Refactor container scan command to accept a single image argument and update related tests. Removed support for multiple images in command usage and adjusted the execution logic accordingly.

Author: andrzej-janczak

cmd/container_scan.go

@@ -75,30 +75,27 @@ func init() {
 }
 
 var containerScanCmd = &cobra.Command{
-	Use:   "container-scan <IMAGE_NAME> [IMAGE_NAME...]",
-	Short: "Scan container images for vulnerabilities using Trivy",
-	Long: `Scan one or more container images for vulnerabilities using Trivy.
+	Use:   "container-scan <IMAGE_NAME>",
+	Short: "Scan a container image for vulnerabilities using Trivy",
+	Long: `Scan a container image for vulnerabilities using Trivy.
 
 By default, scans for HIGH and CRITICAL vulnerabilities in OS packages,
 ignoring unfixed issues. Use flags to override these defaults.
 
 The --exit-code 1 flag is always applied (not user-configurable) to ensure
-the command fails when vulnerabilities are found in any image.`,
-	Example: `  # Scan a single image
+the command fails when vulnerabilities are found.`,
+	Example: `  # Scan an image
   codacy-cli container-scan myapp:latest
 
-  # Scan multiple images
-  codacy-cli container-scan myapp:latest nginx:alpine redis:7
-
-  # Scan only for CRITICAL vulnerabilities across multiple images
-  codacy-cli container-scan --severity CRITICAL myapp:latest nginx:alpine
+  # Scan only for CRITICAL vulnerabilities
+  codacy-cli container-scan --severity CRITICAL myapp:latest
 
   # Scan all severities and package types
   codacy-cli container-scan --severity LOW,MEDIUM,HIGH,CRITICAL --pkg-types os,library myapp:latest
 
   # Include unfixed vulnerabilities
   codacy-cli container-scan --ignore-unfixed=false myapp:latest`,
-	Args: cobra.MinimumNArgs(1),
+	Args: cobra.ExactArgs(1),
 	Run:  runContainerScan,
 }
 
@@ -170,89 +167,63 @@ func handleTrivyNotFound(err error) {
 }
 
 func runContainerScan(_ *cobra.Command, args []string) {
-	exitCode := executeContainerScan(args)
+	exitCode := executeContainerScan(args[0])
 	exitFunc(exitCode)
 }
 
 // executeContainerScan performs the container scan and returns an exit code
 // Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error
-func executeContainerScan(imageNames []string) int {
-	if code := validateAllImages(imageNames); code != 0 {
-		return code
+func executeContainerScan(imageName string) int {
+	if err := validateImageName(imageName); err != nil {
+		logger.Error("Invalid image name", logrus.Fields{"image": imageName, "error": err.Error()})
+		color.Red("❌ Error: %v", err)
+		fmt.Println("exit-code 2")
+		return 2
 	}
-	logger.Info("Starting container scan", logrus.Fields{"images": imageNames, "count": len(imageNames)})
+	logger.Info("Starting container scan", logrus.Fields{"image": imageName})
 
 	trivyPath, err := getTrivyPath()
 	if err != nil {
 		handleTrivyNotFound(err)
 		return 2
 	}
 
-	hasVulnerabilities := scanAllImages(imageNames, trivyPath)
+	hasVulnerabilities := scanImage(imageName, trivyPath)
 	if hasVulnerabilities == -1 {
 		return 2
 	}
-	return printScanSummary(hasVulnerabilities == 1, imageNames)
+	return printScanSummary(hasVulnerabilities == 1)
 }
 
-func validateAllImages(imageNames []string) int {
-	for _, imageName := range imageNames {
-		if err := validateImageName(imageName); err != nil {
-			logger.Error("Invalid image name", logrus.Fields{"image": imageName, "error": err.Error()})
-			color.Red("❌ Error: %v", err)
-			fmt.Println("exit-code 2")
-			return 2
-		}
-	}
-	return 0
-}
+// scanImage scans the image and returns: 0=no vulns, 1=vulns found, -1=error
+func scanImage(imageName, trivyPath string) int {
+	fmt.Printf("🔍 Scanning container image: %s\n\n", imageName)
+	args := buildTrivyArgs(imageName)
+	logger.Info("Running Trivy container scan", logrus.Fields{"command": fmt.Sprintf("%s %v", trivyPath, args)})
 
