Enhance container scan functionality by adding RunWithStderr method to CommandRunner interface and implementing isScanFailure check. Introduced tests for scan failure scenarios and updated MockCommandRunner to support stderr handling.

Author: andrzej-janczak

cmd/container_scan.go

@@ -2,7 +2,9 @@
 package cmd
 
 import (
+	"bytes"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
 	"regexp"
@@ -28,19 +30,30 @@ var exitFunc = os.Exit
 // CommandRunner interface for running external commands (allows mocking in tests)
 type CommandRunner interface {
 	Run(name string, args []string) error
+	// RunWithStderr runs the command; if stderr is not nil, Trivy stderr is written to both os.Stderr and stderr.
+	RunWithStderr(name string, args []string, stderr io.Writer) error
 }
 
 // ExecCommandRunner runs commands using exec.Command
 type ExecCommandRunner struct{}
 
 // Run executes a command and returns its exit error
 func (r *ExecCommandRunner) Run(name string, args []string) error {
+	return r.RunWithStderr(name, args, nil)
+}
+
+// RunWithStderr runs the command; if stderr is not nil, command stderr is written to both os.Stderr and stderr.
+func (r *ExecCommandRunner) RunWithStderr(name string, args []string, stderr io.Writer) error {
 	// #nosec G204 -- name comes from config (codacy-installed Trivy path),
 	// and args are validated by validateImageName() which checks for shell metacharacters.
 	// exec.Command passes arguments directly without shell interpretation.
 	cmd := exec.Command(name, args...)
 	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
+	if stderr != nil {
+		cmd.Stderr = io.MultiWriter(os.Stderr, stderr)
+	} else {
+		cmd.Stderr = os.Stderr
+	}
 	return cmd.Run()
 }
 
@@ -162,7 +175,6 @@ func handleTrivyNotFound(err error) {
 	logger.Error("Trivy not found", logrus.Fields{"error": err.Error()})
 	color.Red("❌ Error: Trivy could not be installed or found")
 	fmt.Println("Run 'codacy-cli init' if you have no project yet, then try container-scan again so Trivy can be installed automatically.")
-	fmt.Println("exit-code 2")
 	exitFunc(2)
 }
 
@@ -177,7 +189,6 @@ func executeContainerScan(imageName string) int {
 	if err := validateImageName(imageName); err != nil {
 		logger.Error("Invalid image name", logrus.Fields{"image": imageName, "error": err.Error()})
 		color.Red("❌ Error: %v", err)
-		fmt.Println("exit-code 2")
 		return 2
 	}
 	logger.Info("Starting container scan", logrus.Fields{"image": imageName})
@@ -195,20 +206,36 @@ func executeContainerScan(imageName string) int {
 	return printScanSummary(hasVulnerabilities == 1)
 }
 
+// isScanFailure returns true if Trivy stderr indicates the scan failed (e.g. image not found, no runtime)
+// rather than a successful scan that found vulnerabilities. Trivy uses exit code 1 for both cases.
+func isScanFailure(stderr []byte) bool {
+	s := string(stderr)
+	return strings.Contains(s, "FATAL") ||
+		strings.Contains(s, "run error") ||
+		strings.Contains(s, "image scan error") ||
+		strings.Contains(s, "unable to find the specified image")
+}
+
 // scanImage scans the image and returns: 0=no vulns, 1=vulns found, -1=error
 func scanImage(imageName, trivyPath string) int {
 	fmt.Printf("🔍 Scanning container image: %s\n\n", imageName)
 	args := buildTrivyArgs(imageName)
 	logger.Info("Running Trivy container scan", logrus.Fields{"command": fmt.Sprintf("%s %v", trivyPath, args)})
 
