From 89f0a003a83de9067c7b6a4f0a4999844bb9bfe0 Mon Sep 17 00:00:00 2001
From: Ranga Ngwerume <ranga.ngwerume@codacy.com>
Date: Wed, 22 Apr 2026 11:10:04 +0200
Subject: [PATCH 1/3] container scans

---
 .codacy-cli.sh                              | 149 ++++++++++++++++++++
 .github/workflows/codacy-container-scan.yml |  42 ++++++
 CODACY_CONTAINER_SCANNING.md                | 135 ++++++++++++++++++
 Dockerfile                                  |   7 +
 requirements.txt                            |   2 +-
 test-container-scan-local.sh                |  66 +++++++++
 6 files changed, 400 insertions(+), 1 deletion(-)
 create mode 100644 .codacy-cli.sh
 create mode 100644 .github/workflows/codacy-container-scan.yml
 create mode 100644 CODACY_CONTAINER_SCANNING.md
 create mode 100644 Dockerfile
 create mode 100755 test-container-scan-local.sh

diff --git a/.codacy-cli.sh b/.codacy-cli.sh
new file mode 100644
index 0000000..7057e3b
--- /dev/null
+++ b/.codacy-cli.sh
@@ -0,0 +1,149 @@
+#!/usr/bin/env bash
+
+
+set -e +o pipefail
+
+# Set up paths first
+bin_name="codacy-cli-v2"
+
+# Determine OS-specific paths
+os_name=$(uname)
+arch=$(uname -m)
+
+case "$arch" in
+"x86_64")
+  arch="amd64"
+  ;;
+"x86")
+  arch="386"
+  ;;
+"aarch64"|"arm64")
+  arch="arm64"
+  ;;
+esac
+
+if [ -z "$CODACY_CLI_V2_TMP_FOLDER" ]; then
+    if [ "$(uname)" = "Linux" ]; then
+        CODACY_CLI_V2_TMP_FOLDER="$HOME/.cache/codacy/codacy-cli-v2"
+    elif [ "$(uname)" = "Darwin" ]; then
+        CODACY_CLI_V2_TMP_FOLDER="$HOME/Library/Caches/Codacy/codacy-cli-v2"
+    else
+        CODACY_CLI_V2_TMP_FOLDER=".codacy-cli-v2"
+    fi
+fi
+
+version_file="$CODACY_CLI_V2_TMP_FOLDER/version.yaml"
+
+
+get_version_from_yaml() {
+    if [ -f "$version_file" ]; then
+        local version=$(grep -o 'version: *"[^"]*"' "$version_file" | cut -d'"' -f2)
+        if [ -n "$version" ]; then
+            echo "$version"
+            return 0
+        fi
+    fi
+    return 1
+}
+
+get_latest_version() {
+    local response
+    if [ -n "$GH_TOKEN" ]; then
+        response=$(curl -Lq --header "Authorization: Bearer $GH_TOKEN" "https://api.github.com/repos/codacy/codacy-cli-v2/releases/latest" 2>/dev/null)
+    else
+        response=$(curl -Lq "https://api.github.com/repos/codacy/codacy-cli-v2/releases/latest" 2>/dev/null)
+    fi
+
+    handle_rate_limit "$response"
+    local version=$(echo "$response" | grep -m 1 tag_name | cut -d'"' -f4)
+    echo "$version"
+}
+
+handle_rate_limit() {
+    local response="$1"
+    if echo "$response" | grep -q "API rate limit exceeded"; then
+          fatal "Error: GitHub API rate limit exceeded. Please try again later"
+    fi
+}
+
+download_file() {
+    local url="$1"
+
+    echo "Downloading from URL: ${url}"
+    if command -v curl > /dev/null 2>&1; then
+        curl -# -LS "$url" -O
+    elif command -v wget > /dev/null 2>&1; then
+        wget "$url"
+    else
+        fatal "Error: Could not find curl or wget, please install one."
+    fi
+}
+
+download() {
+    local url="$1"
+    local output_folder="$2"
+
+    ( cd "$output_folder" && download_file "$url" )
+}
+
+download_cli() {
+    # OS name lower case
+    suffix=$(echo "$os_name" | tr '[:upper:]' '[:lower:]')
+
+    local bin_folder="$1"
+    local bin_path="$2"
+    local version="$3"
+
+    if [ ! -f "$bin_path" ]; then
+        echo "📥 Downloading CLI version $version..."
+
+        remote_file="codacy-cli-v2_${version}_${suffix}_${arch}.tar.gz"
+        url="https://github.com/codacy/codacy-cli-v2/releases/download/${version}/${remote_file}"
+
+        download "$url" "$bin_folder"
+        tar xzfv "${bin_folder}/${remote_file}" -C "${bin_folder}"
+    fi
+}
+
+# Warn if CODACY_CLI_V2_VERSION is set and update is requested
+if [ -n "$CODACY_CLI_V2_VERSION" ] && [ "$1" = "update" ]; then
+    echo "⚠️  Warning: Performing update with forced version $CODACY_CLI_V2_VERSION"
+    echo "    Unset CODACY_CLI_V2_VERSION to use the latest version"
+fi
+
+# Ensure version.yaml exists and is up to date
+if [ ! -f "$version_file" ] || [ "$1" = "update" ]; then
+    echo "ℹ️  Fetching latest version..."
+    version=$(get_latest_version)
+    mkdir -p "$CODACY_CLI_V2_TMP_FOLDER"
+    echo "version: \"$version\"" > "$version_file"
+fi
+
+# Set the version to use
+if [ -n "$CODACY_CLI_V2_VERSION" ]; then
+    version="$CODACY_CLI_V2_VERSION"
+else
+    version=$(get_version_from_yaml)
+fi
+
+
+# Set up version-specific paths
+bin_folder="${CODACY_CLI_V2_TMP_FOLDER}/${version}"
+
+mkdir -p "$bin_folder"
+bin_path="$bin_folder"/"$bin_name"
+
+# Download the tool if not already installed
+download_cli "$bin_folder" "$bin_path" "$version"
+chmod +x "$bin_path"
+
+run_command="$bin_path"
+if [ -z "$run_command" ]; then
+    fatal "Codacy cli v2 binary could not be found."
+fi
+
+if [ "$#" -eq 1 ] && [ "$1" = "download" ]; then
+    echo "Codacy cli v2 download succeeded"
+else
+    eval "$run_command $*"
+fi
\ No newline at end of file
diff --git a/.github/workflows/codacy-container-scan.yml b/.github/workflows/codacy-container-scan.yml
new file mode 100644
index 0000000..82e778a
--- /dev/null
+++ b/.github/workflows/codacy-container-scan.yml
@@ -0,0 +1,42 @@
+name: Codacy Container Scanning
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+  schedule:
+    # Run daily at 2 AM UTC
+    - cron: '0 2 * * *'
+
+jobs:
+  codacy-container-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: |
+          docker build -t engine-helper:${{ github.sha }} .
+          docker tag engine-helper:${{ github.sha }} engine-helper:latest
+
+      - name: Download Codacy CLI v2
+        run: |
+          curl -Ls https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh -o codacy-cli.sh
+          bash codacy-cli.sh download
+
+      - name: Generate and upload SBOM to Codacy
+        env:
+          CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
+        run: |
+          bash codacy-cli.sh upload-sbom \
+            -a "${CODACY_API_TOKEN}" \
+            -p gh \
+            -o codacy-acme \
+            -r engine-helper \
+            engine-helper:${{ github.sha }}
diff --git a/CODACY_CONTAINER_SCANNING.md b/CODACY_CONTAINER_SCANNING.md
new file mode 100644
index 0000000..30d6955
--- /dev/null
+++ b/CODACY_CONTAINER_SCANNING.md
@@ -0,0 +1,135 @@
+# Codacy Container Scanning Setup
+
+This repository now includes Codacy container scanning capabilities for security analysis of Docker images.
+
+## Files Added
+
+1. **Dockerfile** - Multi-stage Python build configuration for the engine-helper application
+2. **.github/workflows/codacy-container-scan.yml** - GitHub Actions workflow for automated container scanning
+3. **test-container-scan-local.sh** - Local testing script to verify container scanning before pushing
+
+## Prerequisites
+
+- Docker installed locally
+- Codacy CLI token (from https://app.codacy.com/account/settings/tokens)
+- The engine-helper repository must be set up in Codacy
+
+## Local Testing
+
+### Step 1: Set Your Codacy Token
+
+```bash
+export CODACY_CLI_TOKEN=your_token_here
+```
+
+### Step 2: Run the Local Test Script
+
+```bash
+./test-container-scan-local.sh
+```
+
+This script will:
+1. Verify Docker is installed
+2. Build the Docker image
+3. Run Codacy container scanning (if token is set)
+4. Display next steps
+
+### Example Output
+
+```
+==========================================
+Codacy Container Scanning - Local Test
+==========================================
+
+Step 1: Building Docker image...
+✓ Docker image built: engine-helper:local-test
+
+Step 2: Running Codacy container scan...
+...
+```
+
+## GitHub Actions Workflow
+
+The workflow (`codacy-container-scan.yml`) is configured to:
+
+- **Triggers**: 
+  - Push to `main` and `develop` branches
+  - Pull requests to `main` and `develop` branches
+  - Daily scheduled run at 2 AM UTC
+
+- **Actions**:
+  1. Checkout code
+  2. Build Docker image
+  3. Run Codacy container security scan via SBOM
+  4. Upload scan artifacts (if available)
+
+## GitHub Secret Configuration
+
+Before the workflow runs on GitHub, you need to add your Codacy CLI token as a secret:
+
+1. Go to your repository settings
+2. Navigate to **Secrets and variables** → **Actions**
+3. Click **New repository secret**
+4. Name: `CODACY_CLI_TOKEN`
+5. Value: Your Codacy API token from https://app.codacy.com/account/settings/tokens
+6. Click **Add secret**
+
+## Monitoring Results
+
+After deployment:
+
+1. GitHub: Check workflow runs in **Actions** tab
+2. Codacy Dashboard: https://app.codacy.com
+3. Security Issues: Check the **Security** tab for container scan results
+
+## Troubleshooting
+
+### Local Test Issues
+
+**Docker not found:**
+```bash