-// scanAllImages scans all images and returns: 0=no vulns, 1=vulns found, -1=error
-func scanAllImages(imageNames []string, trivyPath string) int {
-	hasVulnerabilities := false
-	for i, imageName := range imageNames {
-		printScanHeader(imageNames, imageName, i)
-		args := buildTrivyArgs(imageName)
-		logger.Info("Running Trivy container scan", logrus.Fields{"command": fmt.Sprintf("%s %v", trivyPath, args)})
-
-		if err := commandRunner.Run(trivyPath, args); err != nil {
-			if getExitCode(err) == 1 {
-				logger.Warn("Vulnerabilities found in image", logrus.Fields{"image": imageName})
-				hasVulnerabilities = true
-			} else {
-				logger.Error("Failed to run Trivy", logrus.Fields{"error": err.Error(), "image": imageName})
-				color.Red("❌ Error: Failed to run Trivy for %s: %v", imageName, err)
-				fmt.Println("exit-code 2")
-				return -1
-			}
-		} else {
-			logger.Info("No vulnerabilities found in image", logrus.Fields{"image": imageName})
+	if err := commandRunner.Run(trivyPath, args); err != nil {
+		if getExitCode(err) == 1 {
+			logger.Warn("Vulnerabilities found in image", logrus.Fields{"image": imageName})
+			return 1
 		}
+		logger.Error("Failed to run Trivy", logrus.Fields{"error": err.Error(), "image": imageName})
+		color.Red("❌ Error: Failed to run Trivy for %s: %v", imageName, err)
+		fmt.Println("exit-code 2")
+		return -1
 	}
-	if hasVulnerabilities {
-		return 1
-	}
+	logger.Info("No vulnerabilities found in image", logrus.Fields{"image": imageName})
 	return 0
 }
 
-func printScanHeader(imageNames []string, imageName string, index int) {
-	if len(imageNames) > 1 {
-		fmt.Printf("\n📦 [%d/%d] Scanning image: %s\n", index+1, len(imageNames), imageName)
-		fmt.Println(strings.Repeat("-", 50))
-	} else {
-		fmt.Printf("🔍 Scanning container image: %s\n\n", imageName)
-	}
-}
-
-func printScanSummary(hasVulnerabilities bool, imageNames []string) int {
+func printScanSummary(hasVulnerabilities bool) int {
 	fmt.Println()
 	if hasVulnerabilities {
-		logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{"images": imageNames})
-		color.Red("❌ Scanning failed: vulnerabilities found in one or more container images")
+		logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{})
+		color.Red("❌ Scanning failed: vulnerabilities found in the container image")
 		fmt.Println("exit-code 1")
 		return 1
 	}
-	logger.Info("Container scan completed successfully", logrus.Fields{"images": imageNames})
+	logger.Info("Container scan completed successfully", logrus.Fields{})
 	color.Green("✅ Success: No vulnerabilities found matching the specified criteria")
 	return 0
 }

cmd/container_scan_test.go

@@ -109,7 +109,7 @@ func TestExecuteContainerScan_Success(t *testing.T) {
 	pkgTypesFlag = ""
 	ignoreUnfixedFlag = true
 
-	exitCode := executeContainerScan([]string{"alpine:latest"})
+	exitCode := executeContainerScan("alpine:latest")
 	assert.Equal(t, 0, exitCode)
 	assert.Len(t, mockRunner.Calls, 1)
 	assert.Equal(t, "/usr/local/bin/trivy", mockRunner.Calls[0].Name)
@@ -149,46 +149,16 @@ func TestExecuteContainerScan_VulnerabilitiesFound(t *testing.T) {
 	pkgTypesFlag = ""
 	ignoreUnfixedFlag = true
 
-	exitCode := executeContainerScan([]string{"alpine:latest"})
+	exitCode := executeContainerScan("alpine:latest")
 	assert.Equal(t, 1, exitCode, "Should return exit code 1 when vulnerabilities are found")
 	assert.Len(t, mockRunner.Calls, 1)
 }
 
