Update dependencies and refactor container image handling

- Upgrade containers-resolver to v1.0.23 and containers-syft-packages-extractor to v1.0.19 in go.mod and go.sum.
- Refactor container image processing logic to pass images as-is to syft, removing the previous prefix-stripping functionality.
- Consolidate container image prefix constants for improved readability and maintainability.
- Enhance validation logic for container image formats by utilizing defined constants instead of hardcoded strings.

Author: Checkmarx Automation

go.mod

@@ -3,7 +3,7 @@ module github.com/checkmarx/ast-cli
 go 1.24.6
 
 require (
-	github.com/Checkmarx/containers-resolver v1.0.22
+	github.com/Checkmarx/containers-resolver v1.0.23
 	github.com/Checkmarx/containers-types v1.0.9
 	github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
 	github.com/Checkmarx/gen-ai-wrapper v1.0.2
@@ -50,7 +50,7 @@ require (
 	github.com/BobuSumisu/aho-corasick v1.0.3 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Checkmarx/containers-images-extractor v1.0.18
-	github.com/Checkmarx/containers-syft-packages-extractor v1.0.18 // indirect
+	github.com/Checkmarx/containers-syft-packages-extractor v1.0.19 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
 	github.com/DataDog/zstd v1.5.6 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect

go.sum

@@ -65,14 +65,10 @@ github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Checkmarx/containers-images-extractor v1.0.18 h1:vj22lJurK72Zw28uenlzntDKIiXK0zN993lfsMdJh+w=
 github.com/Checkmarx/containers-images-extractor v1.0.18/go.mod h1:n3B8u4/WZCtsIwamIz7Prz6Ktl169i+aJb9Yq5R3D2M=
-github.com/Checkmarx/containers-resolver v1.0.21 h1:HFl9ZfdzH7Fh3jvdRxnTIHYotI/3ZNMJTFP70c1jZWU=
-github.com/Checkmarx/containers-resolver v1.0.21/go.mod h1:Kq7Jb+bvCx+BObImrydImkFIPWyhaZaX6lJyoz+IhA4=
-github.com/Checkmarx/containers-resolver v1.0.22 h1:UXIbMLS/olOSTRpm0EIgDdJUkRZ1yDbIF7TInyB8/wQ=
-github.com/Checkmarx/containers-resolver v1.0.22/go.mod h1:63a9NJmj4xktasA0tUDm5hclErwesdWT4taF7jrAgUg=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.17 h1:OrqJ7Z+9Cpz+258B9uMGgxA8/prTuHmG0w7UJ+y6Fvw=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.17/go.mod h1:o5O/uQuZVaHTsOU4PXQyRseGSblR+HXsdfZv7Hrt5CA=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.18 h1:Y1mE3oE2AkU05ooTvCIxsh8TpaWkJt6t83nqJMY9bDw=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.18/go.mod h1:o5O/uQuZVaHTsOU4PXQyRseGSblR+HXsdfZv7Hrt5CA=
+github.com/Checkmarx/containers-resolver v1.0.23 h1:cXu7d3TCHHD3s3JGu8jazm28qeLBAwLWJ5J09yA5qGo=
+github.com/Checkmarx/containers-resolver v1.0.23/go.mod h1:gNcfCDiUs/mDYOW/FXBqnC9Dy3Q300oAT2UFap9D40o=
+github.com/Checkmarx/containers-syft-packages-extractor v1.0.19 h1:0FifsoDW5HDnRpL3pzQKN31smWy8nD7Zm42D40AA4VY=
+github.com/Checkmarx/containers-syft-packages-extractor v1.0.19/go.mod h1:LBuo6NbNip0iZUCwmd5gFWYaLAlnl5STidlI2FYwoUw=
 github.com/Checkmarx/containers-types v1.0.9 h1:LbHDj9LZ0x3f28wDx398WC19sw0U0EfEewHMLStBwvs=
 github.com/Checkmarx/containers-types v1.0.9/go.mod h1:KR0w8XCosq3+6jRCfQrH7i//Nj2u11qaUJM62CREFZA=
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE+CFvgjbIxUNL8rsdB2sAhfuNx85HvxImKta3g=
@@ -745,8 +741,6 @@ github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/z
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.5.1-0.20220423092549-19e70c243037 h1:HFfFxOGn95p7f1McxDK/LbYRMTjNKiDEOMgUIzMSXdU=
 github.com/mitchellh/mapstructure v1.5.1-0.20220423092549-19e70c243037/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=