+# Install Docker from https://www.docker.com/products/docker-desktop
+```
+
+**Token not set:**
+```bash
+# Verify your token is exported
+echo $CODACY_CLI_TOKEN
+
+# If empty, export it again
+export CODACY_CLI_TOKEN=your_token_here
+```
+
+### GitHub Actions Issues
+
+**Secret not found:**
+- Verify the secret is added to the repository (check **Settings** → **Secrets**)
+- Secrets are not inherited from organization settings
+
+**Scan fails with authentication error:**
+- Verify the token is correct and not expired
+- Check token permissions in Codacy
+
+**Image build fails:**
+- Check Docker build output
+- Verify all dependencies in `requirements.txt` are installable
+
+## Next Steps
+
+1. ✅ Local testing: Run `./test-container-scan-local.sh`
+2. Verify Docker image builds successfully
+3. Commit changes to git:
+   ```bash
+   git add Dockerfile .github/workflows/codacy-container-scan.yml test-container-scan-local.sh
+   git commit -m "Add Codacy container scanning"
+   git push origin main
+   ```
+4. Add the `CODACY_CLI_TOKEN` secret to GitHub repository settings
+5. Push a change to trigger the workflow or check **Actions** tab for scheduled runs
+
+## Additional Resources
+
+- [Codacy CLI Documentation](https://docs.codacy.com/codacy-cli/overview/)
+- [Container Scanning Guide](https://docs.codacy.com/codacy-cli/container-scanning/)
+- [SBOM Uploads](https://docs.codacy.com/codacy-cli/sbom-uploads/)
+- [GitHub Actions Documentation](https://docs.github.com/en/actions)
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..e47f4f7
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,7 @@
+FROM python:3.8
+
+WORKDIR /app
+
+COPY main.py .
+
+CMD ["python", "main.py"]
diff --git a/requirements.txt b/requirements.txt
index 7414d19..dfa3b0a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -13,7 +13,7 @@ idna==3.2
 kiwisolver==1.3.2
 lxml==4.7.1
 matplotlib==3.5.1
-numpy==1.21.4
+numpy==1.26.4
 packaging==21.3
 Pillow==8.4.0
 pycodestyle==2.7.0
diff --git a/test-container-scan-local.sh b/test-container-scan-local.sh
new file mode 100755
index 0000000..b399556
--- /dev/null
+++ b/test-container-scan-local.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+# Local Codacy Container Scanning Test Script
+# Uses Codacy CLI v2: https://github.com/codacy/codacy-cli-v2
+
+set -e
+
+echo "=========================================="
+echo "Codacy Container Scanning - Local Test"
+echo "=========================================="
+echo ""
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CODACY_CLI_SCRIPT="${SCRIPT_DIR}/.codacy-cli.sh"
+
+# Check if Docker is installed
+if ! command -v docker &> /dev/null; then
+    echo "ERROR: Docker is not installed. Please install Docker and try again."
+    exit 1
+fi
+
+# Download Codacy CLI v2 wrapper script if not already present
+if [ ! -f "${CODACY_CLI_SCRIPT}" ]; then
+    echo "Downloading Codacy CLI v2..."
+    curl -Ls https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh -o "${CODACY_CLI_SCRIPT}"
+    bash "${CODACY_CLI_SCRIPT}" download
+    echo "✓ Codacy CLI v2 ready"
+    echo ""
+fi
+
+# Build the Docker image
+echo "Step 1: Building Docker image..."
+IMAGE_TAG="engine-helper:local-test"
+docker build -t "${IMAGE_TAG}" .
+echo "✓ Docker image built: ${IMAGE_TAG}"
+echo ""
+
+if [ -z "$CODACY_API_TOKEN" ]; then
+    echo "Step 2: Running local container scan (no upload)..."
+    echo "To also upload results to Codacy, set CODACY_API_TOKEN and re-run."
+    echo ""
+    bash "${CODACY_CLI_SCRIPT}" container-scan "${IMAGE_TAG}"
+else
+    echo "Step 2: Generating SBOM and uploading to Codacy..."
+    echo ""
+    bash "${CODACY_CLI_SCRIPT}" upload-sbom \
+        -a "${CODACY_API_TOKEN}" \
+        -p gh \
+        -o codacy-acme \
+        -r engine-helper \
+        "${IMAGE_TAG}"
+fi
+
+echo ""
+echo "=========================================="
+echo "Local test completed!"
+echo "=========================================="
+echo ""
+echo "Next steps:"
+echo "1. Review any vulnerabilities reported above"
+echo "2. Check Codacy dashboard at: https://app.codacy.com"
+echo "3. Once verified, commit and push to GitHub:"
+echo "   - git add Dockerfile .github/workflows/codacy-container-scan.yml"
+echo "   - git commit -m 'Add Codacy container scanning workflow'"
+echo "   - git push origin container-scan"
+echo ""

