refactor: re-export scanfailure types from armoapi-go

[kooomix]

Summary

• Re-export scanfailure types from armoapi-go/scanfailure for backward compatibility
• Canonical types now live in armosec/armoapi-go/scanfailure (PR feat: add scanfailure types for scan failure reporting armosec/armoapi-go#620)
• Existing consumers of kubescape/messaging/pulsar/common/scanfailure continue to work unchanged

Context

Part of SUB-7074 (scan failure notifications). Moving API contract types to armoapi-go where they belong.

Test plan

• go build ./... passes
• Type aliases ensure full backward compatibility

Summary by CodeRabbit

• Chores

  • Updated Go toolchain to version 1.24.1
  • Upgraded core and indirect dependencies (OpenTelemetry, testify, cobra, logrus, zstd, protobuf, and others)

• Refactor

  • Replaced local scan-failure type definitions with forwarded upstream types to centralize and align representations across packages

[coderabbitai]

Warning

Rate limit exceeded

@kooomix has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 50 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cc4b8305-0cd3-4139-882d-c4d315b7d3c2

📥 Commits

Reviewing files that changed from the base of the PR and between d6af473 and 62614ce.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod
• pulsar/common/scanfailure/types.go

📝 Walkthrough

Walkthrough

Go toolchain and dependencies upgraded (Go 1.24.1); local scanfailure types replaced by type aliases to github.com/armosec/armoapi-go/scanfailure, removing local implementations and String() method.

Changes

Cohort / File(s)	Summary
Dependency Management go.mod	Go version set to 1.24.1; various direct and indirect dependencies updated (armoapi-go, testify, OpenTelemetry, zstd, logrus, cobra, pflag, and others).
Type Migration to Upstream Package pulsar/common/scanfailure/types.go	Replaced local ScanFailureCase, WorkloadIdentifier, and ScanFailureReport definitions with type aliases to github.com/armosec/armoapi-go/scanfailure. Constants now reference upstream equivalents; local String() and struct definitions removed.

Sequence Diagram(s)

(omitted — changes are dependency and type-alias updates without new multi-component control flow)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: add scan failure onFinish topic and message type #97 — Related: also migrates/uses ScanFailureReport and ScanFailureCase from an upstream scanfailure package.

Suggested reviewers

• bvolovat
• matthyx
• YakirOren

Poem

🐰
I hopped through modules, tidy and bright,
Bumped the Go, set types to flight.
Upstream now holds the scan-failure song,
Compact and tidy — hop along! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: re-exporting scanfailure types from armoapi-go as type aliases. It is concise, specific, and clearly describes the primary refactoring objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/SUB-7105-scanfailure-from-armoapi

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

pulsar/common/scanfailure/types.go (1)

3-10: Clean backward compatibility implementation using type aliases.

The use of type aliases (=) rather than type definitions ensures full interchangeability with upstream types. Existing consumers won't need any code changes.

Consider adding an import alias for clarity since both packages share the same name:

import upstream "github.com/armosec/armoapi-go/scanfailure"

This makes it explicit which scanfailure is being referenced throughout the file.

♻️ Optional: Use import alias for clarity

-import "github.com/armosec/armoapi-go/scanfailure"
+import upstream "github.com/armosec/armoapi-go/scanfailure"

 // Re-export types from armoapi-go for backward compatibility.
 // New code should import from github.com/armosec/armoapi-go/scanfailure directly.

-type ScanFailureCase = scanfailure.ScanFailureCase
-type WorkloadIdentifier = scanfailure.WorkloadIdentifier
-type ScanFailureReport = scanfailure.ScanFailureReport
+type ScanFailureCase = upstream.ScanFailureCase
+type WorkloadIdentifier = upstream.WorkloadIdentifier
+type ScanFailureReport = upstream.ScanFailureReport

 const (
-	ScanFailureCVE            = scanfailure.ScanFailureCVE
-	ScanFailureSBOMGeneration = scanfailure.ScanFailureSBOMGeneration
-	ScanFailureOOMKilled      = scanfailure.ScanFailureOOMKilled
-	ScanFailureBackendPost    = scanfailure.ScanFailureBackendPost
+	ScanFailureCVE            = upstream.ScanFailureCVE
+	ScanFailureSBOMGeneration = upstream.ScanFailureSBOMGeneration
+	ScanFailureOOMKilled      = upstream.ScanFailureOOMKilled
+	ScanFailureBackendPost    = upstream.ScanFailureBackendPost
 )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pulsar/common/scanfailure/types.go` around lines 3 - 10, The public type
aliases (ScanFailureCase, WorkloadIdentifier, ScanFailureReport) currently
import github.com/armosec/armoapi-go/scanfailure without an alias; change the
import to use an explicit alias (e.g., upstream) and update the aliases to
reference upstream.ScanFailureCase, upstream.WorkloadIdentifier, and
upstream.ScanFailureReport so it’s clear which package is being re-exported and
avoids name confusion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 3: Update the Go toolchain line in go.mod from "go 1.24.1" to a newer
1.24.x patch (e.g., 1.24.13) to pick up recent security and bug fixes; after
changing the "go 1.24.1" entry, regenerate module metadata by running the usual
Go module upkeep (e.g., go mod tidy) and verify builds/tests to ensure
compatibility with the new patch release.

