fix(container-scanner): handle empty/malformed grype output without traceback

Three failure modes in the container sub-scanner runners produced
either a JSONDecodeError traceback or a silent downgrade of scanner
coverage:

1. Grype writes a 0-byte ``grype-results.json`` (common when its
   catalog/image-resolution step fails after the output handle is
   created). ``output_file.exists()`` is True, so the existing
   "no output" guard skipped, and ``json.loads("")`` blew up with a
   bare JSONDecodeError that propagated to the user.
2. Grype's ``except Exception: logger.exception(...); return []``
   path swallowed the error after dumping a Python traceback to
   stderr — engine never recorded ``scanner_errors["grype"]``,
   summary reported "Grype: 0 findings" as if the scan succeeded.
3. Trivy had a similar shape: ``logger.exception`` on parse failure
   spammed a traceback even though the runtime contract was correct.

Fix
- New shared helper ``_validate_scanner_output(scanner_name,
  output_file, result)`` validates in order: returncode == 0, file
  exists, file size > 0. On any failure, logs at ERROR level
  (clipped stderr, no traceback) and raises a single
  ``RuntimeError(f"<scanner> scan failed (exit N): <stderr>")``
  shape so the orchestrator records it under ``scanner_errors``
  consistently.
- ``_run_grype`` and ``_run_trivy`` both call the helper after
  their subprocess returns, then translate JSON parse errors into
  the same ``RuntimeError`` shape (instead of bare JSONDecodeError
  or silent ``return []``).
- ``logger.exception(...)`` → ``logger.error(...)`` on parse
  failure paths so users don't see a Python traceback for an
  expected scanner failure mode.

Behavior preserved
- Healthy scans (zero exit, JSON-parseable output) take the same
  fast path through the parser.
- The orchestrator's existing try/except around ``_run_grype`` /
  ``_run_trivy`` already catches ``RuntimeError`` and records it
  under ``scanner_errors``; this PR makes the runners *actually*
  raise that shape instead of silencing failures.
- Trivy still propagates findings when grype fails, and vice versa
  — partial scan coverage is preserved while the failed scanner is
  surfaced separately.

Tests (+13)
- ``TestValidateScannerOutput`` (6 cases): helper acceptance matrix —
  healthy run silent, non-zero exit raises with stderr breadcrumb,
  missing file raises, 0-byte file raises, stderr+0-byte combo
  raises with breadcrumb, short stderr preserved verbatim.
- ``TestRunGrype`` (4 cases, the user's exact acceptance matrix):
  non-zero exit + empty file, zero exit + empty file, malformed
  JSON, valid JSON happy path.
- ``TestRunTrivy`` (2 cases): mirror coverage — same failure-mode
  contract via the shared validator.
- ``TestOrchestratorRecordsScannerError`` (1 case): end-to-end
  assertion that grype's RuntimeError flows up to
  ``scanner_errors["grype"]`` AND trivy's findings still propagate
  in the same scan. Closes the loop on "preserve partial results
  from other scanners but clearly surface the failure."

Validation
- Full SDK suite: 1451 passed (+13 from this PR), 8 skipped.

Author: eFAILution

argus/container/scanner.py

@@ -1,5 +1,6 @@
 """Scan container images with trivy and grype, deduplicate findings."""
 
+import json
 import logging
 import shutil
 import tempfile
@@ -232,6 +233,70 @@ def _container_vol_args(
     return args
 
