fix(ci): fix container scan PR comment showing identical collapsed titles

Each matrix job now writes just its per-container detail section via
report_single() (named <details><summary>📦 scanner-bandit — N vulns),
plus a JSON summary with severity counts.

The combine step reads all JSON summaries to build:
1. Combined findings summary table (aggregated counts)
2. Container breakdown table (one row per image with severity columns)
3. Per-container detail sections (each named, distinguishable collapsed)

Replaces the old approach where each matrix job produced a full report
wrapped in an identical 🐳 Container Security Scan header.

Author: eFAILution

.github/workflows/build-containers.yml

@@ -185,16 +185,24 @@ jobs:
               trivy_findings=trivy_findings,
               combined_findings=trivy_findings,
           )
-          summary = ContainerScanSummary(results=[result])
 
+          # Write just this container's detail section (not the full report)
           reporter = ContainerMarkdownReporter()
-          reporter.report(summary, "scanner-summaries")
+          reporter.report_single(result, "scanner-summaries")
 
-          # Rename for per-image aggregation
-          src = Path("scanner-summaries/container-scan.md")
-          dst = Path(f"scanner-summaries/{image_name}.md")
-          if src.exists():
-              dst.write_text(src.read_text())
+          # Also write a JSON summary for the combine step
+          import json
+          json.dump({
+              "name": image_name,
+              "image_ref": image_ref,
+              "critical": result.critical_count,
+              "high": result.high_count,
+              "medium": result.medium_count,
+              "low": result.low_count,
+              "total": result.total_count,
+              "unique": result.unique_count,
+              "build_success": result.build_success,
+          }, open(f"scanner-summaries/{image_name}.json", "w"))
           PYEOF
         env:
           IMAGE_NAME: ${{ matrix.image }}
@@ -344,20 +352,70 @@ jobs:
           path: cli-results
         continue-on-error: true
 
-      # Combine per-image argus markdown reports into one file
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: '3.13'
+
+      - name: Install Argus SDK
+        run: |
+          pip install --quiet pyyaml
+          echo "PYTHONPATH=$GITHUB_WORKSPACE" >> "$GITHUB_ENV"
+
+      # Build combined report with summary table + per-container sections
       - name: Combine scanner summaries
         run: |
-          mkdir -p scanner-summaries
-          {
-            for md in scanner-summaries/*.md; do
-              [ -f "$md" ] && cat "$md" && echo ""
-            done
-            if [ -f "cli-results/argus-summary.md" ]; then
-              echo "---"
-              echo ""
-              cat cli-results/argus-summary.md
-            fi
-          } > scanner-summaries/combined-container-scan.md
+          python3 << 'PYEOF'
+          import sys, os, glob, json
+          sys.path.insert(0, os.environ.get("PYTHONPATH", "."))
+
+          from pathlib import Path
+          from argus.container.scanner import ContainerScanResult, ContainerScanSummary
+          from argus.reporters.container_markdown import ContainerMarkdownReporter
+
+          # Load per-image JSON summaries for accurate severity counts
+          results = []
+          for json_file in sorted(Path("scanner-summaries").glob("*.json")):
+              data = json.load(open(json_file))
+              # Create a minimal result with counts (findings list empty —
+              # the per-image markdown sections have the detail)
+              r = ContainerScanResult(
+                  name=data["name"],
+                  image_ref=data.get("image_ref", data["name"]),
+                  build_success=data.get("build_success", True),
+              )
+              # Inject counts via the combined_findings proxy
+              # (ContainerScanResult computes counts from combined_findings)
+              from argus.core.models import Finding, Severity
+              for sev, count in [
+                  (Severity.CRITICAL, data.get("critical", 0)),
+                  (Severity.HIGH, data.get("high", 0)),
+                  (Severity.MEDIUM, data.get("medium", 0)),
+                  (Severity.LOW, data.get("low", 0)),
+              ]:
+                  for _ in range(count):
+                      r.combined_findings.append(
+                          Finding(id="count", severity=sev, title="")
+                      )
+              results.append(r)
+
+          summary = ContainerScanSummary(results=results)
+          section_files = sorted(Path("scanner-summaries").glob("*.md"))
+
+          # Build combined report: summary table + breakdown + per-container sections
+          content = ContainerMarkdownReporter.build_combined_report(
+              section_files=section_files,
+              summary=summary,
+          )
+
+          # Append CLI scan results if available
+          cli_md = Path("cli-results/argus-summary.md")
+          if cli_md.exists():
+              content += "\n---\n\n" + cli_md.read_text()
+
+          Path("scanner-summaries/combined-container-scan.md").write_text(content)
+          print(f"Combined report: {len(section_files)} container sections")
+          PYEOF
 
       # Post using the existing comment-pr composite action
       - name: Comment PR with scan results

argus/reporters/container_markdown.py

@@ -64,7 +64,7 @@ def report(
         return filepath
 
     # ------------------------------------------------------------------
-    # Top-level builder
+    # Top-level builder (full multi-container report)
     # ------------------------------------------------------------------
 
     def _build(self, summary: Any, artifacts_url: str = "") -> str:
@@ -95,6 +95,74 @@ def _build(self, summary: Any, artifacts_url: str = "") -> str:
         lines.append("</details>")
         return "\n".join(lines)
 
+    # ------------------------------------------------------------------
+    # Single-container section (for CI matrix jobs)
+    # ------------------------------------------------------------------
+
+    def report_single(
+        self,
+        result: Any,
+        output_dir: Optional[Path] = None,
+    ) -> Path:
+        """Write a single container's detail section to a named file.
+
+        Produces just the per-container ``<details>`` block (no outer
+        wrapper, no combined summary). Designed for CI matrix jobs
+        where each container is scanned in a separate job and the
+        results are combined later by ``build_combined_report``.
+        """
+        dest = Path(output_dir) if output_dir else _DEFAULT_OUTPUT_DIR
+        dest.mkdir(parents=True, exist_ok=True)
+
+        name = getattr(result, "name", "unknown")
+        filepath = dest / f"{name}.md"
+        content = "\n".join(self._build_container_detail(result))
+        filepath.write_text(content, encoding="utf-8")
+        return filepath
+
+    @classmethod
+    def build_combined_report(
+        cls,
+        section_files: list[Path],
+        summary: Any,
+        artifacts_url: str = "",
+    ) -> str:
+        """Combine per-container sections into a full report.
+
+        Call this from the CI combine step after downloading all
+        per-container markdown files from matrix job artifacts.
+
+        Parameters
+        ----------
+        section_files:
+            Paths to per-container markdown files (from ``report_single``).
+        summary:
+            A ``ContainerScanSummary`` with all results for the
+            combined header and breakdown table.
+        """
+        reporter = cls()
+        lines: list[str] = []
+
+        lines.extend(reporter._build_combined_summary(summary))
+        lines.extend(reporter._build_breakdown_table(summary))
+
+        lines.append("### \U0001f50d Detailed Findings by Container")
+        lines.append("")
+
+        for path in sorted(section_files):
+            if path.exists():
+                lines.append(path.read_text(encoding="utf-8"))
+                lines.append("")
+
+        if artifacts_url:
+            lines.append(
+                f"**\U0001f4c1 Artifacts:** "
+                f"[Container Scan Reports]({artifacts_url})"
+            )
+            lines.append("")
+
+        return "\n".join(lines)
+
     # ------------------------------------------------------------------
     # Combined findings summary
     # ------------------------------------------------------------------