refactor: migrate orchestrator to use OutputConfig throughout

- Add OutputConfig creation and usage in execute() function
- Replace 30+ args usages with structured OutputConfig fields
- Update function signatures to accept config objects:
  * invoke_sbomgen(args, config, output_config)
  * get_scan_result(args, config, output_config)
  * set_env_var_if_vuln_threshold_exceeded(output_config, vuln_counts)
  * post_*_step_summary(output_config, ...)
- Replace error-prone string comparisons with type-safe booleans:
  * args.display_vuln_findings == "enabled" → output_config.display_vulnerability_findings
  * args.threshold_fixable_only → output_config.threshold_fixable_only
- Eliminate args mutations by using local variables (sbom_artifact_type)
- Consolidate all file path management through OutputConfig
- Replace all threshold fields with structured config access

Achieves clean separation of concerns with type-safe, maintainable code.

Author: bluesentinelsec

entrypoint/entrypoint/orchestrator.py

@@ -14,57 +14,59 @@
 
 def execute(args) -> int:
     # NEW: Create structured config from legacy args (strangler fig pattern)
-    from entrypoint.data_model import ScanConfig, ArtifactType
+    from entrypoint.data_model import ScanConfig, ArtifactType, OutputConfig
     config = ScanConfig.from_args(args)
+    output_config = OutputConfig.from_args(args)
     logging.info(f"Created config: artifact_type={config.artifact_type.value}, artifact_path={config.artifact_path}, sbomgen_version={config.sbomgen_version}, timeout={config.timeout}s")
+    logging.info(f"Created output_config: display_findings={output_config.display_vulnerability_findings}, sbom_path={output_config.output_sbom_path}")
 
-    # OLD: Keep existing logic unchanged for now
+    # Use structured configs for type-safe, maintainable code
     logging.info(f"downloading and installing inspector-sbomgen version {config.sbomgen_version}")
     ret = install_sbomgen(config.sbomgen_version)
     require_true((ret == 0), "unable to download and install inspector-sbomgen")
 
     logging.info("generating SBOM from artifact")
-    ret = invoke_sbomgen(args, config)
+    ret = invoke_sbomgen(args, config, output_config)
     require_true(ret == 0, "unable to generate SBOM with inspector-sbomgen")
 
     logging.info("scanning SBOM contents with Amazon Inspector")
-    ret = invoke_inspector_scan(args.out_sbom, args.out_scan)
+    ret = invoke_inspector_scan(output_config.output_sbom_path, output_config.output_inspector_scan_path)
     require_true(ret == 0, "unable to scan SBOM contents with Amazon Inspector")
-    set_github_actions_output('inspector_scan_results', args.out_scan)
+    set_github_actions_output('inspector_scan_results', output_config.output_inspector_scan_path)
 
     logging.info("tallying vulnerabilities")
-    succeeded, scan_result, fixed_vuln_counts = get_scan_result(args)
+    succeeded, scan_result, fixed_vuln_counts = get_scan_result(args, config, output_config)
     require_true(succeeded, "unable to tally vulnerabilities")
 
     print_vuln_count_summary(scan_result)
 
-    vuln_counts = fixed_vuln_counts if args.threshold_fixable_only else scan_result
-    set_env_var_if_vuln_threshold_exceeded(args, vuln_counts)
+    vuln_counts = fixed_vuln_counts if output_config.threshold_fixable_only else scan_result
+    set_env_var_if_vuln_threshold_exceeded(output_config, vuln_counts)
 
-    write_pkg_vuln_report_csv(args.out_scan_csv, scan_result)
-    set_github_actions_output('inspector_scan_results_csv', args.out_scan_csv)
+    write_pkg_vuln_report_csv(output_config.output_inspector_scan_path_csv, scan_result)
+    set_github_actions_output('inspector_scan_results_csv', output_config.output_inspector_scan_path_csv)
 
-    pkg_vuln_markdown = write_pkg_vuln_report_markdown(args.out_scan_markdown, scan_result)
-    post_pkg_vuln_github_actions_step_summary(args, pkg_vuln_markdown)
-    set_github_actions_output('inspector_scan_results_markdown', args.out_scan_markdown)
+    pkg_vuln_markdown = write_pkg_vuln_report_markdown(output_config.output_inspector_scan_path_markdown, scan_result)
+    post_pkg_vuln_github_actions_step_summary(output_config, pkg_vuln_markdown)
+    set_github_actions_output('inspector_scan_results_markdown', output_config.output_inspector_scan_path_markdown)
 