internal/commands/scan.go

@@ -2062,10 +2062,9 @@ func runContainerResolver(cmd *cobra.Command, directoryPath, containerImageFlag
 
 		logger.PrintIfVerbose(fmt.Sprintf("User input container images identified: %v", strings.Join(containerImagesList, ", ")))
 
-		// Process container images for syft compatibility (strip prefixes as syft does)
-		processedImages := processContainerImagesForSyft(containerImagesList)
-		logger.PrintIfVerbose(fmt.Sprintf("Processed container images for syft: %v", strings.Join(processedImages, ", ")))
-		containerImagesList = processedImages
+		// Pass images as-is to syft - it needs the prefixes to determine the image source
+		// Examples: "oci-dir:my-alpine-image", "docker:nginx:latest", "file:alpine.tar"
+		logger.PrintIfVerbose(fmt.Sprintf("Container images will be passed to syft: %v", strings.Join(containerImagesList, ", ")))
 	}
 	if containerResolveLocally || len(containerImagesList) > 0 {
 		containerResolverErr := containerResolver.Resolve(directoryPath, directoryPath, containerImagesList, debug)
@@ -2076,64 +2075,6 @@ func runContainerResolver(cmd *cobra.Command, directoryPath, containerImageFlag
 	return nil
 }
 
-// processContainerImagesForSyft processes container image references using syft's scheme extraction logic.
-// Container-security scan-type related function.
-// This function strips known prefixes (docker:, podman:, file:, etc.) from image references
-// to match syft/stereoscope's expected input format.
-func processContainerImagesForSyft(images []string) []string {
-	var processedImages []string
-
-	// Define known source provider tags (based on syft/stereoscope providers)
-	knownSources := []string{
-		"file", "dir", "docker", "podman", "containerd", "registry",
-		"docker-archive", "oci-archive", "oci-dir", "singularity",
-	}
-
-	for _, image := range images {
-		// Use the same scheme extraction logic as syft/stereoscope
-		source, strippedInput := extractSchemeSource(image, knownSources)
-
-		var processedImage string
-		if source != "" {
-			// Valid scheme found - use the stripped input (like syft does)
-			processedImage = strippedInput
-		} else {
-			// No valid scheme - pass the original input unchanged
-			processedImage = image
-		}
-
-		processedImages = append(processedImages, processedImage)
-	}
-
-	return processedImages
-}
-
-// extractSchemeSource mimics stereoscope.ExtractSchemeSource behavior.
-// Container-security scan-type related function.
-// This function extracts and validates source prefixes from container image references.
-func extractSchemeSource(userInput string, sources []string) (source, newInput string) {
-	const SchemeSeparator = ":"
-	const minPartsForScheme = 2
-	const schemePartIndex = 0
-	const inputPartIndex = 1
-
-	parts := strings.SplitN(userInput, SchemeSeparator, minPartsForScheme)
-	if len(parts) < minPartsForScheme {
-		return "", userInput
-	}
-
-	// Check if the first part is a valid source hint
-	sourceHint := strings.TrimSpace(strings.ToLower(parts[schemePartIndex]))
-	for _, validSource := range sources {
-		if sourceHint == validSource {
-			return sourceHint, parts[inputPartIndex]
-		}
-	}
-
-	// No valid scheme found
-	return "", userInput
-}
-
 func uploadZip(uploadsWrapper wrappers.UploadsWrapper, zipFilePath string, unzip, userProvidedZip bool, featureFlagsWrapper wrappers.FeatureFlagsWrapper) (
 	url, zipPath string,
 	err error,
@@ -2315,10 +2256,10 @@ func enforceLocalResolutionForTarFiles(cmd *cobra.Command) error {
 func isTarFileReference(imageRef string) bool {
 	// Known prefixes that might precede the actual file path
 	knownPrefixes := []string{
-		"docker-archive:",
-		"oci-archive:",
-		"file:",
-		"oci-dir:",
+		dockerArchivePrefix,
+		ociArchivePrefix,
+		filePrefix,
+		ociDirPrefix,
 	}
 
