feat(validate): surface containers block in success summary

The validate-success summary listed scanners, formats, and backend but
ignored the top-level containers block entirely. With containers
silently absent from the summary the user had no signal that argus
validate had inspected it — a typo at the block name (e.g.
``containerz:``) would still show up as a top-level-key warning, but a
correctly-named block with valid contents looked identical to no block
at all.

Add a Containers line that shows:
  Containers: 4 image(s)
    - ghcr.io/myorg/scanner-bandit:dev
    - ghcr.io/myorg/scanner-opengrep:dev
    ...
  Containers: discover from docker/, .
  Containers: 2 image(s) + discover from docker/

The line is only printed when the block is structurally a mapping; if
no containers block exists, the validator stays silent (matching the
optional nature of the block). Three new regression tests in
TestCmdValidate cover the present, absent, and discover variants.

Author: eFAILution

argus/cli.py

@@ -2609,6 +2609,31 @@ def cmd_validate(args: argparse.Namespace) -> int:
     backend = data.get("execution", {}).get("backend", "auto")
     print(f"   Backend: {backend}")
 
+    # Containers: only printed when the block exists and is structurally
+    # sound (validate already surfaced any errors above). The line gives
+    # the user a "yes, your containers config was inspected" signal that
+    # was missing — without it, a typo'd top-level key like ``containerz``
+    # used to fail silently here too.
+    containers = data.get("containers")
+    if isinstance(containers, dict):
+        images = containers.get("images") or []
+        discover = containers.get("discover", False)
+        search_paths = containers.get("search_paths") or []
+        parts = []
+        if isinstance(images, list) and images:
+            parts.append(f"{len(images)} image(s)")
+        if discover:
+            paths_str = ", ".join(search_paths) if search_paths else "."
+            parts.append(f"discover from {paths_str}")
+        summary = " + ".join(parts) if parts else "no targets"
+        print(f"   Containers: {summary}")
+        if isinstance(images, list) and images:
+            for entry in images:
+                if not isinstance(entry, dict):
+                    continue
+                ref = entry.get("image") or entry.get("dockerfile") or "<unknown>"
+                print(f"     - {ref}")
+
     # Tool readiness check
     unavailable = []
     tool_statuses = []

argus/tests/test_cli.py

@@ -872,6 +872,85 @@ def test_validate_strict_fails_on_warnings(self, tmp_path, capsys):
         captured = capsys.readouterr()
         assert "strict" in captured.out.lower() or "warning" in captured.out.lower()
 
+    def test_validate_summary_lists_containers_when_block_present(
+        self, tmp_path, capsys,
+    ):
+        """The summary should surface configured container targets so
+        the user knows the ``containers:`` block was inspected."""
+        config_file = tmp_path / "argus.yml"
+        config_file.write_text(
+            "scanners:\n"
+            "  bandit:\n"
+            "    enabled: true\n"
+            "containers:\n"
+            "  images:\n"
+            "    - image: ghcr.io/myorg/app:1.0\n"
+            "    - image: myorg/inhouse:dev\n"
+            "      dockerfile: docker/Dockerfile\n"
+        )
+        args = argparse.Namespace(
+            config=str(config_file),
+            check_tools=False,
+            strict=False,
+        )
+        result = cmd_validate(args)
+
+        assert result == EXIT_SUCCESS
+        out = capsys.readouterr().out
+        assert "Containers: 2 image(s)" in out
+        assert "ghcr.io/myorg/app:1.0" in out
+        assert "myorg/inhouse:dev" in out
+
+    def test_validate_summary_omits_containers_line_when_block_absent(
+        self, tmp_path, capsys,
+    ):
+        """When no ``containers:`` block exists, the summary should not
+        mention containers at all — the block is optional and silence
+        is the right signal."""
+        config_file = tmp_path / "argus.yml"
+        config_file.write_text(
+            "scanners:\n"
+            "  bandit:\n"
+            "    enabled: true\n"
+        )
+        args = argparse.Namespace(
+            config=str(config_file),
+            check_tools=False,
+            strict=False,
+        )
+        result = cmd_validate(args)
+
+        assert result == EXIT_SUCCESS
+        out = capsys.readouterr().out
+        assert "Containers:" not in out
+
+    def test_validate_summary_shows_discover_when_set(self, tmp_path, capsys):
+        """``discover: true`` should surface in the summary alongside
+        any configured search_paths."""
+        config_file = tmp_path / "argus.yml"
+        config_file.write_text(
+            "scanners:\n"
+            "  bandit:\n"
+            "    enabled: true\n"
+            "containers:\n"
+            "  discover: true\n"
+            "  search_paths:\n"
+            "    - docker/\n"
+            "    - .\n"
+        )
+        args = argparse.Namespace(
+            config=str(config_file),
+            check_tools=False,
+            strict=False,
+        )
+        result = cmd_validate(args)
+
+        assert result == EXIT_SUCCESS
+        out = capsys.readouterr().out
+        assert "Containers:" in out
+        assert "discover from" in out
+        assert "docker/" in out
+
 
 class TestCmdReport:
     """Integration tests for cmd_report."""