-func TestExecuteContainerScan_MultipleImages_SomeWithVulnerabilities(t *testing.T) {
-	state := saveState()
-	defer state.restore()
-
-	getTrivyPathResolver = func() (string, error) {
-		return "/usr/local/bin/trivy", nil
-	}
-
-	callCount := 0
-	mockRunner := &MockCommandRunner{
-		RunFunc: func(_ string, _ []string) error {
-			callCount++
-			// Second image has vulnerabilities
-			if callCount == 2 {
-				return &mockExitError{code: 1}
-			}
-			return nil
-		},
-	}
-	commandRunner = mockRunner
-
-	severityFlag = ""
-	pkgTypesFlag = ""
-	ignoreUnfixedFlag = true
-
-	exitCode := executeContainerScan([]string{"alpine:latest", "nginx:latest", "redis:7"})
-	assert.Equal(t, 1, exitCode, "Should return exit code 1 when any image has vulnerabilities")
-	assert.Len(t, mockRunner.Calls, 3, "Should scan all images even if one has vulnerabilities")
-}
-
 func TestExecuteContainerScan_InvalidImageName(t *testing.T) {
 	state := saveState()
 	defer state.restore()
 
-	exitCode := executeContainerScan([]string{"nginx;rm -rf /"})
+	exitCode := executeContainerScan("nginx;rm -rf /")
 	assert.Equal(t, 2, exitCode)
 }
 
@@ -206,45 +176,12 @@ func TestExecuteContainerScan_TrivyNotFound(t *testing.T) {
 		capturedExitCode = code
 	}
 
-	exitCode := executeContainerScan([]string{"alpine:latest"})
+	exitCode := executeContainerScan("alpine:latest")
 	// handleTrivyNotFound calls exitFunc(2), then returns 2
 	assert.Equal(t, 2, capturedExitCode)
 	assert.Equal(t, 2, exitCode)
 }
 
-func TestExecuteContainerScan_MultipleImages_AllPass(t *testing.T) {
-	state := saveState()
-	defer state.restore()
-
-	getTrivyPathResolver = func() (string, error) {
-		return "/usr/local/bin/trivy", nil
-	}
-
-	mockRunner := &MockCommandRunner{
-		RunFunc: func(_ string, _ []string) error {
-			return nil
-		},
-	}
-	commandRunner = mockRunner
-
-	severityFlag = ""
-	pkgTypesFlag = ""
-	ignoreUnfixedFlag = true
-
-	exitCode := executeContainerScan([]string{"alpine:latest", "nginx:latest", "redis:7"})
-	assert.Equal(t, 0, exitCode)
-	assert.Len(t, mockRunner.Calls, 3)
-}
-
-func TestExecuteContainerScan_MultipleImages_OneInvalid(t *testing.T) {
-	state := saveState()
-	defer state.restore()
-
-	// Should fail validation before running any scans
-	exitCode := executeContainerScan([]string{"alpine:latest", "nginx;bad", "redis:7"})
-	assert.Equal(t, 2, exitCode)
-}
-
 func TestExecuteContainerScan_TrivyExecutionError(t *testing.T) {
 	state := saveState()
 	defer state.restore()
@@ -265,27 +202,10 @@ func TestExecuteContainerScan_TrivyExecutionError(t *testing.T) {
 	pkgTypesFlag = ""
 	ignoreUnfixedFlag = true
 
-	exitCode := executeContainerScan([]string{"alpine:latest"})
+	exitCode := executeContainerScan("alpine:latest")
 	assert.Equal(t, 2, exitCode)
 }
 
-func TestExecuteContainerScan_EmptyImageList(t *testing.T) {
-	state := saveState()
-	defer state.restore()
-
-	getTrivyPathResolver = func() (string, error) {
-		return "/usr/local/bin/trivy", nil
-	}
-
-	mockRunner := &MockCommandRunner{}
-	commandRunner = mockRunner
-
-	// Empty list should succeed with no scans performed
-	exitCode := executeContainerScan([]string{})
-	assert.Equal(t, 0, exitCode)
-	assert.Len(t, mockRunner.Calls, 0)
-}
-
 // Tests for handleTrivyNotFound
 
 func TestHandleTrivyNotFound(t *testing.T) {
@@ -448,7 +368,7 @@ func TestContainerScanCommandSkipsValidation(t *testing.T) {
 }
 
