Add tar file detection and local resolution enforcement in scan commands

- Introduce `isTarFileReference` function to identify tar file references in container images.
- Implement `enforceLocalResolutionForTarFiles` function to automatically enable local resolution when tar files are detected in the `--container-images` flag.
- Enhance test coverage with new test cases for tar file detection and local resolution enforcement.
- Ensure integration with the scan create command to validate behavior with tar files.

Author: Checkmarx Automation

internal/commands/scan.go

@@ -2255,6 +2255,108 @@ func definePathForZipFileOrDirectory(cmd *cobra.Command) (zipFile, sourceDir str
 	return zipFile, sourceDir, err
 }
 
+// enforceLocalResolutionForTarFiles checks if any container image is a tar file
+// and enforces local resolution by setting the --containers-local-resolution flag.
+// Container-security scan-type related function.
+func enforceLocalResolutionForTarFiles(cmd *cobra.Command) error {
+	containerImagesFlag, _ := cmd.Flags().GetString(commonParams.ContainerImagesFlag)
+
+	// If no container images specified, nothing to check
+	if containerImagesFlag == "" {
+		return nil
+	}
+
+	// Check if --containers-local-resolution is already set
+	containerResolveLocally, _ := cmd.Flags().GetBool(commonParams.ContainerResolveLocallyFlag)
+
+	// If already set to true, we're good
+	if containerResolveLocally {
+		return nil
+	}
+
+	// Parse container images list
+	containerImagesList := strings.Split(strings.TrimSpace(containerImagesFlag), ",")
+	hasTarFile := false
+
+	for _, containerImageName := range containerImagesList {
+		// Normalize input: trim spaces and quotes
+		containerImageName = strings.TrimSpace(containerImageName)
+		containerImageName = strings.Trim(containerImageName, "'\"")
+
+		// Skip empty entries
+		if containerImageName == "" {
+			continue
+		}
+
+		// Check if this is a tar file by checking if it contains a tar file reference
+		if isTarFileReference(containerImageName) {
+			hasTarFile = true
+			break
+		}
+	}
+
+	// If at least one tar file is found, enforce local resolution
+	if hasTarFile {
+		logger.PrintIfVerbose("Detected tar file(s) in --container-images flag")
+		fmt.Println("Warning: Tar file(s) detected in --container-images. Automatically enabling --containers-local-resolution flag.")
+
+		// Set the flag to true
+		err := cmd.Flags().Set(commonParams.ContainerResolveLocallyFlag, "true")
+		if err != nil {
+			return errors.Wrapf(err, "Failed to set --containers-local-resolution flag")
+		}
+	}
+
+	return nil
+}
+
+// isTarFileReference checks if a container image reference points to a tar file.
+// Container-security scan-type related function.
+func isTarFileReference(imageRef string) bool {
+	// Known prefixes that might precede the actual file path
+	knownPrefixes := []string{
+		"docker-archive:",
+		"oci-archive:",
+		"file:",
+		"oci-dir:",
+	}
+
+	// First, trim quotes from the entire input
+	actualRef := strings.Trim(imageRef, "'\"")
+
+	// Strip known prefixes to get the actual reference
+	for _, prefix := range knownPrefixes {
+		if strings.HasPrefix(actualRef, prefix) {
+			actualRef = strings.TrimPrefix(actualRef, prefix)
+			actualRef = strings.Trim(actualRef, "'\"")
+			break
+		}
+	}
+
+	// Check if the reference ends with .tar (case-insensitive)
+	lowerRef := strings.ToLower(actualRef)
+
+	// If it ends with .tar, it's a tar file (no tag suffix allowed)
+	if strings.HasSuffix(lowerRef, ".tar") {
+		return true
+	}
+
+	// If it contains a colon but doesn't end with .tar, check if it's a file.tar:tag format (invalid)
+	// A tar file cannot have a tag suffix like file.tar:tag
+	if strings.Contains(actualRef, ":") {
+		parts := strings.Split(actualRef, ":")
+		if len(parts) >= 2 {
+			firstPart := strings.ToLower(parts[0])
+			// If the part before the colon is a tar file, this is invalid (tar files don't have tags)
+			if strings.HasSuffix(firstPart, ".tar") {
+				return false
+			}
+		}
+	}
+
+	return false
+}
+
 func runCreateScanCommand(
 	scansWrapper wrappers.ScansWrapper,
 	exportWrapper wrappers.ExportWrapper,
@@ -2281,6 +2383,11 @@ func runCreateScanCommand(
 		if err != nil {
 			return err
 		}
+		// Check if tar files are used in --container-images and enforce local resolution
+		err = enforceLocalResolutionForTarFiles(cmd)
+		if err != nil {
+			return err
+		}
 		ignorePolicy, _ := cmd.Flags().GetBool(commonParams.IgnorePolicyFlag)
 
