feat: add scan failure onFinish topic and message type

[kooomix]

Summary

• Add ScanFailureOnFinishPulsarTopic constant (scan-failure-finished-v1) for the scan failure onFinish fan-out
• Add ScanFailureOnFinishedMessage struct in systemhealth package, embedding scanfailure.ScanFailureReport with rate-limit metadata fields

Part of SUB-7106 (Scan Failure Ingester fan-out pipeline).

Dependencies

• Requires armosec-infra with scanfailure package (from SUB-7113 B.1)

Test plan

• go build ./... passes after armosec-infra dependency is pinned
• Downstream event-ingester-service compiles against this

Summary by CodeRabbit

• New Features
  • Enhanced scan-failure notifications with detailed workload impact (cluster, namespace, workload type/name) and richer per-image failure reports.
  • Added a finished-scan notification channel for end-of-scan events.
  • Included on-finish summary metadata (send time, rate-limit summary flag, daily counts/limits) in finished-scan messages.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds new scan-failure domain types and a Pulsar topic constant: a detailed ScanFailureReport and related enums/structs, an enriched ScanFailureOnFinishedMessage with on-finish metadata, and a new topic name for finished scan-failure messages.

Changes

Cohort / File(s)	Summary
Scan-failure domain types pulsar/common/scanfailure/types.go	Adds ScanFailureCase enum, WorkloadIdentifier, and ScanFailureReport types with JSON/BSON tags and a String() method for the enum.
On-finish message metadata pulsar/common/systemhealth/datastructures.go	Adds ScanFailureOnFinishedMessage embedding scanfailure.ScanFailureReport and adding SendTime, IsRateLimitSummary, DailyCount, and DailyLimit fields.
Pulsar topic pulsar/common/topics.go	Adds public constant ScanFailureOnFinishPulsarTopic = "scan-failure-finished-v1".
Module / manifest go.mod, manifest_file	Small dependency/manifest updates referenced by the change set.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• YakirOren
• benm-armo

Poem

🐰 I hopped through structs and name,
Added cases for the scan-fail game,
Reports now carry finish time,
A Pulsar topic sounds the chime,
Hooray — a carrot-shaped new frame! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a scan failure onFinish topic and message type, which matches the core additions across all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/scan-failure-ingester

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pulsar/common/systemhealth/datastructures.go`:
- Line 7: The import github.com/armosec/armosec-infra/scanfailure is referenced
in datastructures.go but the module is not declared in go.mod; add the
dependency to go.mod (for example by running a go command to add the module or
adding a require line for github.com/armosec/armosec-infra at an appropriate
version) so the package scanfailure can be resolved and the build succeeds.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d6e86f87-6254-424c-8f6e-a43c88f9b1b5

📥 Commits

Reviewing files that changed from the base of the PR and between c5075cd and 9547665.

📒 Files selected for processing (2)

• pulsar/common/systemhealth/datastructures.go
• pulsar/common/topics.go

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

pulsar/common/systemhealth/datastructures.go (1)

7-7: ⚠️ Potential issue | 🔴 Critical

Build still failing: repository access issue for armosec-infra.

The dependency is now declared in go.mod (line 8: v0.0.479), which addresses the original "no required module" error. However, CI is still failing with a different error: git ls-remote -q origin ... exit status 128. This typically indicates the repository is private and CI lacks credentials, or the specified version tag doesn't exist.

Ensure:

1. The armosec-infra repository grants access to the CI runner (via SSH keys or GOPRIVATE/GONOPROXY settings).
2. Version v0.0.479 exists and is tagged in the upstream repository.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pulsar/common/systemhealth/datastructures.go` at line 7, CI cannot fetch the
dependency github.com/armosec/armosec-infra (imported as scanfailure) at version
v0.0.479; ensure the CI runner has access to that repository or change the
dependency to a public/accessible tag: either grant CI repo access (SSH keys or
token), set GOPRIVATE/GONOPROXY appropriately so go can fetch private modules,
or update go.mod to a valid existing tag/version for armosec-infra if v0.0.479
doesn't exist.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 8: The go.mod entry for github.com/armosec/armosec-infra is failing
because the upstream repo is missing; inspect usages in
pulsar/common/systemhealth/datastructures.go to identify which types/functions
are imported from that module, then determine whether the upstream was moved or
renamed (search GitHub/organization, check go.sum commit hashes, or check
project docs/PRs). If the module was moved, update the import path in go.mod and
the imports in datastructures.go to the new module path and run go
get/<module>@<version> and go mod tidy; if it no longer exists or was internal,
replace the dependency by copying the required types into an internal package or
point go.mod to an alternative fork/local replace directive (using replace
github.com/armosec/armosec-infra => ../local/path or a maintained fork URL) and
update imports accordingly so the build succeeds.

