codacy and copilot review changes applied

Author: franciscoovazevedo

cmd/container_scan.go

@@ -35,7 +35,7 @@ func init() {
 }
 
 var containerScanCmd = &cobra.Command{
-	Use:   "container-scan [FLAGS] <IMAGE_NAME> [IMAGE_NAME...]",
+	Use:   "container-scan <IMAGE_NAME> [IMAGE_NAME...]",
 	Short: "Scan container images for vulnerabilities using Trivy",
 	Long: `Scan one or more container images for vulnerabilities using Trivy.
 
@@ -74,19 +74,19 @@ func validateImageName(imageName string) error {
 		return fmt.Errorf("image name is too long (max 256 characters)")
 	}
 
-	// Validate against allowed pattern
-	if !validImageNamePattern.MatchString(imageName) {
-		return fmt.Errorf("invalid image name format: contains disallowed characters")
-	}
-
-	// Additional check for dangerous shell metacharacters
+	// Check for dangerous shell metacharacters first for specific error messages
 	dangerousChars := []string{";", "&", "|", "$", "`", "(", ")", "{", "}", "<", ">", "!", "\\", "\n", "\r", "'", "\""}
 	for _, char := range dangerousChars {
 		if strings.Contains(imageName, char) {
 			return fmt.Errorf("invalid image name: contains disallowed character '%s'", char)
 		}
 	}
 
+	// Validate against allowed pattern for any other invalid characters
+	if !validImageNamePattern.MatchString(imageName) {
+		return fmt.Errorf("invalid image name format: contains disallowed characters")
+	}
+
 	return nil
 }
 
@@ -98,7 +98,8 @@ func getTrivyPath() string {
 		color.Red("❌ Error: Trivy is not installed or not found in PATH")
 		fmt.Println("Please install Trivy to use container scanning.")
 		fmt.Println("Visit: https://trivy.dev/latest/getting-started/installation/")
-		os.Exit(1)
+		fmt.Println("exit-code 2")
+		os.Exit(2)
 	}
 	logger.Info("Found Trivy", logrus.Fields{"path": trivyPath})
 	return trivyPath
@@ -112,7 +113,8 @@ func runContainerScan(_ *cobra.Command, args []string) {
 		if err := validateImageName(imageName); err != nil {
 			logger.Error("Invalid image name", logrus.Fields{"image": imageName, "error": err.Error()})
 			color.Red("❌ Error: %v", err)
-			os.Exit(1)
+			fmt.Println("exit-code 2")
+			os.Exit(2)
 		}
 	}
 
@@ -129,6 +131,9 @@ func runContainerScan(_ *cobra.Command, args []string) {
 			fmt.Printf("🔍 Scanning container image: %s\n\n", imageName)
 		}
 
+		// #nosec G204 -- imageName is validated by validateImageName() which checks for
+		// shell metacharacters and enforces a strict character allowlist. Additionally,
+		// exec.Command passes arguments directly without shell interpretation.
 		trivyCmd := exec.Command(trivyPath, buildTrivyArgs(imageName)...)
 		trivyCmd.Stdout = os.Stdout
 		trivyCmd.Stderr = os.Stderr
@@ -142,7 +147,8 @@ func runContainerScan(_ *cobra.Command, args []string) {
 			} else {
 				logger.Error("Failed to run Trivy", logrus.Fields{"error": err.Error(), "image": imageName})
 				color.Red("❌ Error: Failed to run Trivy for %s: %v", imageName, err)
-				os.Exit(1)
+				fmt.Println("exit-code 2")
+				os.Exit(2)
 			}
 		} else {
 			logger.Info("No vulnerabilities found in image", logrus.Fields{"image": imageName})
@@ -154,11 +160,13 @@ func runContainerScan(_ *cobra.Command, args []string) {
 	if hasVulnerabilities {
 		logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{"images": imageNames})
 		color.Red("❌ Scanning failed: vulnerabilities found in one or more container images")
+		fmt.Println("exit-code 1")
 		os.Exit(1)
 	}
 
 	logger.Info("Container scan completed successfully", logrus.Fields{"images": imageNames})
 	color.Green("✅ Success: No vulnerabilities found matching the specified criteria")
+	fmt.Println("exit-code 0")
 }
 