In `@pulsar/common/scanfailure/types.go`:
- Around line 12-17: The code references a non-existent package `scanfailure`
and re-exports constants `ScanFailureCVE`, `ScanFailureSBOMGeneration`,
`ScanFailureOOMKilled`, and `ScanFailureBackendPost`, which causes build
failures; remove the import/usages of `scanfailure` and either define these
constants locally in types.go (e.g., string/typed constant values that match the
expected enum names) or import the correct existing package that actually
defines them; update any places that reference the re-exported symbols
(ScanFailureCVE, ScanFailureSBOMGeneration, ScanFailureOOMKilled,
ScanFailureBackendPost) to use the new local constants or the correct package
name so the code compiles.

---

Nitpick comments:
In `@pulsar/common/scanfailure/types.go`:
- Around line 3-10: The public type aliases (ScanFailureCase,
WorkloadIdentifier, ScanFailureReport) currently import
github.com/armosec/armoapi-go/scanfailure without an alias; change the import to
use an explicit alias (e.g., upstream) and update the aliases to reference
upstream.ScanFailureCase, upstream.WorkloadIdentifier, and
upstream.ScanFailureReport so it’s clear which package is being re-exported and
avoids name confusion.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 59610f2b-f1f1-4777-a966-b0e4f27ffdee

📥 Commits

Reviewing files that changed from the base of the PR and between cb4d47a and 91cb06c.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod
• pulsar/common/scanfailure/types.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if there are any Go version constraints in CI configuration files
fd -e yml -e yaml | xargs -I {} sh -c 'echo "=== {} ===" && grep -n "go-version\|golang" {} 2>/dev/null || true'

Repository: kubescape/messaging

Length of output: 1745

---

🌐 Web query:

Go 1.24.1 release date stability

💡 Result:

• Release date: Go 1.24.1 was released on March 4, 2025. [1]
• Stability: 1.24.1 is a “minor revision” (patch release)—intended to be a safe, production upgrade within the Go 1.24 line, with security fixes (notably in net/http) and bug fixes, not breaking changes. [1]
• Practical guidance (today): If you’re asking whether 1.24.1 is stable, yes—but it’s outdated; the Go team shipped many subsequent 1.24 patch releases (e.g., go1.24.13 on Feb 4, 2026). In general you should run the latest Go 1.24.x patch for the best security/stability. [1]

Sources:
[1] Go “Release History” (go1.24.1 entry and later 1.24.x entries) — go.dev.

---

Consider using a newer Go 1.24.x patch release.

Go 1.24.1 is a stable patch release with security fixes and bug fixes. However, as of March 2026, newer patch releases in the 1.24 line are available (e.g., 1.24.13 from February 2026). Consider upgrading to the latest patch release for better security coverage and stability.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, Update the Go toolchain line in go.mod from "go 1.24.1" to
a newer 1.24.x patch (e.g., 1.24.13) to pick up recent security and bug fixes;
after changing the "go 1.24.1" entry, regenerate module metadata by running the
usual Go module upkeep (e.g., go mod tidy) and verify builds/tests to ensure
compatibility with the new patch release.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for consumers of these constants in the codebase to understand usage
rg -n "ScanFailure(CVE|SBOMGeneration|OOMKilled|BackendPost)" --type go -g '!vendor/*'

Repository: kubescape/messaging

Length of output: 1745

---

🏁 Script executed:

#!/bin/bash
# First, let's read the file being reviewed to understand the imports
cat -n pulsar/common/scanfailure/types.go

Repository: kubescape/messaging

Length of output: 1837

---

🏁 Script executed:

#!/bin/bash
# Search for the import statement to confirm the upstream package
rg -n "armoapi-go|scanfailure" --type go pulsar/common/scanfailure/types.go

Repository: kubescape/messaging

Length of output: 1837

---

🏁 Script executed:

#!/bin/bash
# Check go.mod to see if armoapi-go is a dependency
cat go.mod | grep -i armoapi

Repository: kubescape/messaging

Length of output: 1837

---

🌐 Web query:

armoapi-go scanfailure package constants export

💡 Result:

In Go (including in armoapi-go), a package-level constant is exported (public) only if its identifier starts with an uppercase letter.

