fix(container): parse_container_config accepts unwrapped inner-mapping shape (#113)

eFAILution · web-flow · commit 267e4be01bd8 · 2026-05-05T16:26:31.000-04:00
Regression in 0.7.2.dev83 (introduced when ``_load_container_config``
was added to support config-only invocation): the CLI now extracts
the inner ``containers:`` mapping from argus.yml before passing it to
``ContainerEngine``, but ``parse_container_config`` still required the
wrapped form (``config["containers"]["images"]``). The shape mismatch
silently dropped every config-defined target — ``argus scan container
--config argus.yml`` would enter the lifecycle, then immediately
report "No container targets found" despite a valid config.

Why the engine and the parser disagreed
- ContainerEngine accesses other config keys at the top level
  (``self.config.get("images")``, ``self.config.get("search_paths")``,
  ``self.config.get("scanners")``). The CLI returns the unwrapped
  inner mapping to match those — that's been the contract for
  everything except this one parser.
- ``parse_container_config`` was the only outlier — strict on
  wrapped shape — so it became the lone failure point on the
  config-driven path.

Fix
- Make ``parse_container_config`` accept BOTH shapes:
  - Wrapped: ``{"containers": {"images": [...], ...}}`` (full
    argus.yml mapping, the historical contract)
  - Unwrapped: ``{"images": [...], ...}`` (inner-mapping shape, the
    CLI's actual hand-off)
- Wrapped shape takes precedence when both are present, preserving
  the historical contract for any direct programmatic callers.

Tests (+5)
- New ``TestParseContainerConfigUnwrappedShape`` class:
  - ``test_unwrapped_shape_resolves_explicit_images`` — the user's
    exact repro (top-level ``containers.images`` with image,
    dockerfile, context).
  - ``test_unwrapped_shape_with_discover`` — same path with
    ``discover: true`` + ``search_paths``.
  - ``test_wrapped_shape_takes_precedence_when_both_keys_present``
    — defensive guard for the historical contract.
  - ``test_unwrapped_with_digest_pin_preserved`` — round-trip the
    recommended ``@sha256:...`` form.

Validation
- Full SDK suite: 1438 passed (+5), 8 skipped.
- Manual end-to-end against the user's exact repro shape: now
  resolves the ``docker:argus-scan`` target with dockerfile and
  context preserved.

Co-authored-by: eFAILution &lt;eFAILution@users.noreply.github.com&gt;
diff --git a/argus/container/discovery.py b/argus/container/discovery.py
@@ -59,21 +59,33 @@ def discover_dockerfiles(search_paths: list[str]) -> list[ContainerTarget]:
 def parse_container_config(config: dict) -> list[ContainerTarget]:
     """Parse container targets from argus.yml config.
 
-    Config format::
-
-        containers:
-          images:
-            - image: myapp:latest
-              dockerfile: Dockerfile
-            - image: worker:latest
-              dockerfile: docker/Dockerfile.worker
-              context: .
-          discover: true
-          search_paths: [".", "docker/"]
+    Accepts both shapes:
+
+    Wrapped — full ``argus.yml`` mapping with the top-level
+    ``containers:`` key still in place::
+
+        {"containers": {"images": [...], "discover": true, ...}}
+
+    Unwrapped — just the inner ``containers:`` mapping (the shape the
+    CLI's ``_load_container_config`` returns after extracting the
+    section and merging CLI overrides in place)::
+
+        {"images": [...], "discover": true, ...}
+
+    The engine's other config accessors (``self.config.get("images")``,
+    ``self.config.get("search_paths")``, etc.) operate on the
+    unwrapped shape — leaving this function strict on the wrapped
+    shape silently dropped config-driven targets when the CLI handed
+    in the unwrapped form. Tolerate both so the parser can't be the
+    only place in the dispatch path that disagrees about config
+    layout.
     """
-    containers = config.get("containers", {})
-    if not isinstance(containers, dict):
-        return []
+    nested = config.get("containers")
+    if isinstance(nested, dict):
+        containers = nested
+    else:
+        # Unwrapped shape — treat the input as already-the-inner mapping.
+        containers = config if isinstance(config, dict) else {}
 
     targets: list[ContainerTarget] = []
 
diff --git a/argus/tests/test_container_discovery.py b/argus/tests/test_container_discovery.py
@@ -197,3 +197,81 @@ def test_name_derives_from_image_ref(self):
         }
         targets = parse_container_config(config)
         assert targets[0].name == "org-myapp"
+
+
+class TestParseContainerConfigUnwrappedShape:
+    """Regression: ``parse_container_config`` must accept the inner-mapping
+    shape returned by the CLI's ``_load_container_config``.
+
+    The bug: dispatch path for ``argus scan container --config argus.yml``
+    extracted just the inner ``containers:`` mapping (matching the
+    rest of the engine's top-level key access — ``images``,
+    ``search_paths``, ``scanners``) and passed that to
+    ``ContainerEngine``. The parser's strict ``config.get("containers")``
+    lookup found nothing and the scan dropped all config-defined
+    targets with a "No container targets found" error despite a
+    well-formed config.
+    """
+
+    def test_unwrapped_shape_resolves_explicit_images(self):
+        # The user's exact repro from the bug report — top-level
+        # ``containers:`` block in argus.yml with one image entry,
+        # extracted into the inner-mapping shape by the CLI before
+        # being passed to the engine.
+        config = {
+            "images": [
+                {
+                    "image": "docker:argus-scan",
+                    "dockerfile": "docker/Dockerfile",
+                    "context": ".",
+                },
+            ],
+        }
+        targets = parse_container_config(config)
+        assert len(targets) == 1
+        target = targets[0]
+        assert target.image_ref == "docker:argus-scan"
+        assert target.dockerfile == Path("docker/Dockerfile")
+        assert target.context == Path(".")
+
+    def test_unwrapped_shape_with_discover(self, tmp_path):
+        # Verifies the unwrapped path also honors ``discover: true`` +
+        # ``search_paths``, not just explicit images. Combined with
+        # the test above this covers both target sources end-to-end.
+        (tmp_path / "Dockerfile").write_text("FROM scratch\n")
+        config = {
+            "discover": True,
+            "search_paths": [str(tmp_path)],
+        }
+        targets = parse_container_config(config)
+        assert len(targets) == 1
+        assert targets[0].dockerfile == (tmp_path / "Dockerfile").resolve()
+
+    def test_wrapped_shape_takes_precedence_when_both_keys_present(self):
+        # Defensive: if a config has BOTH a top-level ``containers:``
+        # mapping AND top-level ``images``/``discover`` keys, prefer
+        # the wrapped form to match the historical contract. The
+        # unwrapped fallback only fires when ``containers`` isn't a
+        # mapping at the top level.
+        config = {
+            "containers": {
+                "images": [{"image": "wrapped:1.0"}],
+            },
+            "images": [{"image": "unwrapped:1.0"}],
+        }
+        targets = parse_container_config(config)
+        assert len(targets) == 1
+        assert targets[0].image_ref == "wrapped:1.0"
+
+    def test_unwrapped_with_digest_pin_preserved(self):
+        # Digest-pinned refs are the recommended form (per
+        # argus.example.yml). Round-trip through the unwrapped path
+        # without losing the @sha256: suffix.
+        ref = (
+            "ghcr.io/myorg/app:1.0@sha256:"
+            "f1e2d3c4b5a6f7e8d9c0b1a2c3d4e5f6"
+            "a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2"
+        )
+        targets = parse_container_config({"images": [{"image": ref}]})
+        assert len(targets) == 1
+        assert targets[0].image_ref == ref