From 580a09b35207a119af84c86b5e20b2fc40b9d3d9 Mon Sep 17 00:00:00 2001
From: Ranga Ngwerume <ranga.ngwerume@codacy.com>
Date: Wed, 22 Apr 2026 11:15:41 +0200
Subject: [PATCH 2/3] Add init

---
 .github/workflows/codacy-container-scan.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/codacy-container-scan.yml b/.github/workflows/codacy-container-scan.yml
index 82e778a..edbcd16 100644
--- a/.github/workflows/codacy-container-scan.yml
+++ b/.github/workflows/codacy-container-scan.yml
@@ -30,6 +30,16 @@ jobs:
           curl -Ls https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh -o codacy-cli.sh
           bash codacy-cli.sh download
 
+      - name: Initialize Codacy CLI v2
+        env:
+          CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
+        run: |
+          bash codacy-cli.sh init \
+            -a "${CODACY_API_TOKEN}" \
+            -p gh \
+            -o codacy-acme \
+            -r engine-helper
+
       - name: Generate and upload SBOM to Codacy
         env:
           CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}

From 3120e8d95df10f658e5377acc1669a3d30cd70bf Mon Sep 17 00:00:00 2001
From: Ranga Ngwerume <ranga.ngwerume@codacy.com>
Date: Wed, 22 Apr 2026 11:17:41 +0200
Subject: [PATCH 3/3] resolved -a

---
 .github/workflows/codacy-container-scan.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/codacy-container-scan.yml b/.github/workflows/codacy-container-scan.yml
index edbcd16..2a31564 100644
--- a/.github/workflows/codacy-container-scan.yml
+++ b/.github/workflows/codacy-container-scan.yml
@@ -35,18 +35,18 @@ jobs:
           CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
         run: |
           bash codacy-cli.sh init \
-            -a "${CODACY_API_TOKEN}" \
-            -p gh \
-            -o codacy-acme \
-            -r engine-helper
+            --api-token "${CODACY_API_TOKEN}" \
+            --provider gh \
+            --organization codacy-acme \
+            --repository engine-helper
 
       - name: Generate and upload SBOM to Codacy
         env:
           CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}
         run: |
           bash codacy-cli.sh upload-sbom \
-            -a "${CODACY_API_TOKEN}" \
-            -p gh \
-            -o codacy-acme \
-            -r engine-helper \
+            --api-token "${CODACY_API_TOKEN}" \
+            --provider gh \
+            --organization codacy-acme \
+            --repository engine-helper \
             engine-helper:${{ github.sha }}