So if the scanfailure package has something like:

package scanfailure

const scanTimeout = "timeout"

…it will not be accessible as scanfailure.scanTimeout from another package. Rename it to start with uppercase:

package scanfailure

// ScanTimeout ...
const ScanTimeout = "timeout"

Then other packages can use it as:

import "github.com/armosec/armoapi-go/scanfailure"

_ = scanfailure.ScanTimeout

This is the same pattern used elsewhere in armoapi-go (e.g., containerscan exports constants like UnknownSeverity, CriticalSeverity, etc.). [1]

If you’re running golint, exported constants should also have a doc comment (either per-const or on the const (...) block). [2]

Sources:
[1] https://github.com/armosec/armoapi-go/blob/main/containerscan/consts.go
[2] https://stackoverflow.com/questions/37887756/exported-const-should-have-a-comment

---

🌐 Web query:

github.com armoapi-go scanfailure ScanFailureCVE

💡 Result:

I looked in armosec/armoapi-go and couldn’t find any identifier or type named ScanFailureCVE (or ScanFailure / scanfailure) in the public source I was able to access.

What is in the repo (relevant to CVEs / scan results):

• The repo exists at armosec/armoapi-go; its latest GitHub release is v0.0.688 (Mar 12, 2026). [1]
• The containerscan package defines scan-result and vulnerability data structures such as Vulnerability (with fields like Name, Severity, Fixes, etc.) and ScanResultReport, but no ScanFailure* types/fields. [2] [3]
• There is an errors-oriented stub type: CommonContainerScanSummaryResultStub includes ErrorsList []string. [2]

If you meant a scan-failure concept in ARMO/Kubescape, it may live in a different repository (e.g., armosec/kubescape) or under a different name than ScanFailureCVE.

Sources: GitHub repo landing/release info [1], raw Go source for containerscan structs [2] [3].

[1] (github.com)
[2] (raw.githubusercontent.com)
[3] (raw.githubusercontent.com)

Citations:

• 1: https://github.com/armosec/armoapi-go
• 2: https://raw.githubusercontent.com/armosec/armoapi-go/main/containerscan/commondatastructures.go
• 3: https://raw.githubusercontent.com/armosec/armoapi-go/main/containerscan/rawdatastrucutres.go

---

🌐 Web query:

site:github.com/armosec/armoapi-go scanfailure

💡 Result:

GitHub code search shows no matches for scanfailure in armosec/armoapi-go (0 files). [1]
Likewise, searching for ScanFailure (and scanFailure) in the same repo also returns 0 files. [2]

Sources: [1] [2]

---

Remove the non-existent imports from armoapi-go/scanfailure.

The scanfailure package does not exist in armosec/armoapi-go. GitHub code search shows zero matches for both scanfailure and ScanFailure* across the entire repo. This code will fail to compile because armoapi-go/scanfailure cannot be imported and the constants ScanFailureCVE, ScanFailureSBOMGeneration, ScanFailureOOMKilled, and ScanFailureBackendPost do not exist there.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pulsar/common/scanfailure/types.go` around lines 12 - 17, The code references
a non-existent package `scanfailure` and re-exports constants `ScanFailureCVE`,
`ScanFailureSBOMGeneration`, `ScanFailureOOMKilled`, and
`ScanFailureBackendPost`, which causes build failures; remove the import/usages
of `scanfailure` and either define these constants locally in types.go (e.g.,
string/typed constant values that match the expected enum names) or import the
correct existing package that actually defines them; update any places that
reference the re-exported symbols (ScanFailureCVE, ScanFailureSBOMGeneration,
ScanFailureOOMKilled, ScanFailureBackendPost) to use the new local constants or
the correct package name so the code compiles.

[github-actions]

Summary:

• License scan: failure
• Credentials scan: skipped
• Vulnerabilities scan: skipped
• Unit test: success
• Go linting: success

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pulsar/common/scanfailure/types.go`:
- Line 13: The build fails because ScanFailureUnknown re-export refers to
scanfailure.ScanFailureUnknown which doesn't exist in the pinned armoapi-go;
either update the dependency to a version that exports
scanfailure.ScanFailureUnknown, or add a local backward-compatible fallback in
this package: detect the missing symbol and define a local ScanFailureUnknown
constant equal to the zero value of the scanfailure enum (use the same type as
other re-exports), e.g., mirror how other constants are re-exported in this file
but assign the zero value when scanfailure.ScanFailureUnknown is absent so the
package builds on older armoapi-go versions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 58e61677-df99-4d46-9220-ddab6b9adb1f

📥 Commits

Reviewing files that changed from the base of the PR and between 91cb06c and d6af473.

📒 Files selected for processing (1)

• pulsar/common/scanfailure/types.go

[github-actions]

Summary:

• License scan: failure
• Credentials scan: skipped
• Vulnerabilities scan: skipped
• Unit test: success
• Go linting: success

[github-actions]

Summary:

• License scan: failure
• Credentials scan: skipped
• Vulnerabilities scan: skipped
• Unit test: success
• Go linting: success

[github-actions]

Summary:

• License scan: failure
• Credentials scan: skipped
• Vulnerabilities scan: skipped
• Unit test: success
• Go linting: success

[kooomix]

Superseded — moving to a two-struct approach: armoapi-go owns the flat wire format, messaging owns the notification struct with workload lists.