fix: dogfood scan now actually scans what we ship

Three related fixes that surfaced from running `argus scan` against
the argus repo itself:

1) supply-chain scanner ran in 795ms doing nothing.
   The Dockerfile sets ENTRYPOINT ["/bin/sh", "-c"] AND the scanner's
   container_args() also returned ["sh", "-c", "<cmd>"]. Docker exec
   resolved to `/bin/sh -c "sh" "-c" "<cmd>"` — the script was just
   "sh" (start a no-op interactive shell, exit), and the real zizmor
   + actionlint commands never ran. Returns a single-element list now;
   the entrypoint provides the shell. Empirical verification on
   argus's own .github/workflows/: 44 zizmor findings (38 after
   exclusion filtering) vs 0 before.

2) `argus scan --interface=browser` never auto-opened the browser.
   `_launch_view_after_scan` called `browser_launch(root=...)` without
   `open_browser=`, so it always defaulted to False. `argus view
   --interface=browser` correctly TTY-checks and auto-opens; the
   post-scan path now matches via `open_browser=sys.stdout.isatty()`.

3) argus.yml dogfood config wasn't linting our own Dockerfiles.
   We have four Dockerfiles in docker/ but no Dockerfile-targeting
   scanner was enabled. Enables `lint-dockerfile` (hadolint) so the
   default scan flags missing USER directives, mutable image tags,
   apt-without-flags, and friends. Also rewrites the inline comment
   block on the disabled scanners to point at the right on-demand
   commands (`argus scan container --discover .`, `argus scan zap
   --target ...`) for clarity.

Tests updated for the supply-chain shape change. Full SDK suite
(1363 tests) green.

Author: eFAILution

argus.yml

@@ -30,7 +30,18 @@ scanners:
   supply-chain:
     enabled: true
 
-  # Not applicable to this repo
+  # Lint our own Dockerfiles via hadolint as part of the default scan.
+  # Catches bad practices (mutable image tags, missing USER directives,
+  # apt without --no-install-recommends, etc.) on every run.
+  lint-dockerfile:
+    enabled: true
+
+  # Not applicable to this repo as part of the default scan:
+  # - trivy-iac / checkov target Terraform / CloudFormation / K8s — none here
+  # - container / zap operate on built images / running endpoints, not
+  #   source paths; run them on demand:
+  #     argus scan container --discover .
+  #     argus scan zap --target http://...
   trivy-iac:
     enabled: false
   checkov:

argus/cli.py

@@ -1349,7 +1349,11 @@ def _launch_view_after_scan(interface: str, results_dir: str) -> None:
         try:
             from argus.viewers.browser import launch as browser_launch, ViewerUnavailable
             try:
-                browser_launch(root=results_dir)
+                # Match `argus view --interface=browser` semantics: auto-open
+                # the user's default browser when stdout is a TTY (interactive
+                # invocation), skip in CI / piped contexts where webbrowser.open
+                # would fail or hang.
+                browser_launch(root=results_dir, open_browser=sys.stdout.isatty())
             except ViewerUnavailable as exc:
                 print(f"\n{exc}", file=sys.stderr)
         except ImportError as exc:  # pragma: no cover — defensive

argus/scanners/supply_chain.py

@@ -39,14 +39,17 @@ class SupplyChainScanner:
     def container_args(self, config: dict | None = None) -> list[str]:
         """Return CLI args for running zizmor+actionlint in a container.
 
-        Uses ``sh -c`` to chain two tools in a single container invocation.
-        This is safe because containers always run Linux regardless of the
-        host OS, so POSIX ``sh`` semantics are guaranteed.  The semicolon
-        between commands ensures actionlint runs even if zizmor exits
-        non-zero (findings found).
+        The supply-chain Dockerfile sets ``ENTRYPOINT ["/bin/sh", "-c"]``
+        so we pass a single-element list — the shell command string. The
+        previous shape (``["sh", "-c", "<cmd>"]``) double-dispatched the
+        shell: docker exec became ``/bin/sh -c "sh" "-c" "<cmd>"``, the
+        script was literally ``"sh"`` (start a no-op interactive shell),
+        and the real zizmor + actionlint commands never ran.
+
+        The semicolon between zizmor and actionlint ensures actionlint
+        runs even if zizmor exits non-zero (findings found).
         """
         return [
-            "sh", "-c",
             "zizmor --format sarif /workspace/.github/ > /output/zizmor.json 2>/dev/null; "
             "actionlint -format '{{json .}}' /workspace/.github/workflows/ > /output/actionlint.json 2>/dev/null || true",
         ]

argus/tests/scanners/test_supply_chain.py

@@ -227,11 +227,13 @@ def test_container_args_default(self):
         scanner = SupplyChainScanner()
         args = scanner.container_args()
 
+        # Single-element list: the supply-chain Dockerfile sets
+        # ENTRYPOINT ["/bin/sh", "-c"] so we pass just the command
+        # string. Returning ["sh", "-c", ...] would double-dispatch
+        # the shell and the real command would never run.
         assert isinstance(args, list)
-        assert args[0] == "sh"
-        assert args[1] == "-c"
-        # The shell command should reference both tools
-        shell_cmd = args[2]
+        assert len(args) == 1
+        shell_cmd = args[0]
         assert "zizmor" in shell_cmd
         assert "actionlint" in shell_cmd
 
@@ -242,5 +244,5 @@ def test_container_args_with_persona(self):
         # Current implementation does not vary container_args by config,
         # so verify the default structure is still returned intact.
         assert isinstance(args, list)
-        assert len(args) == 3
-        assert "zizmor" in args[2]
+        assert len(args) == 1
+        assert "zizmor" in args[0]