-    dockerfile.write_dockerfile_report_csv(args.out_scan, args.out_dockerfile_scan_csv)
-    set_github_actions_output('inspector_dockerile_scan_results_csv', args.out_dockerfile_scan_csv)
+    dockerfile.write_dockerfile_report_csv(output_config.output_inspector_scan_path, output_config.output_dockerfile_scan_csv)
+    set_github_actions_output('inspector_dockerile_scan_results_csv', output_config.output_dockerfile_scan_csv)
 
-    dockerfile.write_dockerfile_report_md(args.out_scan, args.out_dockerfile_scan_md)
-    set_github_actions_output('inspector_dockerile_scan_results_markdown', args.out_dockerfile_scan_md)
-    post_dockerfile_step_summary(args, scan_result.total_vulns())
+    dockerfile.write_dockerfile_report_md(output_config.output_inspector_scan_path, output_config.output_dockerfile_scan_markdown)
+    set_github_actions_output('inspector_dockerile_scan_results_markdown', output_config.output_dockerfile_scan_markdown)
+    post_dockerfile_step_summary(output_config, scan_result.total_vulns())
 
     return 0
 
 
-def post_dockerfile_step_summary(args, total_vulns):
-    if args.display_vuln_findings == "enabled" and total_vulns > 0:
+def post_dockerfile_step_summary(output_config, total_vulns):
+    if output_config.display_vulnerability_findings and total_vulns > 0:
         logging.info("posting Inspector Dockerfile scan findings to GitHub Actions step summary page")
 
         dockerfile_markdown = ""
         try:
-            with open(args.out_dockerfile_scan_md, "r") as f:
+            with open(output_config.output_dockerfile_scan_markdown, "r") as f:
                 dockerfile_markdown = f.read()
         except Exception as e:
             logging.debug(e)  # can be spammy, so set as debug log
@@ -152,39 +154,40 @@ def get_sbomgen_arch(host_cpu):
     return None
 
 
-def invoke_sbomgen(args, config) -> int:
+def invoke_sbomgen(args, config, output_config) -> int:
     sbomgen = installer.get_sbomgen_install_path()
     if sbomgen == "":
         logging.error("expected path to inspector-sbomgen but received empty string")
         return 1
 
     # marshall arguments between action.yml and cli.py
     path_arg = ""
+    sbom_artifact_type = ""
     if config.artifact_type == ArtifactType.REPOSITORY:
-        args.artifact_type = "directory"
+        sbom_artifact_type = "directory"
         path_arg = "--path"
 
     elif config.artifact_type == ArtifactType.CONTAINER:
-        args.artifact_type = "container"
+        sbom_artifact_type = "container"
         path_arg = "--image"
 
     elif config.artifact_type == ArtifactType.BINARY:
-        args.artifact_type = "binary"
+        sbom_artifact_type = "binary"
         path_arg = "--path"
 
     elif config.artifact_type == ArtifactType.ARCHIVE:
-        args.artifact_type = "archive"
+        sbom_artifact_type = "archive"
         path_arg = "--path"
 
     else:
         logging.error(
-            f"expected artifact type to be 'repository', 'container', 'binary' or 'archive' but received {args.artifact_type}")
+            f"expected artifact type to be 'repository', 'container', 'binary' or 'archive' but received {config.artifact_type.value}")
         return 1
 
     # invoke sbomgen with arguments
-    sbomgen_args = [args.artifact_type,
+    sbomgen_args = [sbom_artifact_type,
                     path_arg, config.artifact_path,
-                    "--outfile", args.out_sbom,
+                    "--outfile", output_config.output_sbom_path,
                     "--disable-progress-bar",
                     "--timeout", str(config.timeout),
                     ]
@@ -223,9 +226,9 @@ def invoke_sbomgen(args, config) -> int:
 