 		// Check if the user has permission to override policy management if --ignore-policy is set

internal/commands/scan_test.go

@@ -4050,3 +4050,170 @@ func Test_CreateScanWithExistingProjectAssign_to_Application_FF_DirectAssociatio
 	}
 	assert.Equal(t, strings.Contains(stdoutString, "Successfully updated the application"), true, "Expected output: %s", "Successfully updated the application")
 }
+
+// TestIsTarFileReference tests the tar file detection logic.
+// Container-security scan-type related test function.
+func TestIsTarFileReference(t *testing.T) {
+	testCases := []struct {
+		name     string
+		imageRef string
+		expected bool
+	}{
+		// Tar files (various formats)
+		{"Simple tar", "alpine.tar", true},
+		{"Tar with path", "/path/to/image.tar", true},
+		{"Tar case insensitive", "image.TAR", true},
+		{"Tar with quotes", "'alpine.tar'", true},
+		{"Tar multiple dots", "alpine.3.18.0.tar", true},
+
+		// Prefixed tar files
+		{"docker-archive tar", "docker-archive:alpine.tar", true},
+		{"oci-archive tar", "oci-archive:image.tar", true},
+		{"file prefix tar", "file:myimage.tar", true},
+		{"oci-dir tar", "oci-dir:image.tar", true},
+
+		// Non-tar images
+		{"Image with tag", "nginx:latest", false},
+		{"Image with registry", "registry.io/namespace/image:v1.0", false},
+		{"Compressed tar.gz", "image.tar.gz", false},
+
+		// Prefixed non-tar images
+		{"docker-archive image", "docker-archive:nginx:latest", false},
+		{"docker daemon image", "docker:nginx:latest", false},
+		{"registry image", "registry:ubuntu:20.04", false},
+		{"oci-dir with directory:tag", "oci-dir:/path/to/dir:latest", false},
+
+		// Invalid: tar file cannot have tag
+		{"Invalid tar with tag", "oci-dir:image.tar:latest", false},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if result := isTarFileReference(tc.imageRef); result != tc.expected {
+				t.Errorf("Expected %v for '%s', got %v", tc.expected, tc.imageRef, result)
+			}
+		})
+	}
+}
+
+// TestEnforceLocalResolutionForTarFiles tests the automatic enforcement of local resolution when tar files are detected.
+// Container-security scan-type related test function.
+func TestEnforceLocalResolutionForTarFiles(t *testing.T) {
+	testCases := []struct {
+		name                    string
+		containerImages         string
+		initialLocalResolution  bool
+		expectedLocalResolution bool
+		expectWarning           bool
+	}{
+		// No action needed
+		{"Empty images", "", false, false, false},
+		{"Already enabled", "alpine.tar", true, true, false},
+		{"Only image:tag", "nginx:latest,alpine:3.18", false, false, false},
+		{"Non-tar prefixes", "docker:nginx:latest,registry:ubuntu:22.04", false, false, false},
+		{"Invalid tar:tag format", "oci-dir:file.tar:latest", false, false, false},
+
+		// Should enable local resolution
+		{"Single tar", "alpine.tar", false, true, true},
+		{"Mixed tar+image", "nginx:latest,alpine.tar", false, true, true},
+		{"Tar with spaces/quotes", " 'alpine.tar' ,nginx:latest", false, true, true},
+		{"Prefixed tar", "docker-archive:alpine.tar", false, true, true},
