codacy and copilot review changes applied

franciscoovazevedo · franciscoovazevedo · commit 5b9ff979c09e · 2026-01-23T13:50:47.000Z
diff --git a/cmd/container_scan.go b/cmd/container_scan.go
@@ -35,7 +35,7 @@ func init() {
 }
 
 var containerScanCmd = &cobra.Command{
-	Use:   "container-scan [FLAGS] <IMAGE_NAME> [IMAGE_NAME...]",
+	Use:   "container-scan <IMAGE_NAME> [IMAGE_NAME...]",
 	Short: "Scan container images for vulnerabilities using Trivy",
 	Long: `Scan one or more container images for vulnerabilities using Trivy.
 
@@ -74,19 +74,19 @@ func validateImageName(imageName string) error {
 		return fmt.Errorf("image name is too long (max 256 characters)")
 	}
 
-	// Validate against allowed pattern
-	if !validImageNamePattern.MatchString(imageName) {
-		return fmt.Errorf("invalid image name format: contains disallowed characters")
-	}
-
-	// Additional check for dangerous shell metacharacters
+	// Check for dangerous shell metacharacters first for specific error messages
 	dangerousChars := []string{";", "&", "|", "$", "`", "(", ")", "{", "}", "<", ">", "!", "\\", "\n", "\r", "'", "\""}
 	for _, char := range dangerousChars {
 		if strings.Contains(imageName, char) {
 			return fmt.Errorf("invalid image name: contains disallowed character '%s'", char)
 		}
 	}
 
+	// Validate against allowed pattern for any other invalid characters
+	if !validImageNamePattern.MatchString(imageName) {
+		return fmt.Errorf("invalid image name format: contains disallowed characters")
+	}
+
 	return nil
 }
 
@@ -129,6 +129,9 @@ func runContainerScan(_ *cobra.Command, args []string) {
 			fmt.Printf("🔍 Scanning container image: %s\n\n", imageName)
 		}
 
+		// #nosec G204 -- imageName is validated by validateImageName() which checks for
+		// shell metacharacters and enforces a strict character allowlist. Additionally,
+		// exec.Command passes arguments directly without shell interpretation.
 		trivyCmd := exec.Command(trivyPath, buildTrivyArgs(imageName)...)
 		trivyCmd.Stdout = os.Stdout
 		trivyCmd.Stderr = os.Stderr
diff --git a/cmd/container_scan_test.go b/cmd/container_scan_test.go
@@ -153,7 +153,7 @@ func TestContainerScanCommandSkipsValidation(t *testing.T) {
 }
 
 func TestContainerScanCommandRequiresArg(t *testing.T) {
-	assert.Equal(t, "container-scan [FLAGS] <IMAGE_NAME> [IMAGE_NAME...]", containerScanCmd.Use, "Command use should match expected format")
+	assert.Equal(t, "container-scan <IMAGE_NAME> [IMAGE_NAME...]", containerScanCmd.Use, "Command use should match expected format")
 
 	err := containerScanCmd.Args(containerScanCmd, []string{})
 	assert.Error(t, err, "Should error when no args provided")
@@ -255,3 +255,84 @@ func TestBuildTrivyArgsDefaultsApplied(t *testing.T) {
 
 	assert.Contains(t, args, "--ignore-unfixed", "--ignore-unfixed should be present when enabled")
 }
+
+// Tests for multiple image support
+
+func TestValidateMultipleImages(t *testing.T) {
+	// All valid images should pass
+	validImages := []string{"alpine:latest", "nginx:1.21", "redis:7"}
+	for _, img := range validImages {
+		err := validateImageName(img)
+		assert.NoError(t, err, "Valid image %s should not error", img)
+	}
+}
+
+func TestValidateMultipleImagesFailsOnInvalid(t *testing.T) {
+	// Test that validation catches invalid images in a list
+	images := []string{"alpine:latest", "nginx;malicious", "redis:7"}
+
+	var firstError error
+	for _, img := range images {
+		if err := validateImageName(img); err != nil {
+			firstError = err
+			break
+		}
+	}
+
+	assert.Error(t, firstError, "Should catch invalid image in list")
+	assert.Contains(t, firstError.Error(), "disallowed character", "Should report specific error")
+}
+
+func TestBuildTrivyArgsForMultipleImages(t *testing.T) {
+	severityFlag = "CRITICAL"
+	pkgTypesFlag = ""
+	ignoreUnfixedFlag = true
+
+	images := []string{"alpine:latest", "nginx:1.21", "redis:7"}
+
+	// Verify each image gets correct args with same flags
+	for _, img := range images {
+		args := buildTrivyArgs(img)
+
+		assert.Equal(t, img, args[len(args)-1], "Image name should be last argument")
+		assert.Contains(t, args, "--severity", "Should contain severity flag")
+		assert.Contains(t, args, "CRITICAL", "Should use configured severity")
+	}
+}
+
+func TestContainerScanCommandAcceptsMultipleImages(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   []string
+		errMsg string
+	}{
+		{
+			name: "single image",
+			args: []string{"alpine:latest"},
+		},
+		{
+			name: "two images",
+			args: []string{"alpine:latest", "nginx:1.21"},
+		},
+		{
+			name: "three images",
+			args: []string{"alpine:latest", "nginx:1.21", "redis:7"},
+		},
+		{
+			name: "many images",
+			args: []string{"img1:v1", "img2:v2", "img3:v3", "img4:v4", "img5:v5"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := containerScanCmd.Args(containerScanCmd, tt.args)
+			assert.NoError(t, err, "Command should accept %d image(s)", len(tt.args))
+		})
+	}
+}
+
+func TestContainerScanCommandRejectsNoImages(t *testing.T) {
+	err := containerScanCmd.Args(containerScanCmd, []string{})
+	assert.Error(t, err, "Command should reject empty image list")
+}