     # make scan results readable by any user so
     # github actions can upload the file as a job artifact
-    os.system(f"chmod 444 {args.out_sbom}")
+    os.system(f"chmod 444 {output_config.output_sbom_path}")
 
-    set_github_actions_output('artifact_sbom', args.out_sbom)
+    set_github_actions_output('artifact_sbom', output_config.output_sbom_path)
 
     return ret
 
@@ -244,37 +247,37 @@ def invoke_inspector_scan(src_sbom, dst_scan):
     return ret
 
 
-def get_scan_result(args) -> tuple[bool, exporter.InspectorScanResult, fixed_vulns.FixedVulns]:
+def get_scan_result(args, config, output_config) -> tuple[bool, exporter.InspectorScanResult, fixed_vulns.FixedVulns]:
     scan_result = exporter.InspectorScanResult(vulnerabilities=[pkg_vuln.Vulnerability()])
     fixed_vulns_counts = fixed_vulns.FixedVulns(criticals=0, highs=0, mediums=0, lows=0, others=0)
 
     succeeded, fixed_vulns_counts = get_fixed_vuln_counts(
-        args.out_scan)
+        output_config.output_inspector_scan_path)
     if succeeded is False:
         return False, scan_result, fixed_vulns_counts
 
-    succeeded, criticals, highs, mediums, lows, others = get_vuln_counts(args.out_scan)
+    succeeded, criticals, highs, mediums, lows, others = get_vuln_counts(output_config.output_inspector_scan_path)
     if succeeded is False:
         return False, scan_result, fixed_vulns_counts
 
     try:
-        with open(args.out_scan, "r") as f:
+        with open(output_config.output_inspector_scan_path, "r") as f:
             inspector_scan = json.load(f)
             vulns = pkg_vuln.parse_inspector_scan_result(inspector_scan)
 
     except Exception as e:
         logging.error(e)
         return False, scan_result, fixed_vulns_counts
 
-    if args.show_only_fixable_vulns:
+    if output_config.show_only_fixable_vulns:
         for vuln in vulns:
             if vuln.fixed_ver == "null":
                 vulns.remove(vuln)
 
     scan_result = exporter.InspectorScanResult(
         vulnerabilities=vulns,
-        artifact_name=args.artifact_path,
-        artifact_type=args.artifact_type,
+        artifact_name=config.artifact_path,
+        artifact_type=config.artifact_type.value,
         criticals=str(criticals),
         highs=str(highs),
         mediums=str(mediums),
@@ -478,16 +481,16 @@ def write_pkg_vuln_report_markdown(out_scan_markdown, scan_result: exporter.Insp
     return markdown
 
 
-def set_env_var_if_vuln_threshold_exceeded(args,
+def set_env_var_if_vuln_threshold_exceeded(output_config,
                                            vuln_counts: typing.Union[
                                                exporter.InspectorScanResult, fixed_vulns.FixedVulns]):
-    is_exceeded = exceeds_threshold(vuln_counts.criticals, args.critical,
-                                    vuln_counts.highs, args.high,
-                                    vuln_counts.mediums, args.medium,
-                                    vuln_counts.lows, args.low,
-                                    vuln_counts.others, args.other)
+    is_exceeded = exceeds_threshold(vuln_counts.criticals, output_config.critical_threshold,
+                                    vuln_counts.highs, output_config.high_threshold,
+                                    vuln_counts.mediums, output_config.medium_threshold,
+                                    vuln_counts.lows, output_config.low_threshold,
+                                    vuln_counts.others, output_config.other_threshold)
 
-    if is_exceeded and args.thresholds:
+    if is_exceeded and output_config.thresholds:
         set_github_actions_output('vulnerability_threshold_exceeded', 1)
     else:
         set_github_actions_output('vulnerability_threshold_exceeded', 0)
@@ -550,8 +553,8 @@ def get_summarized_findings(scan_result: exporter.InspectorScanResult):
     return results
 
 
-def post_pkg_vuln_github_actions_step_summary(args, markdown):
-    if args.display_vuln_findings == "enabled":
+def post_pkg_vuln_github_actions_step_summary(output_config, markdown):
+    if output_config.display_vulnerability_findings:
         logging.info("posting Inspector scan findings to GitHub Actions step summary page")
         exporter.post_github_step_summary(markdown)