 	// First, trim quotes from the entire input
@@ -3528,6 +3469,19 @@ func validateCreateScanFlags(cmd *cobra.Command) error {
 	return nil
 }
 
+// Container image prefix constants for validation
+const (
+	dockerPrefix        = "docker:"
+	podmanPrefix        = "podman:"
+	containerdPrefix    = "containerd:"
+	registryPrefix      = "registry:"
+	dockerArchivePrefix = "docker-archive:"
+	ociArchivePrefix    = "oci-archive:"
+	ociDirPrefix        = "oci-dir:"
+	filePrefix          = "file:"
+	dirPrefix           = "dir:"
+)
+
 // validateContainerImageFormat validates container image references for the --container-images flag.
 // Container-security scan-type related function.
 // This function implements comprehensive validation logic for all supported container image formats:
@@ -3538,18 +3492,18 @@ func validateCreateScanFlags(cmd *cobra.Command) error {
 func validateContainerImageFormat(containerImage string) error {
 	// Define known sources (prefixes) for container image references
 	knownSources := []string{
-		"docker:",
-		"podman:",
-		"containerd:",
-		"registry:",
-		"docker-archive:",
-		"oci-archive:",
-		"oci-dir:",
-		"file:",
+		dockerPrefix,
+		podmanPrefix,
+		containerdPrefix,
+		registryPrefix,
+		dockerArchivePrefix,
+		ociArchivePrefix,
+		ociDirPrefix,
+		filePrefix,
 	}
 
 	// Check for explicitly forbidden prefixes first
-	if strings.HasPrefix(containerImage, "dir:") {
+	if strings.HasPrefix(containerImage, dirPrefix) {
 		return errors.Errorf("Invalid value for --container-images flag. The 'dir:' prefix is not supported as it would scan entire directories rather than a single image")
 	}
 
@@ -3622,11 +3576,11 @@ func validateContainerImageFormat(containerImage string) error {
 	if hasKnownSource {
 		prefix := getPrefixFromInput(containerImage, knownSources)
 		// oci-dir can reference directories without tags, validate it
-		if prefix == "oci-dir:" {
+		if prefix == ociDirPrefix {
 			return validatePrefixedContainerImage(containerImage, prefix)
 		}
 		// Archive prefixes (file:, docker-archive:, oci-archive:) can reference files without tags
-		if prefix == "file:" || prefix == "docker-archive:" || prefix == "oci-archive:" {
+		if prefix == filePrefix || prefix == dockerArchivePrefix || prefix == ociArchivePrefix {
 			return validatePrefixedContainerImage(containerImage, prefix)
 		}
 	}
@@ -3664,13 +3618,13 @@ func validatePrefixedContainerImage(containerImage, prefix string) error {
 
 	// Delegate to specific validators based on prefix type
 	switch prefix {
-	case "docker-archive:", "oci-archive:", "file:":
+	case dockerArchivePrefix, ociArchivePrefix, filePrefix:
 		return validateArchivePrefix(imageRef)
-	case "oci-dir:":
+	case ociDirPrefix:
 		return validateOCIDirPrefix(imageRef)
-	case "registry:":
+	case registryPrefix:
 		return validateRegistryPrefix(imageRef)
-	case "docker:", "podman:", "containerd:":
+	case dockerPrefix, podmanPrefix, containerdPrefix:
 		return validateDaemonPrefix(imageRef, prefix)
 	default:
 		return nil