 func TestContainerScanCommandRequiresArg(t *testing.T) {
-	assert.Equal(t, "container-scan <IMAGE_NAME> [IMAGE_NAME...]", containerScanCmd.Use, "Command use should match expected format")
+	assert.Equal(t, "container-scan <IMAGE_NAME>", containerScanCmd.Use, "Command use should match expected format")
 
 	err := containerScanCmd.Args(containerScanCmd, []string{})
 	assert.Error(t, err, "Should error when no args provided")
@@ -457,10 +377,7 @@ func TestContainerScanCommandRequiresArg(t *testing.T) {
 	assert.NoError(t, err, "Should not error when one arg provided")
 
 	err = containerScanCmd.Args(containerScanCmd, []string{"image1", "image2"})
-	assert.NoError(t, err, "Should not error when multiple args provided")
-
-	err = containerScanCmd.Args(containerScanCmd, []string{"image1", "image2", "image3"})
-	assert.NoError(t, err, "Should not error when many args provided")
+	assert.Error(t, err, "Should error when multiple args provided")
 }
 
 func TestContainerScanFlagDefaults(t *testing.T) {
@@ -551,80 +468,24 @@ func TestBuildTrivyArgsDefaultsApplied(t *testing.T) {
 	assert.Contains(t, args, "--ignore-unfixed", "--ignore-unfixed should be present when enabled")
 }
 
-// Tests for multiple image support
-
-func TestValidateMultipleImages(t *testing.T) {
-	// All valid images should pass
-	validImages := []string{"alpine:latest", "nginx:1.21", "redis:7"}
-	for _, img := range validImages {
-		err := validateImageName(img)
-		assert.NoError(t, err, "Valid image %s should not error", img)
-	}
-}
-
-func TestValidateMultipleImagesFailsOnInvalid(t *testing.T) {
-	// Test that validation catches invalid images in a list
-	images := []string{"alpine:latest", "nginx;malicious", "redis:7"}
-
-	var firstError error
-	for _, img := range images {
-		if err := validateImageName(img); err != nil {
-			firstError = err
-			break
-		}
-	}
-
-	assert.Error(t, firstError, "Should catch invalid image in list")
-	assert.Contains(t, firstError.Error(), "disallowed character", "Should report specific error")
-}
-
-func TestBuildTrivyArgsForMultipleImages(t *testing.T) {
+func TestBuildTrivyArgsWithDifferentImages(t *testing.T) {
 	severityFlag = "CRITICAL"
 	pkgTypesFlag = ""
 	ignoreUnfixedFlag = true
 
 	images := []string{"alpine:latest", "nginx:1.21", "redis:7"}
 
-	// Verify each image gets correct args with same flags
 	for _, img := range images {
 		args := buildTrivyArgs(img)
-
 		assert.Equal(t, img, args[len(args)-1], "Image name should be last argument")
 		assert.Contains(t, args, "--severity", "Should contain severity flag")
 		assert.Contains(t, args, "CRITICAL", "Should use configured severity")
 	}
 }
 
-func TestContainerScanCommandAcceptsMultipleImages(t *testing.T) {
-	tests := []struct {
-		name   string
-		args   []string
-		errMsg string
-	}{
-		{
-			name: "single image",
-			args: []string{"alpine:latest"},
-		},
-		{
-			name: "two images",
-			args: []string{"alpine:latest", "nginx:1.21"},
-		},
-		{
-			name: "three images",
-			args: []string{"alpine:latest", "nginx:1.21", "redis:7"},
-		},
-		{
-			name: "many images",
-			args: []string{"img1:v1", "img2:v2", "img3:v3", "img4:v4", "img5:v5"},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := containerScanCmd.Args(containerScanCmd, tt.args)
-			assert.NoError(t, err, "Command should accept %d image(s)", len(tt.args))
-		})
-	}
+func TestContainerScanCommandAcceptsExactlyOneImage(t *testing.T) {
+	err := containerScanCmd.Args(containerScanCmd, []string{"alpine:latest"})
+	assert.NoError(t, err, "Command should accept single image")
 }
 
 func TestContainerScanCommandRejectsNoImages(t *testing.T) {