Fix oci-dir validation to allow directories without tags

- Allow oci-dir: prefix to reference directories without requiring tags
- Allow file:, docker-archive:, oci-archive: prefixes without tags
- Add comprehensive test coverage for oci-dir validation
- Fixes issue where skopeo-generated OCI directories were incorrectly rejected
- Test cases cover: oci-dir without tag, with tag, with tar files, missing directories

The OCI directory layout stores tag information internally, so requiring
a tag in the CLI input is incorrect. This fix allows commands like:
  cx scan create --container-images "oci-dir:my-alpine-image" ...
to work correctly with skopeo-generated OCI directories.

Author: Checkmarx Automation

internal/commands/scan.go

@@ -3593,7 +3593,7 @@ func validateContainerImageFormat(containerImage string) error {
 		return nil // Valid image:tag format
 	}
 
-	// Step 3: No colon found - check if it's a tar file
+	// Step 3: No colon found - check if it's a tar file or special prefix that doesn't require tags
 	lowerInput := strings.ToLower(sanitizedInput)
 	if strings.HasSuffix(lowerInput, ".tar") {
 		// It's a tar file - check if it exists locally
@@ -3618,7 +3618,20 @@ func validateContainerImageFormat(containerImage string) error {
 		return errors.Errorf("--container-images flag error: image does not have a tag. Did you try to scan a tar file?")
 	}
 
-	// Step 4: Not a tar file and no colon - assume user tries to use image with tag (error)
+	// Step 4: Special handling for prefixes that don't require tags (e.g., oci-dir:)
+	if hasKnownSource {
+		prefix := getPrefixFromInput(containerImage, knownSources)
+		// oci-dir can reference directories without tags, validate it
+		if prefix == "oci-dir:" {
+			return validatePrefixedContainerImage(containerImage, prefix)
+		}
+		// Archive prefixes (file:, docker-archive:, oci-archive:) can reference files without tags
+		if prefix == "file:" || prefix == "docker-archive:" || prefix == "oci-archive:" {
+			return validatePrefixedContainerImage(containerImage, prefix)
+		}
+	}
+
+	// Step 5: Not a tar file, no special prefix, and no colon - assume user forgot to add tag (error)
 	return errors.Errorf("--container-images flag error: image does not have a tag")
 }
 

internal/commands/scan_test.go

@@ -2195,6 +2195,7 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 		containerImage string
 		expectedError  string
 		setupFiles     []string
+		setupDirs      []string
 	}{
 		// ==================== Basic Format Tests ====================
 		{
@@ -2409,6 +2410,37 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 			expectedError:  "image does not have a tag",
 		},
 
+		// ==================== OCI-Dir Tests ====================
+		{
+			name:           "Valid oci-dir without tag",
+			containerImage: "oci-dir:my-alpine-image",
+			expectedError:  "",
+			setupDirs:      []string{"my-alpine-image"},
+		},
+		{
+			name:           "Valid oci-dir with tag",
+			containerImage: "oci-dir:my-image:latest",
+			expectedError:  "",
+			setupDirs:      []string{"my-image"},
+		},
+		{
+			name:           "Valid oci-dir with directory name",
+			containerImage: "oci-dir:oci-image-dir",
+			expectedError:  "",
+			setupDirs:      []string{"oci-image-dir"},
+		},
+		{
+			name:           "Invalid oci-dir - directory does not exist",
+			containerImage: "oci-dir:nonexistent-dir",
+			expectedError:  "--container-images flag error: path nonexistent-dir does not exist",
+		},
+		{
+			name:           "Valid oci-dir with tar file",
+			containerImage: "oci-dir:image.tar",
+			expectedError:  "",
+			setupFiles:     []string{"image.tar"},
+		},
+
 		// ==================== Dir Prefix (Forbidden) ====================
 		{
 			name:           "Invalid - dir prefix not supported",
@@ -2438,8 +2470,8 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 	for _, tc := range testCases {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
-			// Setup test files if needed
-			cleanupFuncs := setupTestFilesAndDirs(t, tc.setupFiles, nil)
+			// Setup test files and directories if needed
+			cleanupFuncs := setupTestFilesAndDirs(t, tc.setupFiles, tc.setupDirs)
 			defer func() {
 				for _, cleanup := range cleanupFuncs {
 					cleanup()