add container-scan command to trivy scan containers

Author: franciscoovazevedo

cli-v2.go

@@ -39,10 +39,10 @@ func main() {
 		}
 	}
 
-	// Check if command is init/update/version/help - these don't require configuration
+	// Check if command is init/update/version/help/container-scan - these don't require configuration
 	if len(os.Args) > 1 {
 		cmdName := os.Args[1]
-		if cmdName == "init" || cmdName == "update" || cmdName == "version" || cmdName == "help" {
+		if cmdName == "init" || cmdName == "update" || cmdName == "version" || cmdName == "help" || cmdName == "container-scan" {
 			cmd.Execute()
 			return
 		}

cmd/container_scan.go

@@ -0,0 +1,155 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+
+	"codacy/cli-v2/utils/logger"
+
+	"github.com/fatih/color"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+// Flag variables for container-scan command
+var (
+	severityFlag      string
+	pkgTypesFlag      string
+	ignoreUnfixedFlag bool
+)
+
+func init() {
+	containerScanCmd.Flags().StringVar(&severityFlag, "severity", "", "Comma-separated list of severities to scan for (default: HIGH,CRITICAL)")
+	containerScanCmd.Flags().StringVar(&pkgTypesFlag, "pkg-types", "", "Comma-separated list of package types to scan (default: os)")
+	containerScanCmd.Flags().BoolVar(&ignoreUnfixedFlag, "ignore-unfixed", true, "Ignore unfixed vulnerabilities")
+	rootCmd.AddCommand(containerScanCmd)
+}
+
+var containerScanCmd = &cobra.Command{
+	Use:   "container-scan [FLAGS] <IMAGE_NAME>",
+	Short: "Scan container images for vulnerabilities using Trivy",
+	Long: `Scan container images for vulnerabilities using Trivy.
+
+By default, scans for HIGH and CRITICAL vulnerabilities in OS packages,
+ignoring unfixed issues. Use flags to override these defaults.
+
+The --exit-code 1 flag is always applied (not user-configurable) to ensure
+the command fails when vulnerabilities are found.`,
+	Example: `  # Default behavior (HIGH,CRITICAL severity, os packages only)
+  codacy-cli container-scan myapp:latest
+
+  # Scan only for CRITICAL vulnerabilities
+  codacy-cli container-scan --severity CRITICAL myapp:latest
+
+  # Scan all severities and package types
+  codacy-cli container-scan --severity LOW,MEDIUM,HIGH,CRITICAL --pkg-types os,library myapp:latest
+
+  # Include unfixed vulnerabilities
+  codacy-cli container-scan --ignore-unfixed=false myapp:latest`,
+	Args: cobra.ExactArgs(1),
+	Run:  runContainerScan,
+}
+
+func runContainerScan(cmd *cobra.Command, args []string) {
+	imageName := args[0]
+
+	logger.Info("Starting container scan", logrus.Fields{
+		"image": imageName,
+	})
+
+	// Check if Trivy is installed
+	trivyPath, err := exec.LookPath("trivy")
+	if err != nil {
+		logger.Error("Trivy not found", logrus.Fields{
+			"error": err.Error(),
+		})
+		color.Red("❌ Error: Trivy is not installed or not found in PATH")
+		fmt.Println("Please install Trivy to use container scanning.")
+		fmt.Println("Visit: https://trivy.dev/latest/getting-started/installation/")
+		os.Exit(1)
+	}
+
+	logger.Info("Found Trivy", logrus.Fields{
+		"path": trivyPath,
+	})
+
+	// Build Trivy command arguments
+	trivyArgs := buildTrivyArgs(imageName)
+
+	trivyCmd := exec.Command(trivyPath, trivyArgs...)
+	trivyCmd.Stdout = os.Stdout
+	trivyCmd.Stderr = os.Stderr
+
+	logger.Info("Running Trivy container scan", logrus.Fields{
+		"command": trivyCmd.String(),
+	})
+
+	fmt.Printf("🔍 Scanning container image: %s\n\n", imageName)
+
+	err = trivyCmd.Run()
+	if err != nil {
+		// Check if the error is due to exit code 1 (vulnerabilities found)
+		if exitError, ok := err.(*exec.ExitError); ok {
+			exitCode := exitError.ExitCode()
+			logger.Warn("Container scan completed with vulnerabilities", logrus.Fields{
+				"image":     imageName,
+				"exit_code": exitCode,
+			})
+			if exitCode == 1 {
+				fmt.Println()
+				color.Red("❌ Scanning failed: vulnerabilities found in the container image")
+				os.Exit(1)
+			}
+		}
+
+		// Other errors
+		logger.Error("Failed to run Trivy", logrus.Fields{
+			"error": err.Error(),
+		})
+		color.Red("❌ Error: Failed to run Trivy: %v", err)
+		os.Exit(1)
+	}
+
+	logger.Info("Container scan completed successfully", logrus.Fields{
+		"image": imageName,
+	})
+
+	fmt.Println()
+	color.Green("✅ Success: No vulnerabilities found matching the specified criteria")
+}
+
+// buildTrivyArgs constructs the Trivy command arguments based on flags
+func buildTrivyArgs(imageName string) []string {
+	args := []string{
+		"image",
+		"--scanners", "vuln",
+	}
+
+	// Apply --ignore-unfixed if enabled (default: true)
+	if ignoreUnfixedFlag {
+		args = append(args, "--ignore-unfixed")
+	}
+
+	// Apply --severity (use default if not specified)
+	severity := severityFlag
+	if severity == "" {
+		severity = "HIGH,CRITICAL"
+	}
+	args = append(args, "--severity", severity)
+
+	// Apply --pkg-types (use default if not specified)
+	pkgTypes := pkgTypesFlag
+	if pkgTypes == "" {
+		pkgTypes = "os"
+	}
+	args = append(args, "--pkg-types", pkgTypes)
+
+	// Always apply --exit-code 1 (not user-configurable)
+	args = append(args, "--exit-code", "1")
+
+	// Add the image name as the last argument
+	args = append(args, imageName)
+
+	return args
+}

cmd/validation.go

@@ -83,6 +83,7 @@ func shouldSkipValidation(cmdName string) bool {
 		"reset",      // config reset should work even with empty/invalid codacy.yaml
 		"codacy-cli", // root command when called without subcommands
 		"update",
+		"container-scan", // container scanning doesn't need codacy.yaml
 	}
 
 	for _, skipCmd := range skipCommands {