Description

Two related gaps in container scan artifacts that block security review and audit archiving.

Changes Made

• Added new scanner/workflow
• Modified existing scanner/workflow
• Updated documentation
• Fixed bug
• Other (please specify)

Details

1. Dockerfile path missing from container scan artifacts

ContainerScanResult dropped the originating Dockerfile path. The target carried it; scan_image() and the engine's three error paths threw it away. So argus-results.json, the per-image markdown, the SARIF, and the raw outputs only ever surfaced the auto-derived tag like scanner-bandit:argus-scan — useless to a reviewer asking "which Dockerfile produced this finding?".

Fix:

• Add dockerfile: str = "" and context: str = "" fields to ContainerScanResult
• Populate them from the target in every construction site (scan_image happy path + the three engine error paths)
• Empty strings for remote-pull entries
• Canonical ScanResult.metadata surfaces dockerfile_path and context_path for build-mode targets and omits them for remote-pull entries — downstream readers don't have to special-case empty strings
• Extracted the metadata-building logic into a small helper _canonical_container_metadata(result) so the dict shape is unit-testable without spinning up the full engine

2. No audit manifest for container scans

Source scans have always called create_manifest() at start and finalize_manifest() before each exit, writing argus-audit.json alongside argus-results.json. _cmd_container_scan never did. So argus scan container skipped the entire audit-trail layer source scans have.

Fix:

• Add the same create + finalize bookend in _cmd_container_scan
• scan_targets lists the Dockerfile path for build-mode entries (or the image ref for remote-pull entries) so the manifest answers "which container produced this run's artifacts?"
• Unified exit-code computation moved from inline early-returns to a single finalize-and-return at the bottom of the function so every success path goes through the same finalization
• Engine-error path also finalizes the manifest with EXIT_ERROR before returning

Verification

End-to-end smoke test against the dogfood argus.yml:

argus-results/latest/
├── argus-audit.json    ← NEW (was missing for container scans)
├── argus-results.json
├── argus.log
├── container-scan.md
└── raw/

argus-results.json for a build-mode entry now includes:

{
  "scanner": "container/scanner-bandit",
  "metadata": {
    "image_ref": "scanner-bandit:argus-scan",
    "build_success": true,
    "dockerfile_path": "docker/Dockerfile.bandit",
    "context_path": "."
  }
}

Remote-pull entries omit the dockerfile/context keys (no special-casing needed downstream).

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• Tested with different scanner combinations

Test Results

• 5 new unit tests:
  • TestContainerScanResultDockerfileFields — defaults to empty for remote-pull, populated for build entries
  • TestCanonicalContainerMetadata — _canonical_container_metadata(result) omits dockerfile keys for remote-pull, includes them for build, surfaces scanner_errors
• Full SDK suite: 1585 passing (was 1580 before this PR)
• argus.audit.test_manifest (existing) covers the manifest-write layer the new _cmd_container_scan consumer plugs into

Security Considerations

• No security impact
• Security enhancement
• Potential security implications (explain below)

Security Details

This is the audit-trail completion that source scans have had since day one. A security reviewer or compliance archive looking at a container scan's artifacts can now trace any finding back to its originating Dockerfile without cross-referencing the workflow definition or shell history. The audit manifest captures the exact targets, config path, exit code, and findings summary at finalize time.

AI Context Updates (.ai/)

• N/A - No .ai/ updates needed (artifact-shape fix; no architecture or workflow changes)

Checklist

• Code follows project style guidelines
• Documentation updated (inline comments + commit message describe the audit-trail symmetry with source scans)
• Changelog updated (if applicable)
• All tests pass
• Reviewed by at least one maintainer
• Reviewed CONTRIBUTING.md guidelines

For New Scanners/Actions (if applicable)

• N/A — modifying existing container-scan flow only