` from configuration validation and from requiring an existing `codacy.yaml` when invoked from `main`.
- Update the Trivy SARIF expected output fixture to account for new vulnerability findings and rule indices, and add extensive unit tests for the new command and helpers.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Summary per file:

| File | Description |
|---|---|
| plugins/tools/trivy/test/expected.sarif | Updates the expected Trivy SARIF output (including a new eslint CVE entry and adjusted ruleIndex values) to align tests with the current Trivy behavior. |
| cmd/validation.go | Extends the shouldSkipValidation list so container-scan bypasses codacy.yaml validation, matching its design to work without project config. |
| cmd/container_scan.go | Implements the container-scan command, including Docker image name validation, Trivy path resolution and installation, scan execution with stderr classification between "scan failed" vs "vulns found", and argument building based on flags. |
| cmd/container_scan_test.go | Adds unit tests covering getTrivyPath, executeContainerScan exit-code behavior, image name validation, Trivy argument construction, command argument rules, flag defaults, and the validation-skip behavior for container-scan. |
| cli-v2.go | Adjusts main so container-scan is treated like init/update/version/help and can run even when the project configuration file is missing or invalid. |
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
cmd/container_scan.go

```go
trivyPath, err := getTrivyPath()
if err != nil {
	handleTrivyNotFound(err)
	return 2
}
```
executeContainerScan both calls handleTrivyNotFound(err) (which invokes exitFunc(2)) and then returns 2, which runContainerScan passes again to exitFunc. In production this double-exit isn’t observable because os.Exit terminates the process immediately, but it mixes responsibilities for exiting between lower- and higher-level helpers and forces the tests to stub exitFunc around both places. To simplify control flow and make the code easier to reason about and test, consider having executeContainerScan only return an exit code (for example by changing handleTrivyNotFound to just log and return a code) and let runContainerScan be the single place that calls exitFunc.
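The single-exit-point control flow Copilot describes above, together with the image-name validation, stderr classification ("scan failed" vs "vulns found") and fixed Trivy argument policy listed in the review summary, as an added worked example. This is not the PR's code: the `CommandRunner` shape, the exit-code values (modelled on the `return 2` visible above), the hardcoded severity and package-type values, the use of `--exit-code 1`, and the stderr failure markers are all assumptions made for the example. `fakeRunner` is a constructed stand-in for the Trivy binary.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// CommandRunner abstracts process execution so scans are testable without Trivy
// (assumed shape; the PR's own interface may differ).
type CommandRunner interface {
	Run(name string, args ...string) (stdout, stderr string, exitCode int, err error)
}

// Fixed scan policy: the PR hardcodes these rather than exposing flags; values are assumed.
const defaultSeverity, defaultPkgTypes = "CRITICAL,HIGH,MEDIUM", "os,library"

// Exit codes are assumed, modelled on the "return 2" visible in the review.
const exitClean, exitVulnsFound, exitScanFailed = 0, 1, 2

// Docker-style reference: optional registry[:port]/, lowercase path, optional :tag, @sha256:digest.
var imageNameRe = regexp.MustCompile(`^(?:[a-zA-Z0-9](?:[a-zA-Z0-9.-]*[a-zA-Z0-9])?(?::[0-9]+)?/)?` +
	`[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*(?::\w[\w.-]{0,127})?(?:@sha256:[a-f0-9]{64})?$`)

// validateImageName rejects malformed references. A leading '-' is refused explicitly:
// the image is Trivy's last positional argument, so "--help" would otherwise be read as a flag.
func validateImageName(image string) error {
	switch {
	case image == "":
		return errors.New("image name is required")
	case strings.HasPrefix(image, "-"):
		return fmt.Errorf("image name %q must not start with '-'", image)
	case !imageNameRe.MatchString(image):
		return fmt.Errorf("invalid image name %q", image)
	}
	return nil
}

// buildTrivyArgs assembles the invocation; --exit-code 1 makes Trivy exit non-zero on findings.
func buildTrivyArgs(image string, ignoreUnfixed bool) []string {
	args := []string{"image", "--format", "sarif", "--scanners", "vuln", "--exit-code", "1",
		"--severity", defaultSeverity, "--pkg-types", defaultPkgTypes}
	if ignoreUnfixed {
		args = append(args, "--ignore-unfixed")
	}
	return append(args, image) // image last, after validation above
}

// Constructed stderr markers meaning "the scan did not complete"; a real list comes from observed output.
var scanFailureMarkers = []string{"FATAL", "unable to find the specified image", "manifest unknown"}

// isScanFailure separates "could not scan" from "found vulnerabilities": with --exit-code
// both return non-zero, so stderr is the discriminator.
func isScanFailure(stderr string) bool {
	for _, m := range scanFailureMarkers {
		if strings.Contains(stderr, m) {
			return true
		}
	}
	return false
}

// executeContainerScan only returns an exit code and output; it never calls exitFunc,
// so runContainerScan is the single exit point.
func executeContainerScan(r CommandRunner, trivyPath, image string, ignoreUnfixed bool) (int, string) {
	if err := validateImageName(image); err != nil {
		return exitScanFailed, err.Error()
	}
	stdout, stderr, code, err := r.Run(trivyPath, buildTrivyArgs(image, ignoreUnfixed)...)
	switch {
	case err != nil:
		return exitScanFailed, "could not run trivy: " + err.Error()
	case code == 0:
		return exitClean, stdout
	case isScanFailure(stderr):
		return exitScanFailed, strings.TrimSpace(stderr)
	default:
		return exitVulnsFound, stdout // SARIF with findings
	}
}

var exitFunc = os.Exit // swapped out in tests, as the review comment describes
func runContainerScan(r CommandRunner, trivyPath, image string) {
	code, out := executeContainerScan(r, trivyPath, image, true)
	fmt.Println(out)
	exitFunc(code) // the only place the process exits
}

type fakeRunner struct{ stdout, stderr string; code int } // constructed stand-in for the Trivy binary

func (f fakeRunner) Run(string, ...string) (string, string, int, error) { return f.stdout, f.stderr, f.code, nil }

func main() {
	exitFunc = func(code int) { fmt.Printf("exit %d\n", code) }
	runContainerScan(fakeRunner{stderr: "FATAL unable to find the specified image", code: 1}, "trivy", "alpine:3.19")
	runContainerScan(fakeRunner{stdout: `{"version":"2.1.0","runs":[]}`, code: 1}, "trivy", "alpine:3.19")
}
```

With `exitFunc` called in exactly one place, tests only need to stub it once, and `executeContainerScan` can be exercised as a pure function of the runner's output. Validating the image before it is appended as the last positional argument is what keeps a user-supplied value such as `--help` or `-rf` from being interpreted by Trivy as an option.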
cmd/container_scan.go (Outdated)

```go
args = append(args, "--ignore-unfixed")
}

// Apply --severity (use default if not specified)
"--scanners", "vuln",
}

// Apply --ignore-unfixed if enabled (default: true)
```
We should not allow users to define these flags.
cmd/container_scan.go (Outdated)

```go
}
args = append(args, "--severity", severity)

// Apply --pkg-types (use default if not specified)
```
Flags are removed.
…s flags. Default values for severity and package types are now hardcoded in the buildTrivyArgs function. Updated related tests to reflect these changes.
tested: