fix(actions): container format flag, checkov tuple parse, zap flag name

Three CI-breaking bugs:

1. scanner-container --format still space-separated (missed in prior fix)
2. Engine _run_in_container didn't handle checkov's parse_results returning
   a (findings, passed_count) tuple instead of a plain list
3. scanner-zap used --severity (invalid) instead of --severity-threshold,
   and set -euo pipefail caused early exit on unset vars

Author: eFAILution

.github/actions/scanner-container/action.yml

@@ -100,7 +100,7 @@ runs:
         python -m argus scan container \
           --image "$IMAGE_REF" \
           --scanners "$SCANNERS" \
-          --format json markdown sarif \
+          --format json --format markdown --format sarif \
           --output-dir "./$REPORT_DIR" \
           --no-timestamp \
           --severity-threshold "${FAIL_ON_SEVERITY:-none}" \

.github/actions/scanner-zap/action.yml

@@ -121,7 +121,6 @@ runs:
         STARTUP_TIMEOUT: ${{ inputs.startup_timeout }}
         FAIL_ON_SEVERITY: ${{ inputs.fail_on_severity }}
       run: |
-        set -euo pipefail
         mkdir -p zap-reports scanner-summaries
 
         # SDK auto-discovers argus.yml if present; works without one too
@@ -155,7 +154,7 @@ runs:
 
         # Pass severity threshold to SDK
         if [ "$FAIL_ON_SEVERITY" != "none" ]; then
-          CMD="$CMD --severity $FAIL_ON_SEVERITY"
+          CMD="$CMD --severity-threshold $FAIL_ON_SEVERITY"
         fi
 
         # Run scan (exit code 1 = findings above threshold)

argus/core/engine.py

@@ -352,8 +352,16 @@ def _run_in_container(
                 )
 
             findings = []
+            metadata_extra = {}
             if result_files and hasattr(scanner, "parse_results"):
-                findings = scanner.parse_results(result_files[0])
+                parsed = scanner.parse_results(result_files[0])
+                # parse_results may return a list or a (list, extra) tuple
+                if isinstance(parsed, tuple):
+                    findings, extra = parsed
+                    if isinstance(extra, int):
+                        metadata_extra["passed_count"] = extra
+                else:
+                    findings = parsed
                 logger.debug(
                     "Parsed %d finding(s) from %s",
                     len(findings),
@@ -367,6 +375,7 @@ def _run_in_container(
                     "execution": "container",
                     "image": image,
                     "digest": digest,
+                    **metadata_extra,
                 },
             )