fix(container): surface dockerfile in artifacts and write argus-audit.json#123
Merged
eFAILution merged 2 commits intofeat/argus-portabilityfrom May 6, 2026
Conversation
…audit.json Two related gaps in container scan artifacts that block security review and audit archiving: 1. ContainerScanResult dropped the originating Dockerfile path. The target carries it; scan_image() and the engine error paths threw it away. So argus-results.json, the per-image markdown, the SARIF, and the raw outputs only ever surfaced the auto-derived tag like ``scanner-bandit:argus-scan`` — useless to a reviewer asking "which Dockerfile produced this finding?". Fix: add ``dockerfile`` and ``context`` fields to ContainerScanResult and populate them from the target in every construction site (scan_image happy path + the three error paths in the engine). Empty strings for remote-pull entries. The canonical ScanResult metadata in _cmd_container_scan now surfaces ``dockerfile_path`` and ``context_path`` for build-mode targets and omits them for remote-pull entries (so downstream readers don't have to special-case empty strings). Extracted the metadata-building logic into a small helper ``_canonical_container_metadata(result)`` so the dict shape is unit-testable without spinning up the full container engine. 2. Container scans skipped the audit manifest entirely. Source scans have always called ``create_manifest()`` at start and ``finalize_manifest()`` before exit, writing argus-audit.json alongside argus-results.json. _cmd_container_scan never did. Fix: add the same create+finalize bookend, with scan_targets listing the Dockerfile path for build-mode entries (or the image ref for remote-pull entries) so the manifest answers "which container produced this run's artifacts?". The unified exit-code computation also moved from inline early-returns to a single finalize-and-return at the bottom of the function so every success path goes through the same finalization. Tests: 1585 passing (was 1580; +5 new — ContainerScanResult dockerfile/context defaults, the canonical-metadata helper for remote-pull, build-mode, and scanner-error cases). Verified end-to-end: argus scan container now writes both argus-results.json AND argus-audit.json under the run dir, plus container-scan.md and the raw/ subdir.
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
Contributor
🔒 Argus Container Security ScanBranch: 📊 Combined Findings Summary
Scanned: 4 containers | Build Failures: 0 📦 Container Breakdown
🔍 Detailed Findings by Container🚨 cli - 29 vulnerabilities (23 unique)Image: Combined (Deduplicated)
🔷 Trivy Scanner (29 findings, 23 unique)
⚓ Grype Scanner (0 findings, 0 unique)✅ No vulnerabilities detected by Grype 🟡 scanner-bandit - 2 vulnerabilities (2 unique)Image: Combined (Deduplicated)
🔷 Trivy Scanner (2 findings, 2 unique)
⚓ Grype Scanner (0 findings, 0 unique)✅ No vulnerabilities detected by Grype
|
| 🚨 Critical | 🟡 Medium | 🔵 Low | Total | Unique | |
|---|---|---|---|---|---|
| 0 | 7 | 44 | 63 | 114 | 50 |
🔷 Trivy Scanner (114 findings, 49 unique)
| CVE | Severity | Package | Version | Fixed |
|---|---|---|---|---|
| CVE-2026-4878 | libcap2 | 1:2.75-10+b8 | N/A | |
| CVE-2025-69720 | libncursesw6 | 6.5+20250216-2 | N/A | |
| CVE-2026-29111 | libsystemd0 | 257.9-1~deb13u1 | N/A | |
| CVE-2025-69720 | libtinfo6 | 6.5+20250216-2 | N/A | |
| CVE-2026-29111 | libudev1 | 257.9-1~deb13u1 | N/A | |
| CVE-2025-69720 | ncurses-base | 6.5+20250216-2 | N/A | |
| CVE-2025-69720 | ncurses-bin | 6.5+20250216-2 | N/A | |
| CVE-2026-27456 | 🟡 MEDIUM | bsdutils | 1:2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | bsdutils | 1:2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libblkid1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libblkid1 | 2.41-5 | N/A |
| CVE-2026-4046 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-4437 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-4438 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-5435 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-5450 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-5928 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-6238 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-4046 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-4437 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-4438 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-5435 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-5450 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-5928 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-6238 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | liblastlog2-2 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | liblastlog2-2 | 2.41-5 | N/A |
| CVE-2026-34743 | 🟡 MEDIUM | liblzma5 | 5.8.1-1 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libmount1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libmount1 | 2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libsmartcols1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libsmartcols1 | 2.41-5 | N/A |