 
+def _validate_scanner_output(
+    scanner_name: str,
+    output_file: Path,
+    result,
+) -> None:
+    """Raise RuntimeError when a sub-scanner's run looks unhealthy.
+
+    Container sub-scanners (trivy, grype) all hand off via the same
+    "subprocess writes JSON to a file path, we parse it" contract.
+    They all have the same failure modes:
+
+    1. subprocess exits non-zero — DB pull failed, image not
+       resolvable, registry auth missing, etc. Anything that prints
+       to stderr and bails before producing meaningful output.
+    2. output file isn't there — scanner crashed mid-run.
+    3. output file exists but is 0 bytes — common when a wrapper
+       process (e.g. ``docker run --rm``) exits non-zero from a
+       different stage than the scanner itself, leaving a stub
+       file from the redirect.
+
+    All three modes need to surface the scanner's own stderr (clipped
+    for terminal sanity), use ERROR-level logging without dumping a
+    Python traceback, and raise a single ``RuntimeError`` shape so
+    the caller can record it under ``scanner_errors`` consistently.
+
+    JSON parse failure is intentionally NOT validated here — every
+    sub-scanner uses a different parser, so the per-runner caller
+    owns that check (and translates exceptions into RuntimeError
+    via the same shape).
+    """
+    stderr = result.stderr.strip()[:500] if result.stderr else ""
+    stderr_label = stderr or "no stderr"
+
+    if result.returncode != 0:
+        logger.error(
+            "%s exited non-zero (%d): %s",
+            scanner_name, result.returncode, stderr_label,
+        )
+        raise RuntimeError(
+            f"{scanner_name} scan failed (exit {result.returncode}): "
+            f"{stderr or 'no output'}"
+        )
+
+    if not output_file.exists():
+        logger.error(
+            "%s produced no output file (exit %d): %s",
+            scanner_name, result.returncode, stderr_label,
+        )
+        raise RuntimeError(
+            f"{scanner_name} scan produced no output file "
+            f"(exit {result.returncode}): {stderr or 'no output'}"
+        )
+
+    if output_file.stat().st_size == 0:
+        logger.error(
+            "%s produced 0-byte output (exit %d): %s",
+            scanner_name, result.returncode, stderr_label,
+        )
+        raise RuntimeError(
+            f"{scanner_name} scan produced empty output file "
+            f"(exit {result.returncode}): {stderr or 'no output'}"
+        )
+
+
 def _run_trivy(
     image_ref: str, tmp_path: Path, local: bool = False,
 ) -> list[Finding]:
@@ -318,21 +383,21 @@ def _run_trivy(
         logger.error("trivy binary not found")
         return []
 
-    if not output_file.exists():
-        stderr = result.stderr.strip()[:500]
-        logger.error(
-            "trivy produced no output (exit %d): %s",
-            result.returncode, stderr,
-        )
-        raise RuntimeError(
-            f"trivy scan failed (exit {result.returncode}): {stderr or 'no output'}"
-        )
+    _validate_scanner_output("trivy", output_file, result)
 
     try:
         return _parser.parse_trivy_results(output_file)
-    except Exception:
-        logger.exception("Failed to parse trivy results for %s", image_ref)
-        raise
+    except json.JSONDecodeError as exc:
+        logger.error("trivy output JSON parse error for %s: %s", image_ref, exc)
+        raise RuntimeError(
+            f"trivy output JSON parse error: {exc}"
+        ) from exc
+    except Exception as exc:
+        # Non-decode parser errors (schema mismatch, missing keys) —
+        # log without traceback and re-raise as RuntimeError so the
+        # engine catches it as a structured scanner_errors entry.
+        logger.error("trivy output parse error for %s: %s", image_ref, exc)
+        raise RuntimeError(f"trivy output parse error: {exc}") from exc
 
 
 def _run_grype(
@@ -407,21 +472,26 @@ def _run_grype(
         logger.error("grype binary not found")
         return []
 
-    if not output_file.exists():
-        stderr = result.stderr.strip()[:500]
-        logger.error(
-            "grype produced no output (exit %d): %s",
-            result.returncode, stderr,
-        )
-        raise RuntimeError(
-            f"grype scan failed (exit {result.returncode}): {stderr or 'no output'}"
-        )
+    _validate_scanner_output("grype", output_file, result)
 
     try:
         return _parser.parse_grype_results(output_file)
-    except Exception:
-        logger.exception("Failed to parse grype results for %s", image_ref)
-        return []
+    except json.JSONDecodeError as exc:
+        # The user-reported regression: grype writes a 0-byte file
+        # when its image-resolution / catalog step fails after the
+        # output handle is created. Validation above catches that
+        # branch first, but JSON-shape errors (truncated output,
+        # malformed schema) still land here. Raise instead of
+        # swallowing — the engine catches the RuntimeError and
+        # records it under scanner_errors so the summary reflects
+        # reality instead of silently dropping grype's contribution.
+        logger.error("grype output JSON parse error for %s: %s", image_ref, exc)
+        raise RuntimeError(
+            f"grype output JSON parse error: {exc}"
+        ) from exc
+    except Exception as exc:
+        logger.error("grype output parse error for %s: %s", image_ref, exc)
+        raise RuntimeError(f"grype output parse error: {exc}") from exc
 
 
 def _run_syft(image_ref: str, tmp_path: Path) -> None: