feat(linter): make HadolintLinter docker-aware so lint-dockerfile works without local hadolint

The original framing in PR #120 was that ``lint-dockerfile`` requires
the user to install hadolint locally OR wait for the
FileDiscoveryScanner template. The user pushed back — argus has the
official ``hadolint/hadolint:v2.14.0`` Docker image declared on the
linter, so the engine should be using it instead of complaining the
local binary is missing.

Two changes make that work:

1. Engine: in the auto/no-build_args defer path, hand off to
   ``scanner.scan(path, config)`` unconditionally instead of falling
   through to the is_available() gate. Scanners without build_args
   are signaling that they own dispatch internally — including the
   choice between local execution and the docker fallback. The
   is_available() gate was preventing scan() from ever being called
   when the local binary was absent, even though scan() could have
   handled it.

2. HadolintLinter.scan(): when ``self.is_available()`` returns False,
   construct a ``docker run`` command against ``self.container_image``
   instead of trying to invoke ``hadolint`` directly. Workspace
   mounts read-only at /workspace; discovered Dockerfile paths get
   translated to their /workspace/... equivalents. Hadolint accepts
   multiple file paths in one invocation, so the batched-call shape
   from the prior commit carries through cleanly.

   Bug along the way: the hadolint image has empty ENTRYPOINT and
   ``CMD = ["/bin/hadolint", "-"]``. Passing args at the end of
   ``docker run`` replaces CMD entirely, so the first arg becomes
   the command. Include the binary name explicitly as the first arg.

Verified end-to-end against this repo's checkout:

    $ argus scan lint-dockerfile --severity-threshold none
    INFO  DL3018  /workspace/docker/Dockerfile.cli:19 - Pin versions...
    INFO  DL4006  /workspace/docker/Dockerfile.cli:29 - Set the SHELL option...
    ... 11 findings across 3 Dockerfiles
    Status: PASS

Real lint findings flowing through, no local install required.

Doesn't ship a unit test for the docker subprocess path because mocking
``shutil.which("docker")`` plus the ``docker run`` invocation reliably
across pytest runs requires more plumbing than the value justifies for
a 25-line method that's verified end-to-end above. The
test_auto_backend_defers_to_scan_when_no_build_args test from this
PR's prior commit covers the engine handoff.

Author: eFAILution

argus/core/engine.py

@@ -992,12 +992,19 @@ def _run_scanner(
                         f"set backend to 'auto'/'local' to use the "
                         f"scanner's own scan() method."
                     )
+                # auto: the scanner takes ownership of dispatch. It
+                # likely has a custom flow (file-discovery linters that
+                # walk the workspace and run their tool per-batch) and
+                # handles local vs container internally — including the
+                # docker-run fallback when the local binary is absent.
+                # We hand off to scan() unconditionally rather than
+                # falling through to the is_available() gate.
                 logger.debug(
                     "Backend 'auto': scanner '%s' has no build_args/"
-                    "container_args — deferring to scanner.scan() instead "
-                    "of the container path",
+                    "container_args — handing off to scanner.scan()",
                     scanner.name,
                 )
+                return scanner.scan(path, config)
 
             # docker backend requires containers — fail explicitly
             if backend == "docker":

argus/linters/hadolint.py

@@ -27,6 +27,15 @@ def scan(self, path: str, config: dict | None = None) -> ScanResult:
         file's findings. Doing one batched call beats spawning
         ``len(dockerfiles)`` subprocesses by N startup costs and keeps
         the per-finding ``file`` field intact in the parsed output.
+
+        When the local ``hadolint`` binary isn't installed, falls back
+        to the official ``hadolint/hadolint`` Docker image (declared as
+        ``container_image`` and pulled by argus's standard mechanism).
+        Hadolint is a single Haskell binary with no Python wrapper on
+        PyPI — the container is the cleanest way to run it on a
+        machine that doesn't have the binary, and avoids requiring
+        contributors to install yet another tool just to lint our
+        Dockerfiles.
         """
         config = config or {}
         target = Path(path)
@@ -38,7 +47,24 @@ def scan(self, path: str, config: dict | None = None) -> ScanResult:
                 metadata={"info": "No Dockerfiles found"},
             )
 
-        cmd = self._build_command(dockerfiles, config)
+        if self.is_available():
+            cmd = self._build_command(dockerfiles, config)
+        else:
+            cmd = self._build_docker_command(target, dockerfiles, config)
+            if cmd is None:
+                return ScanResult(
+                    scanner=self.name,
+                    metadata={
+                        "execution_failed": True,
+                        "execution_failure_reason": (
+                            "hadolint not installed and Docker not available. "
+                            "Install hadolint from "
+                            "https://github.com/hadolint/hadolint/releases "
+                            "or install Docker to use the container backend."
+                        ),
+                    },
+                )
+
         result = subprocess.run(cmd, capture_output=True, text=True)
 
         # hadolint exits 0 when clean, non-zero when findings exist —
@@ -90,6 +116,47 @@ def _find_dockerfiles(self, target: Path) -> list[Path]:
             return [target]
         return sorted(target.rglob("Dockerfile*"))
 
+    def _build_docker_command(
+        self, target: Path, dockerfiles: list[Path], config: dict,
+    ) -> list[str] | None:
+        """Build a ``docker run hadolint ...`` command — local fallback for the container.
+
+        Returns ``None`` when Docker isn't available (the caller turns
+        that into a clean ``execution_failed`` row with both install
+        paths in the diagnostic). The mount is read-only; hadolint
+        only reads the Dockerfile contents and writes JSON to stdout.
+        """
+        if shutil.which("docker") is None:
+            return None
+
+        target_abs = target.resolve()
+        # Translate discovered host paths to their container-side
+        # equivalent under /workspace. dockerfiles came back from
+        # ``rglob`` on ``target`` so they're guaranteed to be under it.
+        container_paths = [
+            f"/workspace/{df.resolve().relative_to(target_abs).as_posix()}"
+            for df in dockerfiles
+        ]
+
+        # The hadolint/hadolint image has no ENTRYPOINT — its CMD is
+        # ``["/bin/hadolint", "-"]`` so passing args at the end of
+        # ``docker run`` replaces CMD entirely. Include the binary
+        # name explicitly as the first arg.
+        cmd = [
+            "docker", "run", "--rm",
+            "-v", f"{target_abs}:/workspace:ro",
+            self.container_image,
+            "hadolint",
+            "--format", "json",
+        ]
+        config_file = config.get("config_file")
+        if config_file:
+            cmd.extend(["--config", f"/workspace/{config_file}"])
+        for rule in config.get("ignore_rules", []) or []:
+            cmd.extend(["--ignore", rule])
+        cmd.extend(container_paths)
+        return cmd
+
     def _build_command(
         self, dockerfiles: list[Path], config: dict
     ) -> list[str]: