Skip to content

Surface compose service scan failures in CLI output#133

Open
avtandili-babilodze wants to merge 2 commits into
OWASP:mainfrom
avtandili-babilodze:fix/compose-surface-failed-services
Open

Surface compose service scan failures in CLI output#133
avtandili-babilodze wants to merge 2 commits into
OWASP:mainfrom
avtandili-babilodze:fix/compose-surface-failed-services

Conversation

@avtandili-babilodze

Copy link
Copy Markdown

Summary

  • When a per-service image scan fails during --compose scans (image not pulled locally, scanner exception, etc.), the failure was only visible via logger.error, invisible by default in CLI mode. The scan would otherwise complete and report a score as if every service was fully scanned.
  • ComposeOrchestrator.run_full_scan now tracks which services failed and why (failed_services, scanned_services) instead of only a boolean all_success, and threads this into the returned results dict.
  • The CLI now surfaces this clearly via output.warn/output.detail right after the score, and adds a line to the "Quick take" block, e.g.:
    1 of 2 service(s) could not be scanned: db
      db: unable to find the specified image "postgres" in your local storage
    
  • No change to exit codes or scoring — this is a visibility fix only.

Test plan

  • pytest tests/test_compose_scanner.py — 6 passed (4 existing + 2 new covering failed image scan and scanner exception)
  • pytest tests/ — 159 passed, no regressions
  • Manually exercised ComposeOrchestrator + _render_scan_summary against examples/compose/docker-compose-insecure.yml with a mocked failing image scan (image not pulled locally) and confirmed the warning/detail/quick-take lines render as expected

When a per-service image scan fails during --compose scans (e.g. image
not pulled locally), the failure was only logged via logger.error,
which is invisible by default in CLI mode. The scan would otherwise
complete and report a security score as if every service had actually
been scanned.

ComposeOrchestrator.run_full_scan now tracks which services failed and
why, and threads that into the results dict. The CLI surfaces this via
output.warn/output.detail and a Quick take line, e.g.:

  1 of 2 service(s) could not be scanned: db

No change to exit codes or scoring.
@github-actions github-actions Bot added cli Changes to the CLI entry point core Changes to core scanning logic tests Changes to the test suite labels Jul 2, 2026
@codecov-commenter

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 74.50980% with 13 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@ab50baf). Learn more about missing BASE report.

Files with missing lines Patch % Lines
docksec/cli.py 30.76% 9 Missing ⚠️
docksec/compose_scanner.py 71.42% 4 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main     #133   +/-   ##
=======================================
  Coverage        ?   77.53%           
=======================================
  Files           ?       24           
  Lines           ?     3708           
  Branches        ?        0           
=======================================
  Hits            ?     2875           
  Misses          ?      833           
  Partials        ?        0           
Flag Coverage Δ
unittests 77.53% <74.50%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cli Changes to the CLI entry point core Changes to core scanning logic tests Changes to the test suite

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants