Description

Three fixes plus a workflow refactor, all surfaced while running argus scan and argus scan container against argus's own source and image set during the validation pass after PR #117.

Changes Made

• Added new scanner/workflow
• Modified existing scanner/workflow
• Updated documentation
• Fixed bug
• Other (please specify)

Details

1. argus validate now validates the top-level containers: block

Until now argus/core/schema.py recognized containers as a known top-level key but never inspected its contents. Typos and structural mistakes only surfaced (or failed silently) at scan time:

New _validate_containers helper walks the block and produces the same ConfigError objects the rest of the validator already emits, so both argus validate and the pre-scan validation in ArgusConfig._load_file pick it up. 15 unit tests in argus/tests/core/test_schema_containers.py.

2. argus scan container auto-loads argus.yml when no --config is given

The source-scan dispatcher has always done this; the container subcommand used to require an explicit --config FILE even when argus.yml sat right at the project root with a populated containers: block. Now both flows search the canonical _DEFAULT_CONFIG_NAMES list (argus.yml, argus.yaml, .argus.yml, .argus.yaml). CLI flags still take precedence over config-file values.

3. .ai/ doc cleanup

The recent context refresh (commit fa22779) claimed argus list and argus version are subcommands. They're not — argus --version is a top-level flag, and the registered subcommand list is init / scan / classify / collect / report / validate / mcp / completion / cache / view. .ai/context.yaml and .ai/architecture.yaml corrected.

4. .github/workflows/build-containers.yml — argus.yml as matrix source of truth

Hardcoded matrices in three places (build, scan, test-cli) replaced with a single preflight matrix job that reads argus.yml's containers.images list and emits a JSON matrix the downstream jobs consume via fromJson(needs.matrix.outputs.matrix). Adding a fifth scanner image is now one entry in argus.yml, not three matrix edits across the workflow plus the dogfood config.

The actual scanning still runs aquasecurity/trivy-action + anchore/scan-action — authored actions, not argus-scanning-argus. Argus-scanning-argus to validate argus is circular trust, and the user explicitly called this out:

Scanning argus with argus to prove that argus is secure may be bad taste.

So argus.yml drives the matrix, the trust boundary stays outside our own codebase.

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• Tested with different scanner combinations

Test Results

• New schema tests: 15 unit tests in test_schema_containers.py (happy paths, structural errors, image-entry validation, sub-scanner whitelist, unknown-key warnings)
• New CLI test: 1 regression test for the auto-config-load behavior
• Full SDK suite: 1513 passed, 8 skipped (was 1497 on main; +16 from new tests, no regressions)
• Pre-commit hooks: all green (yamllint, codespell, hardcoded-secrets, etc.)

Manual validation against the local checkout (the trigger for this PR):

• argus scan --config argus.yml: 6 scanners, 163 findings
• argus scan container --config argus.yml: 4 images built locally, 230s wall, 141 total findings (98 unique)
• argus scan container (no --config): now auto-detects argus.yml, runs identically to the explicit form ✅

Security Considerations

• No security impact
• Security enhancement
• Potential security implications (explain below)

Security Details

The workflow refactor (#4) makes argus.yml the input to a CI-time matrix builder, but the runner step reads only the checked-out repo file via yq (no untrusted input from PR titles/body/etc.). The pre-commit yamllint and the husky hook chain reviewed the change.

The trust-boundary point is the substantive one: by keeping aquasecurity/trivy-action and anchore/scan-action for the actual container scanning, argus's own image set is validated by external tools rather than by argus itself.

AI Context Updates (.ai/)

• .ai/architecture.yaml updated (removed false argus list claim, added missing --version clarification)
• .ai/workflows.yaml updated (if commands/tasks changed)
• .ai/decisions.yaml updated (if design decision made)
• .ai/errors.yaml updated (if common error addressed)
• N/A - No .ai/ updates needed

.ai/context.yaml cli_subcommands list reorganized; argus list and argus version removed (they don't exist); --version flag explicitly noted under a new cli_flags: section.

Checklist

• Code follows project style guidelines
• Documentation updated (.ai/ context corrections, workflow comments)
• Changelog updated (if applicable)
• All tests pass
• Reviewed by at least one maintainer
• Reviewed CONTRIBUTING.md guidelines

For New Scanners/Actions (if applicable)

• N/A — no new scanners/actions

Follow-ups (not in this PR)

Surfaced during the same dogfooding pass; deferred to keep this PR focused:

• lint-dockerfile doesn't appear in source-scan results even when its container image (hadolint) is unavailable locally. Other scanners surface as failed-execution rows with metadata.execution_failed; lint-dockerfile silently drops out. Worth investigating — likely a registry routing issue between LINTER_REGISTRY and SCANNER_REGISTRY for the engine's failure-row construction.