Conversation

@franciscoovazevedo
Contributor

No description provided.

Copilot AI review requested due to automatic review settings January 23, 2026 13:29
@codacy-production

codacy-production bot commented Jan 23, 2026

Codacy's Analysis Summary

3 new issues, 2 flagged as potential false positives (≤ 1 medium issue)
2 new security issues (≤ 0 issue)
54 complexity
0 duplications

Copilot AI left a comment

Pull request overview

This PR adds a new container-scan command to the Codacy CLI that enables vulnerability scanning of container images using Trivy. The command supports scanning single or multiple container images for vulnerabilities with configurable severity levels and package types.

Changes:

  • Added new container-scan command with support for multiple image scanning, customizable severity levels, package types, and unfixed vulnerability filtering
  • Updated validation logic to skip codacy.yaml requirement for container-scan command
  • Integrated Trivy as the vulnerability scanning engine with proper input validation to prevent command injection

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

  • cmd/container_scan.go: Implements the new container-scan command with Trivy integration, input validation, and multi-image scanning support
  • cmd/container_scan_test.go: Provides unit tests for command arguments, flag defaults, image name validation, and Trivy argument construction
  • cmd/validation.go: Adds container-scan to the list of commands that skip codacy.yaml validation
  • cli-v2.go: Updates early-exit logic to allow container-scan to run without a configuration file

@codacy-production

codacy-production bot commented Jan 23, 2026

Coverage summary from Codacy

Coverage variation: +0.75% (target: -0.50%)
Diff coverage: 46.90% (target: 50.00%)

Coverage variation details

Commit                              Coverable lines   Covered lines   Coverage
Common ancestor commit (e1bb1bc)    5798              1179            20.33%
Head commit (5b9ff97)               5910 (+112)       1246 (+67)      21.08% (+0.75%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

                        Coverable lines   Covered lines   Diff coverage
Pull request (#192)     113               53              46.90%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

Copilot AI review requested due to automatic review settings January 23, 2026 13:50
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

func TestBuildTrivyArgs(t *testing.T) {
for _, tt := range trivyArgsTestCases {
t.Run(tt.name, func(t *testing.T) {
Copilot AI Jan 23, 2026

Tests are modifying global flag variables (severityFlag, pkgTypesFlag, ignoreUnfixedFlag) which can cause test interference if tests run in parallel or in different orders. This is a test isolation issue that could lead to flaky tests. Consider one of these approaches:

  1. Use table-driven tests with a setup/teardown that resets flags between test cases
  2. Store original values and restore them with t.Cleanup()
  3. Refactor buildTrivyArgs to accept parameters instead of reading from global variables
Suggested change
t.Run(tt.name, func(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
// Preserve original global flag values and restore them after the subtest.
origSeverity := severityFlag
origPkgTypes := pkgTypesFlag
origIgnoreUnfixed := ignoreUnfixedFlag
t.Cleanup(func() {
severityFlag = origSeverity
pkgTypesFlag = origPkgTypes
ignoreUnfixedFlag = origIgnoreUnfixed
})

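
The overview above credits the command with input validation that prevents command injection, and the comment above lists, as its third option, having buildTrivyArgs take parameters instead of reading global flags. The Go code below is an added illustration of both and is not the PR's own code: ScanOptions, ValidateImageName, BuildTrivyArgs and the imageRefPattern regex are assumed names, while the defaults (HIGH,CRITICAL and os) and the Trivy flag names come from the flag definitions shown on this page.

```go
package main

import (
	"fmt"
	"regexp"
)

// ScanOptions carries what the PR reads from its global flags; passing it
// explicitly leaves no shared state for tests to save and restore.
type ScanOptions struct {
	Severity      string // comma-separated; "" selects the default HIGH,CRITICAL
	PkgTypes      string // comma-separated; "" selects the default os
	IgnoreUnfixed bool
}

// imageRefPattern is an assumption: an approximation of an OCI reference,
// host[:port]/path[:tag][@sha256:digest]. It admits no whitespace, no shell
// metacharacters and no leading dash, so a value that passes can neither
// smuggle in a second command nor be parsed by Trivy as an option.
var imageRefPattern = regexp.MustCompile(
	`^[A-Za-z0-9][A-Za-z0-9._-]*(?::[0-9]+)?(?:/[A-Za-z0-9][A-Za-z0-9._-]*)*` +
		`(?::[A-Za-z0-9_][A-Za-z0-9._-]{0,127})?(?:@sha256:[a-f0-9]{64})?$`)

// ValidateImageName rejects anything that is not a plausible image reference.
func ValidateImageName(image string) error {
	if image == "" || len(image) > 255 || !imageRefPattern.MatchString(image) {
		return fmt.Errorf("invalid image reference %q", image)
	}
	return nil
}

// BuildTrivyArgs returns the argv for exec.Command("trivy", args...). A slice
// is never re-parsed by a shell, so the image needs no quoting or escaping.
func BuildTrivyArgs(opts ScanOptions, image string) ([]string, error) {
	if err := ValidateImageName(image); err != nil {
		return nil, err
	}
	severity, pkgTypes := opts.Severity, opts.PkgTypes
	if severity == "" {
		severity = "HIGH,CRITICAL"
	}
	if pkgTypes == "" {
		pkgTypes = "os"
	}
	args := []string{"image", "--severity", severity, "--pkg-types", pkgTypes}
	if opts.IgnoreUnfixed {
		args = append(args, "--ignore-unfixed")
	}
	return append(args, image), nil
}
```

Because each subtest passes its own ScanOptions, nothing in severityFlag, pkgTypesFlag or ignoreUnfixedFlag has to be saved and restored, and the table-driven test can run its cases in any order or in parallel.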
Comment on lines +30 to +35
func init() {
containerScanCmd.Flags().StringVar(&severityFlag, "severity", "", "Comma-separated list of severities to scan for (default: HIGH,CRITICAL)")
containerScanCmd.Flags().StringVar(&pkgTypesFlag, "pkg-types", "", "Comma-separated list of package types to scan (default: os)")
containerScanCmd.Flags().BoolVar(&ignoreUnfixedFlag, "ignore-unfixed", true, "Ignore unfixed vulnerabilities")
rootCmd.AddCommand(containerScanCmd)
}
Copilot AI Jan 23, 2026

The command definition places the init() function before the command variable definition, which is inconsistent with the codebase convention. Looking at other commands in the codebase (version.go:12-38, update.go:13-66, init.go:23-72), the standard pattern is to define the command variable first, then the init() function. This improves readability and follows Go conventions where init() functions typically appear at the end of the file.