+		{"oci-dir tar", "oci-dir:image.tar", false, true, true},
+		{"Tar at end", "nginx:latest,ubuntu.tar", false, true, true},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			// Create a mock command
+			cmd := &cobra.Command{}
+			cmd.Flags().String(commonParams.ContainerImagesFlag, "", "")
+			cmd.Flags().Bool(commonParams.ContainerResolveLocallyFlag, false, "")
+
+			// Set the initial flag values
+			_ = cmd.Flags().Set(commonParams.ContainerImagesFlag, tc.containerImages)
+			_ = cmd.Flags().Set(commonParams.ContainerResolveLocallyFlag, fmt.Sprintf("%v", tc.initialLocalResolution))
+
+			// Capture output to check for warning message
+			oldStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			// Run the function
+			err := enforceLocalResolutionForTarFiles(cmd)
+
+			// Restore stdout
+			w.Close()
+			os.Stdout = oldStdout
+			var buf bytes.Buffer
+			_, _ = io.Copy(&buf, r)
+			output := buf.String()
+
+			// Validate results
+			if err != nil {
+				t.Errorf("Unexpected error: %v", err)
+			}
+
+			actualLocalResolution, _ := cmd.Flags().GetBool(commonParams.ContainerResolveLocallyFlag)
+			if actualLocalResolution != tc.expectedLocalResolution {
+				t.Errorf("Expected local resolution=%v, got=%v", tc.expectedLocalResolution, actualLocalResolution)
+			}
+
+			hasWarning := strings.Contains(output, "Warning:") && strings.Contains(output, "Tar file")
+			if tc.expectWarning && !hasWarning {
+				t.Errorf("Expected warning but got: %s", output)
+			} else if !tc.expectWarning && hasWarning {
+				t.Errorf("Unexpected warning: %s", output)
+			}
+		})
+	}
+}
+
+// TestEnforceLocalResolutionForTarFiles_Integration tests the integration with scan create command.
+// Container-security scan-type related test function.
+func TestEnforceLocalResolutionForTarFiles_Integration(t *testing.T) {
+	tempDir := t.TempDir()
+	tarFile := filepath.Join(tempDir, "test.tar")
+	if file, err := os.Create(tarFile); err != nil {
+		t.Fatalf("Failed to create test tar: %v", err)
+	} else {
+		file.Close()
+	}
+
+	testCases := []struct {
+		name       string
+		images     string
+		addFlag    bool
+		expectWarn bool
+	}{
+		{"Tar without flag", tarFile, false, true},
+		{"Tar with flag", tarFile, true, false},
+		{"Image without flag", "nginx:latest", false, false},
+		{"Mixed without flag", tarFile + ",nginx:latest", false, true},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			args := []string{"scan", "create", "--project-name", "MOCK", "-s", ".",
+				"-b", "test-branch", "--scan-types", "containers", "--container-images", tc.images}
+			if tc.addFlag {
+				args = append(args, "--containers-local-resolution")
+			}
+
+			oldStdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+			execCmdNilAssertion(t, args...)
+			w.Close()
+			os.Stdout = oldStdout
+
+			var buf bytes.Buffer
+			_, _ = io.Copy(&buf, r)
+			hasWarning := strings.Contains(buf.String(), "Warning:") && strings.Contains(buf.String(), "Tar file")
+
+			if tc.expectWarn != hasWarning {
+				t.Errorf("Expected warning=%v, got=%v", tc.expectWarn, hasWarning)
+			}
+		})
+	}
+}