| CVE-2026-40225 | 🟡 MEDIUM | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2026-40226 | 🟡 MEDIUM | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2026-4105 | 🟡 MEDIUM | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2026-40225 | 🟡 MEDIUM | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2026-40226 | 🟡 MEDIUM | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2026-4105 | 🟡 MEDIUM | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libuuid1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libuuid1 | 2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | login | 1:4.16.0-2+really2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | login | 1:4.16.0-2+really2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | mount | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | mount | 2.41-5 | N/A |
| CVE-2026-5958 | 🟡 MEDIUM | sed | 4.9-2 | N/A |
| CVE-2026-5704 | 🟡 MEDIUM | tar | 1.35+dfsg-3.1 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | util-linux | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | util-linux | 2.41-5 | N/A |
| CVE-2026-27171 | 🟡 MEDIUM | zlib1g | 1:1.3.dfsg+really1.3.1-1+b1 | N/A |
| CVE-2026-3219 | 🟡 MEDIUM | pip | 26.0.1 | N/A |
...and 64 more
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype
⚠️ scanner-supply-chain - 9 vulnerabilities (9 unique)
Image: ghcr.io/huntridge-labs/argus/scanner-supply-chain:8523ab9b90a1bc20901788a0ac1a04e2bd8b6e92
Combined (Deduplicated)
| 🚨 Critical | 🟡 Medium | 🔵 Low | Total | Unique | |
|---|---|---|---|---|---|
| 0 | 4 | 5 | 0 | 9 | 9 |
🔷 Trivy Scanner (9 findings, 9 unique)
| CVE | Severity | Package | Version | Fixed |
|---|---|---|---|---|
| CVE-2026-32280 | stdlib | v1.26.1 | 1.25.9, 1.26.2 | |
| CVE-2026-32281 | stdlib | v1.26.1 | 1.25.9, 1.26.2 | |
| CVE-2026-32283 | stdlib | v1.26.1 | 1.25.9, 1.26.2 | |
| CVE-2026-33810 | stdlib | v1.26.1 | 1.26.2 | |
| CVE-2026-3219 | 🟡 MEDIUM | pip | 26.0.1 | N/A |
| CVE-2026-6357 | 🟡 MEDIUM | pip | 26.0.1 | 26.1 |
| CVE-2026-32282 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32288 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32289 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype
Generated by Argus
…hreading Brings codecov/patch above the 80% threshold by exercising the new dockerfile/context plumbing through every engine path that builds a ContainerScanResult — build failure, OSError during scan, generic Exception during scan — plus the happy-path threading from scan_image. Each test asserts dockerfile and context are populated from the target (build entries) or empty (remote-pull entries). Five new tests in TestEngineErrorPathsCarryDockerfile and TestScanImageThreadsDockerfile.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Two related gaps in container scan artifacts that block security review and audit archiving.
Changes Made
Details
1. Dockerfile path missing from container scan artifacts
ContainerScanResultdropped the originating Dockerfile path. The target carried it;scan_image()and the engine's three error paths threw it away. Soargus-results.json, the per-image markdown, the SARIF, and the raw outputs only ever surfaced the auto-derived tag likescanner-bandit:argus-scan— useless to a reviewer asking "which Dockerfile produced this finding?".Fix:
dockerfile: str = ""andcontext: str = ""fields toContainerScanResultScanResult.metadatasurfacesdockerfile_pathandcontext_pathfor build-mode targets and omits them for remote-pull entries — downstream readers don't have to special-case empty strings_canonical_container_metadata(result)so the dict shape is unit-testable without spinning up the full engine2. No audit manifest for container scans
Source scans have always called
create_manifest()at start andfinalize_manifest()before each exit, writingargus-audit.jsonalongsideargus-results.json._cmd_container_scannever did. Soargus scan containerskipped the entire audit-trail layer source scans have.Fix:
_cmd_container_scanscan_targetslists the Dockerfile path for build-mode entries (or the image ref for remote-pull entries) so the manifest answers "which container produced this run's artifacts?"EXIT_ERRORbefore returningVerification
End-to-end smoke test against the dogfood
argus.yml:argus-results.jsonfor a build-mode entry now includes:{ "scanner": "container/scanner-bandit", "metadata": { "image_ref": "scanner-bandit:argus-scan", "build_success": true, "dockerfile_path": "docker/Dockerfile.bandit", "context_path": "." } }Remote-pull entries omit the dockerfile/context keys (no special-casing needed downstream).
Testing
Test Results
TestContainerScanResultDockerfileFields— defaults to empty for remote-pull, populated for build entriesTestCanonicalContainerMetadata—_canonical_container_metadata(result)omits dockerfile keys for remote-pull, includes them for build, surfaces scanner_errorsargus.audit.test_manifest(existing) covers the manifest-write layer the new_cmd_container_scanconsumer plugs intoSecurity Considerations
Security Details
This is the audit-trail completion that source scans have had since day one. A security reviewer or compliance archive looking at a container scan's artifacts can now trace any finding back to its originating Dockerfile without cross-referencing the workflow definition or shell history. The audit manifest captures the exact targets, config path, exit code, and findings summary at finalize time.
AI Context Updates (.ai/)
Checklist
For New Scanners/Actions (if applicable)