-	if err := commandRunner.Run(trivyPath, args); err != nil {
-		if getExitCode(err) == 1 {
+	var stderrBuf bytes.Buffer
+	if err := commandRunner.RunWithStderr(trivyPath, args, &stderrBuf); err != nil {
+		code := getExitCode(err)
+		if code == 1 && isScanFailure(stderrBuf.Bytes()) {
+			logger.Error("Scan failed (e.g. image not found or no container runtime)", logrus.Fields{"image": imageName, "error": err.Error()})
+			color.Red("❌ Scanning failed: unable to scan the container image (e.g. image not found or no container runtime)")
+			return -1
+		}
+		if code == 1 {
 			logger.Warn("Vulnerabilities found in image", logrus.Fields{"image": imageName})
 			return 1
 		}
 		logger.Error("Failed to run Trivy", logrus.Fields{"error": err.Error(), "image": imageName})
 		color.Red("❌ Error: Failed to run Trivy for %s: %v", imageName, err)
-		fmt.Println("exit-code 2")
 		return -1
 	}
 	logger.Info("No vulnerabilities found in image", logrus.Fields{"image": imageName})
@@ -220,7 +247,6 @@ func printScanSummary(hasVulnerabilities bool) int {
 	if hasVulnerabilities {
 		logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{})
 		color.Red("❌ Scanning failed: vulnerabilities found in the container image")
-		fmt.Println("exit-code 1")
 		return 1
 	}
 	logger.Info("Container scan completed successfully", logrus.Fields{})

cmd/container_scan_test.go

@@ -2,25 +2,34 @@ package cmd
 
 import (
 	"errors"
+	"io"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 )
 
 // MockCommandRunner is a mock implementation of CommandRunner for testing
 type MockCommandRunner struct {
-	RunFunc func(name string, args []string) error
-	Calls   []struct {
+	RunFunc         func(name string, args []string) error
+	RunWithStderrFunc func(name string, args []string, stderr io.Writer) error
+	Calls           []struct {
 		Name string
 		Args []string
 	}
 }
 
 func (m *MockCommandRunner) Run(name string, args []string) error {
+	return m.RunWithStderr(name, args, nil)
+}
+
+func (m *MockCommandRunner) RunWithStderr(name string, args []string, stderr io.Writer) error {
 	m.Calls = append(m.Calls, struct {
 		Name string
 		Args []string
 	}{Name: name, Args: args})
+	if m.RunWithStderrFunc != nil {
+		return m.RunWithStderrFunc(name, args, stderr)
+	}
 	if m.RunFunc != nil {
 		return m.RunFunc(name, args)
 	}
@@ -206,6 +215,44 @@ func TestExecuteContainerScan_TrivyExecutionError(t *testing.T) {
 	assert.Equal(t, 2, exitCode)
 }
 
+func TestExecuteContainerScan_ScanFailureExit1(t *testing.T) {
+	state := saveState()
+	defer state.restore()
+
+	getTrivyPathResolver = func() (string, error) {
+		return "/usr/local/bin/trivy", nil
+	}
+
+	// Trivy exits 1 with FATAL/run error in stderr (e.g. image not found) -> we treat as scan error, not vulnerabilities
+	scanFailureStderr := "FATAL   Fatal error     run error: image scan error: unable to find the specified image"
+	mockRunner := &MockCommandRunner{
+		RunWithStderrFunc: func(_ string, _ []string, stderr io.Writer) error {
+			if stderr != nil {
+				_, _ = stderr.Write([]byte(scanFailureStderr))
+			}
+			return &mockExitError{code: 1}
+		},
+	}
+	commandRunner = mockRunner
+
+	severityFlag = ""
+	pkgTypesFlag = ""
+	ignoreUnfixedFlag = true
+
+	exitCode := executeContainerScan("random-string")
+	assert.Equal(t, 2, exitCode, "Should return exit code 2 when scan failed (not vulnerabilities found)")
+	assert.Len(t, mockRunner.Calls, 1)
+}
+
+func TestIsScanFailure(t *testing.T) {
+	assert.False(t, isScanFailure(nil), "nil stderr is not a scan failure")
+	assert.False(t, isScanFailure([]byte("")), "empty stderr is not a scan failure")
+	assert.False(t, isScanFailure([]byte("Total: 5 (HIGH: 2, CRITICAL: 3)")), "vulnerability table is not a scan failure")
+	assert.True(t, isScanFailure([]byte("FATAL   Fatal error")), "FATAL indicates scan failure")
+	assert.True(t, isScanFailure([]byte("run error: image scan error")), "run error indicates scan failure")
+	assert.True(t, isScanFailure([]byte("unable to find the specified image")), "unable to find image indicates scan failure")
+}
+
 // Tests for handleTrivyNotFound
 
 func TestHandleTrivyNotFound(t *testing.T) {