---

Duplicate comments:
In `@pulsar/common/systemhealth/datastructures.go`:
- Line 7: CI cannot fetch the dependency github.com/armosec/armosec-infra
(imported as scanfailure) at version v0.0.479; ensure the CI runner has access
to that repository or change the dependency to a public/accessible tag: either
grant CI repo access (SSH keys or token), set GOPRIVATE/GONOPROXY appropriately
so go can fetch private modules, or update go.mod to a valid existing
tag/version for armosec-infra if v0.0.479 doesn't exist.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1539bd1f-7e7c-4102-8ec7-c080ed09b9b9

📥 Commits

Reviewing files that changed from the base of the PR and between 9547665 and ff6a943.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• go.mod
• pulsar/common/systemhealth/datastructures.go
• pulsar/common/topics.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pulsar/common/topics.go

[github-actions]

Summary:

• License scan: failure
• Credentials scan: skipped
• Vulnerabilities scan: skipped
• Unit test: success
• Go linting: success

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pulsar/common/systemhealth/datastructures.go`:
- Around line 49-58: The FailureCase field on ScanFailureOnFinishedMessage is an
untyped int mirroring armosec-infra; define a local typed enum (e.g., type
ScanFailureCase int) and a set of constants (e.g., const (ScanFailureCaseUnknown
ScanFailureCase = iota; ScanFailureCaseX ...)) to represent the valid cases,
change ScanFailureOnFinishedMessage.FailureCase from int to that new
ScanFailureCase type, and add conversion helpers at integration boundaries
(marshal/unmarshal or explicit ConvertToInfraCase/ConvertFromInfraCase
functions) so external integration still maps to the private repo values without
exposing raw ints in this public module.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b9d2d3d5-433c-4aa8-a39c-b120ff903ce3

📥 Commits

Reviewing files that changed from the base of the PR and between ff6a943 and 6962b0e.

📒 Files selected for processing (2)

• pulsar/common/systemhealth/datastructures.go
• pulsar/common/topics.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pulsar/common/topics.go

[github-actions]

Summary:

• License scan: failure
• Credentials scan: skipped
• Vulnerabilities scan: skipped
• Unit test: success
• Go linting: success

[coderabbitai]

🧹 Nitpick comments (1)

pulsar/common/systemhealth/datastructures.go (1)

42-50: Consider documenting the embedding vs explicit-fields pattern choice.

The struct uses embedding for ScanFailureReport which differs from the established pattern in SecurityRisksIngesterOnFinishedMessage (which uses explicit fields). Both approaches are valid—embedding is more DRY and automatically inherits new fields from ScanFailureReport. However, embedding means JSON field names are controlled by the embedded struct's tags, which could be a consideration for API contracts.

If intentional, this is fine. Just noting the pattern difference for awareness.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pulsar/common/systemhealth/datastructures.go` around lines 42 - 50, The
struct ScanFailureOnFinishedMessage currently embeds
scanfailure.ScanFailureReport which differs from the explicit-field pattern used
in SecurityRisksIngesterOnFinishedMessage; update the comment above
ScanFailureOnFinishedMessage to document that embedding is intentional, note
that JSON field names are inherited from scanfailure.ScanFailureReport (and thus
part of the API contract), and mention tradeoffs (DRY vs explicit control) so
future maintainers know why embedding was chosen and to be cautious about
changing fields in scanfailure.ScanFailureReport.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pulsar/common/systemhealth/datastructures.go`:
- Around line 42-50: The struct ScanFailureOnFinishedMessage currently embeds
scanfailure.ScanFailureReport which differs from the explicit-field pattern used
in SecurityRisksIngesterOnFinishedMessage; update the comment above
ScanFailureOnFinishedMessage to document that embedding is intentional, note
that JSON field names are inherited from scanfailure.ScanFailureReport (and thus
part of the API contract), and mention tradeoffs (DRY vs explicit control) so
future maintainers know why embedding was chosen and to be cautious about
changing fields in scanfailure.ScanFailureReport.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a55069de-1bdc-49b6-b781-4e393adb3dca

📥 Commits

Reviewing files that changed from the base of the PR and between 6962b0e and ef7f4ec.

📒 Files selected for processing (3)

• pulsar/common/scanfailure/types.go
• pulsar/common/systemhealth/datastructures.go
• pulsar/common/topics.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pulsar/common/topics.go

[github-actions]

Summary:

• License scan: failure
• Credentials scan: skipped
• Vulnerabilities scan: skipped
• Unit test: success
• Go linting: success