
container scans#51

Open
Ngwerume wants to merge 3 commits into main from container-scan

Conversation

@Ngwerume
Contributor

No description provided.

@codacy-staging

codacy-staging Bot commented Apr 22, 2026

Up to standards ✅

🟢 Issues 1 high

Results:
1 new issue

Category Results
Security 1 high


🟢 Metrics 0 duplication

Metric Results
Duplication 0


AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.



@codacy-production codacy-production Bot left a comment


Pull Request Overview

This PR implements container security scanning but contains multiple high-severity issues that prevent a successful and secure deployment. The implementation is currently broken due to a variable interpolation bug in the shell script and a dependency conflict in the Dockerfile (Numpy 1.26.4 requires Python 3.9+).

Furthermore, the Docker image is insecure by default, running as root and failing to update a vulnerable lxml dependency. There is also a configuration mismatch between the provided documentation and the GitHub Actions workflow concerning the expected secret names, which will likely cause setup failures for users.

About this PR

  • Inconsistent secret naming: The implementation (workflow/scripts) uses 'CODACY_API_TOKEN', while the documentation refers to 'CODACY_CLI_TOKEN'. This should be standardized to 'CODACY_API_TOKEN' across all files.
  • The PR description is empty and no Jira ticket is linked. Providing context is essential for verifying requirements and ensuring the scanning setup aligns with project goals.

Test suggestions

  • Docker image builds successfully using the provided Dockerfile
  • .codacy-cli.sh correctly downloads and executes the Codacy CLI binary
  • test-container-scan-local.sh successfully triggers a local scan with and without an API token
  • GitHub Action workflow correctly initializes the CLI and uploads the SBOM
  • Verify Docker container runs as a non-root user
  • Verify that all dependencies in requirements.txt are installed during the build


Comment thread requirements.txt
@@ -13,7 +13,7 @@ idna==3.2
kiwisolver==1.3.2
lxml==4.7.1
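
Review bot: the pins visible in this hunk (idna==3.2, kiwisolver==1.3.2, lxml==4.7.1) fix a version but not an artifact hash, so pip will install whatever the index serves under that version number. Add `--hash=sha256:...` entries (pip-compile --generate-hashes will produce them) and install with `pip install --require-hashes -r requirements.txt`, so the container build is reproducible and the SBOM the workflow uploads describes exactly what was installed. The lxml==4.7.1 context line is also the pin the review comment below asks to bump.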

🔴 HIGH RISK

Update lxml to version 6.1.0 to address CVE-2026-41066.

This might be a simple fix:

Suggested change
lxml==4.7.1
lxml==6.1.0

Comment thread Dockerfile

COPY main.py .

CMD ["python", "main.py"]

🔴 HIGH RISK

Running as 'root' is a security hazard. Specify a non-root USER in the Dockerfile to limit privileges.

This might be a simple fix:

Suggested change
CMD ["python", "main.py"]
RUN useradd --create-home appuser
USER appuser
CMD ["python", "main.py"]

Comment thread Dockerfile

WORKDIR /app

COPY main.py .

🔴 HIGH RISK

Dependencies from requirements.txt are not being installed. Add the necessary COPY and RUN pip install commands to build a functional image.

Suggested change
COPY main.py .
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY main.py .

Comment thread Dockerfile
@@ -0,0 +1,7 @@
FROM python:3.8
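
Review bot: `FROM python:3.8` in this new file pulls a floating tag for an interpreter line that reached end of life in October 2024, so the base layer will receive no further security fixes, and the python:3.9 proposed in the comment below is in the same position (end of life October 2025). Use a currently supported line, which also satisfies the numpy 1.26.4 requirement of Python 3.9+, and pin the tag by digest (`FROM python:3.12-slim@sha256:...`) so that the image that was scanned is the image that gets deployed.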

🔴 HIGH RISK

Numpy 1.26.4 requires Python 3.9 or higher. Update the base image to python:3.9 to ensure compatibility with the specified dependencies.

Suggested change
FROM python:3.8
FROM python:3.9
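
Putting the three Dockerfile findings above together (install the pinned requirements, run as a non-root user, build from a supported base image), here is an added example of what the file could look like; it is not the PR's Dockerfile. The base tag and its digest placeholder, the `appuser` name and the `/usr/sbin/nologin` shell are assumptions.

```dockerfile
# Added example, not the PR's Dockerfile: one image that addresses the three
# review findings (supported base image, dependency install, non-root user).
# The digest is a placeholder; take the real one from `docker pull` output.
FROM python:3.12-slim@sha256:<digest-from-docker-pull>

# No .pyc files in the image, and unbuffered stdout so logs leave the container promptly.
ENV PYTHONDONTWRITEBYTECODE=1 PYTHONUNBUFFERED=1

WORKDIR /app

# Install the pinned dependencies before copying the code, so this layer is
# cached until requirements.txt itself changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Application code is owned by root and therefore read-only for the runtime user.
COPY main.py .

# Unprivileged user (assumed name) with a home directory and no login shell;
# declared before CMD so the process starts as this user, not as root.
RUN useradd --create-home --shell /usr/sbin/nologin appuser
USER appuser

CMD ["python", "main.py"]
```

Two of the tests from the list above can be run directly against the built image: `docker run --rm <image> id -u` must print a non-zero UID, and `docker run --rm <image> python -c 'import numpy, lxml'` confirms that the requirements layer actually installed the packages rather than the code failing at first import.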

Comment thread .codacy-cli.sh
remote_file="codacy-cli-v2_${version}_${suffix}_${arch}.tar.gz"
url="https://github.com/codacy/codacy-cli-v2/releases/download/${version}/${remote_file}"

download "$url" "$bin_folder"

🔴 HIGH RISK

The variable version is missing the $ prefix for interpolation, which will cause the download to fail.

Suggested change
download "$url" "$bin_folder"
url="https:[REDACTED:HIGH_ENTROPY]${version}/${remote_file}"

Comment thread .codacy-cli.sh
if [ "$#" -eq 1 ] && [ "$1" = "download" ]; then
echo "Codacy cli v2 download succeeded"
else
eval "$run_command $*"

🔴 HIGH RISK

Avoid using eval for command execution to prevent shell injection vulnerabilities. Execute the binary directly while passing all arguments safely using "$@".

Suggested change
eval "$run_command $*"
"$run_command" "$@"

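To see what the eval change above buys, here is an added example (not code from the PR or from codacy-cli-v2) that swaps the real binary for a stand-in function which only reports how many arguments reached it, then dispatches the same arguments the two ways the comment contrasts. The `count_args` stand-in and the `dispatch_*` wrapper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): eval "$run_command $*" versus "$run_command" "$@".
# count_args stands in for the codacy-cli-v2 binary and just prints the number
# of arguments it received, so the effect of each dispatch style is visible.
count_args() { printf '%d\n' "$#"; }
run_command=count_args

# Original pattern: flattens argv into one string and re-parses it with eval.
# Whitespace splits arguments again, and ; | && $( ) are interpreted as shell syntax.
dispatch_eval() { eval "$run_command $*"; }

# Fixed pattern: direct execution, every argument passed through intact.
dispatch_direct() { "$run_command" "$@"; }

# A filename containing a space: eval hands the binary 3 arguments, direct hands it 2.
dispatch_eval   scan 'my report.json'   # prints 3
dispatch_direct scan 'my report.json'   # prints 2

# A crafted argument: under eval the ';' terminates the command and
# 'echo INJECTED' runs as a second command; under direct dispatch the whole
# string is delivered as one argument and nothing else runs.
dispatch_eval   'scan; echo INJECTED'   # prints 1, then INJECTED
dispatch_direct 'scan; echo INJECTED'   # prints 1
```

The second case is the one that matters for this wrapper: any argument that originates from a workflow input, a PR title or a filename in the repository reaches `eval` as shell source, and it runs with `CODACY_API_TOKEN` in the environment. `"$@"` removes that re-parsing step entirely.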
Comment on lines +40 to +41
-o codacy-acme \
-r engine-helper

⚪ LOW RISK

Suggestion: Hardcoded organization ('codacy-acme') and repository ('engine-helper'). Consider using GitHub Actions context variables like '${{ github.repository_owner }}' and '${{ github.event.repository.name }}' for better portability.
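
One way to act on this suggestion, as an added example rather than the PR's own workflow step: the organization and repository come from the run context, and both they and the token reach the script through `env:` instead of being written as `${{ ... }}` inside the `run:` line, where the expression is substituted into the script text before the shell parses it. The step name, the `./.codacy-cli.sh` invocation and the `CODACY_ORG`/`CODACY_REPO` variable names are assumptions; the CLI subcommand and remaining flags are left as `...` because the page does not show them.

```yaml
# Added example, not the PR's workflow: context values and the secret are
# exposed as environment variables, and the shell line references only those.
- name: Run Codacy container scan
  env:
    CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
    CODACY_ORG: ${{ github.repository_owner }}
    CODACY_REPO: ${{ github.event.repository.name }}
  run: |
    # subcommand and other flags omitted (...) since the page does not show them
    ./.codacy-cli.sh ... \
      -o "$CODACY_ORG" \
      -r "$CODACY_REPO"
```

Quoting the variables in the `run:` script keeps the same argument boundaries the `"$@"` fix above preserves inside the wrapper, so the org and repo names arrive at the CLI as exactly two arguments.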