 // buildTrivyArgs constructs the Trivy command arguments based on flags

cmd/container_scan_test.go

@@ -31,11 +31,11 @@ var trivyArgsTestCases = []trivyArgsTestCase{
 		},
 	},
 	{
-		name:          "custom severity only",
-		imageName:     "codacy/engine:1.0.0",
-		severity:      "CRITICAL",
-		pkgTypes:      "",
-		ignoreUnfixed: true,
+		name:                "custom severity only",
+		imageName:           "codacy/engine:1.0.0",
+		severity:            "CRITICAL",
+		pkgTypes:            "",
+		ignoreUnfixed:       true,
 		expectedContains:    []string{"--severity", "CRITICAL", "--pkg-types", "os", "--ignore-unfixed", "codacy/engine:1.0.0"},
 		expectedNotContains: []string{"HIGH,CRITICAL"},
 	},
@@ -153,7 +153,7 @@ func TestContainerScanCommandSkipsValidation(t *testing.T) {
 }
 
 func TestContainerScanCommandRequiresArg(t *testing.T) {
-	assert.Equal(t, "container-scan [FLAGS] <IMAGE_NAME> [IMAGE_NAME...]", containerScanCmd.Use, "Command use should match expected format")
+	assert.Equal(t, "container-scan <IMAGE_NAME> [IMAGE_NAME...]", containerScanCmd.Use, "Command use should match expected format")
 
 	err := containerScanCmd.Args(containerScanCmd, []string{})
 	assert.Error(t, err, "Should error when no args provided")
@@ -255,3 +255,84 @@ func TestBuildTrivyArgsDefaultsApplied(t *testing.T) {
 
 	assert.Contains(t, args, "--ignore-unfixed", "--ignore-unfixed should be present when enabled")
 }
+
+// Tests for multiple image support
+
+func TestValidateMultipleImages(t *testing.T) {
+	// All valid images should pass
+	validImages := []string{"alpine:latest", "nginx:1.21", "redis:7"}
+	for _, img := range validImages {
+		err := validateImageName(img)
+		assert.NoError(t, err, "Valid image %s should not error", img)
+	}
+}
+
+func TestValidateMultipleImagesFailsOnInvalid(t *testing.T) {
+	// Test that validation catches invalid images in a list
+	images := []string{"alpine:latest", "nginx;malicious", "redis:7"}
+
+	var firstError error
+	for _, img := range images {
+		if err := validateImageName(img); err != nil {
+			firstError = err
+			break
+		}
+	}
+
+	assert.Error(t, firstError, "Should catch invalid image in list")
+	assert.Contains(t, firstError.Error(), "disallowed character", "Should report specific error")
+}
+
+func TestBuildTrivyArgsForMultipleImages(t *testing.T) {
+	severityFlag = "CRITICAL"
+	pkgTypesFlag = ""
+	ignoreUnfixedFlag = true
+
+	images := []string{"alpine:latest", "nginx:1.21", "redis:7"}
+
+	// Verify each image gets correct args with same flags
+	for _, img := range images {
+		args := buildTrivyArgs(img)
+
+		assert.Equal(t, img, args[len(args)-1], "Image name should be last argument")
+		assert.Contains(t, args, "--severity", "Should contain severity flag")
+		assert.Contains(t, args, "CRITICAL", "Should use configured severity")
+	}
+}
+
+func TestContainerScanCommandAcceptsMultipleImages(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   []string
+		errMsg string
+	}{
+		{
+			name: "single image",
+			args: []string{"alpine:latest"},
+		},
+		{
+			name: "two images",
+			args: []string{"alpine:latest", "nginx:1.21"},
+		},
+		{
+			name: "three images",
+			args: []string{"alpine:latest", "nginx:1.21", "redis:7"},
+		},
+		{
+			name: "many images",
+			args: []string{"img1:v1", "img2:v2", "img3:v3", "img4:v4", "img5:v5"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := containerScanCmd.Args(containerScanCmd, tt.args)
+			assert.NoError(t, err, "Command should accept %d image(s)", len(tt.args))
+		})
+	}
+}
+
+func TestContainerScanCommandRejectsNoImages(t *testing.T) {
+	err := containerScanCmd.Args(containerScanCmd, []string{})
+	assert.Error(t, err, "Command should reject empty image list")
+}