Surface compose service scan failures in CLI output#133
Open
avtandili-babilodze wants to merge 2 commits into
Open
Surface compose service scan failures in CLI output#133avtandili-babilodze wants to merge 2 commits into
avtandili-babilodze wants to merge 2 commits into
Conversation
When a per-service image scan fails during --compose scans (e.g. image not pulled locally), the failure was only logged via logger.error, which is invisible by default in CLI mode. The scan would otherwise complete and report a security score as if every service had actually been scanned. ComposeOrchestrator.run_full_scan now tracks which services failed and why, and threads that into the results dict. The CLI surfaces this via output.warn/output.detail and a Quick take line, e.g.: 1 of 2 service(s) could not be scanned: db No change to exit codes or scoring.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #133 +/- ##
=======================================
Coverage ? 77.53%
=======================================
Files ? 24
Lines ? 3708
Branches ? 0
=======================================
Hits ? 2875
Misses ? 833
Partials ? 0
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--composescans (image not pulled locally, scanner exception, etc.), the failure was only visible vialogger.error, invisible by default in CLI mode. The scan would otherwise complete and report a score as if every service was fully scanned.ComposeOrchestrator.run_full_scannow tracks which services failed and why (failed_services,scanned_services) instead of only a booleanall_success, and threads this into the returned results dict.output.warn/output.detailright after the score, and adds a line to the "Quick take" block, e.g.:Test plan
pytest tests/test_compose_scanner.py— 6 passed (4 existing + 2 new covering failed image scan and scanner exception)pytest tests/— 159 passed, no regressionsComposeOrchestrator+_render_scan_summaryagainstexamples/compose/docker-compose-insecure.ymlwith a mocked failing image scan (image not pulled locally) and confirmed the warning/detail/quick-take lines render as expected