Add copa generate command

Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>

Author: robert-cronin

.github/workflows/build.yml

@@ -449,6 +449,48 @@ jobs:
         with:
           paths: "test-results.xml"
 
+  test-generate:
+    needs: build
+    name: Test generate command ${{ matrix.buildkit_mode }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      fail-fast: false
+      matrix:
+        buildkit_mode: ${{fromJson(needs.build.outputs.buildkitenvs)}}
+    steps:
+      - name: Download copa from build artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: copa_edge_linux_amd64.tar.gz
+      - run: docker system prune -a -f --volumes
+      - name: Check out code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: "1.24"
+          check-latest: true
+      - name: Install required tools
+        shell: bash
+        run: .github/workflows/scripts/download-tooling.sh
+      - name: Download copa from build artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: copa_edge_linux_amd64.tar.gz
+      - name: Extract copa
+        shell: bash
+        run: |
+          tar xzf copa_edge_linux_amd64.tar.gz
+          ./copa --version
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - name: Run e2e tests
+        shell: bash
+        run: |
+          set -eu -o pipefail
+          . .github/workflows/scripts/buildkitenvs/${{ matrix.buildkit_mode}}
+          go test -v ./test/e2e/generate --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" -timeout 0
+
   test-patch-multiplatform-plugin:
     needs: build
     name: Test multiplatform with plugin

go.mod

@@ -21,6 +21,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/openvex/go-vex v0.2.6
+	github.com/pkg/errors v0.9.1
 	github.com/quay/claircore v1.5.39
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
@@ -29,6 +30,7 @@ require (
 	github.com/tonistiigi/fsutil v0.0.0-20250605211040-586307ad452f
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
 	golang.org/x/sync v0.17.0
+	golang.org/x/term v0.35.0
 	google.golang.org/grpc v1.75.0
 	k8s.io/apimachinery v0.34.1
 )
@@ -104,7 +106,6 @@ require (
 	github.com/package-url/packageurl-go v0.1.3 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/quay/claircore/toolkit v1.2.4 // indirect
@@ -145,7 +146,7 @@ require (
 	golang.org/x/crypto v0.41.0 // indirect
 	golang.org/x/mod v0.27.0 // indirect
 	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.35.0 // indirect

go.sum

@@ -405,10 +405,10 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
+golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=

main.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/project-copacetic/copacetic/pkg/generate"
 	"github.com/project-copacetic/copacetic/pkg/patch"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -37,6 +38,7 @@ func newRootCmd() *cobra.Command {
 	flags.BoolVar(&debug, "debug", false, "enable debug level logging")
 
 	rootCmd.AddCommand(patch.NewPatchCmd())
+	rootCmd.AddCommand(generate.NewGenerateCmd())
 	return rootCmd
 }
 

pkg/common/registry.go

@@ -0,0 +1,18 @@
+package common
+
+import (
+	"fmt"
+	"strings"
+)
+
+// GetRepoNameWithDigest extracts repo name with digest from image name and digest.
+// e.g. "docker.io/library/nginx:1.21.6-patched" -> "nginx@sha256:...".
+func GetRepoNameWithDigest(patchedImageName, imageDigest string) string {
+	parts := strings.Split(patchedImageName, "/")
+	last := parts[len(parts)-1]
+	if idx := strings.IndexRune(last, ':'); idx >= 0 {
+		last = last[:idx]
+	}
+	nameWithDigest := fmt.Sprintf("%s@%s", last, imageDigest)
+	return nameWithDigest
+}

pkg/generate/cmd.go

@@ -0,0 +1,110 @@
+package generate
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/project-copacetic/copacetic/pkg/buildkit"
+	"github.com/project-copacetic/copacetic/pkg/types"
+	"github.com/spf13/cobra"
+	"golang.org/x/term"
+
+	// Register connection helpers for buildkit.
+	_ "github.com/moby/buildkit/client/connhelper/dockercontainer"
+	_ "github.com/moby/buildkit/client/connhelper/kubepod"
+	_ "github.com/moby/buildkit/client/connhelper/nerdctlcontainer"
+	_ "github.com/moby/buildkit/client/connhelper/podmancontainer"
+	_ "github.com/moby/buildkit/client/connhelper/ssh"
+)
+
+type generateArgs struct {
+	appImage      string
+	report        string
+	patchedTag    string
+	suffix        string
+	workingFolder string
+	timeout       time.Duration
+	scanner       string
+	ignoreError   bool
+	outputContext string
+	format        string
+	output        string
+	bkOpts        buildkit.Opts
+	platform      []string
+	loader        string
+}
+
+func NewGenerateCmd() *cobra.Command {
+	ga := generateArgs{}
+	generateCmd := &cobra.Command{
+		Use:   "generate",
+		Short: "Generate a Docker build context tar stream for patching container images",
+		Long: `Generate creates a tar stream containing a Dockerfile and patch layer that can be piped to 'docker build'.
+This command produces a build context with the patch diff layer and a Dockerfile that applies the patch.`,
+		Example: `  # Generate patch context and pipe to docker build
+  copa generate -i ubuntu:22.04 -r trivy.json | docker build -t ubuntu:22.04-patched -
+  
+  # Generate patch context without vulnerability report (update all packages)
+  copa generate -i alpine:3.18 | docker build -t alpine:3.18-patched -
+  
+  # Save context to file
+  copa generate -i alpine:3.18 -r scan.json --output-context patch.tar`,
+		RunE: func(_ *cobra.Command, _ []string) error {
+			// Check if stdout is a TTY when not writing to file
+			if ga.outputContext == "" && term.IsTerminal(int(os.Stdout.Fd())) {
+				return fmt.Errorf("refusing to write tar stream to terminal. Use --output-context to save to file or redirect stdout")
+			}
+
+			opts := &types.Options{
+				Image:         ga.appImage,
+				Report:        ga.report,
+				PatchedTag:    ga.patchedTag,
+				Suffix:        ga.suffix,
+				WorkingFolder: ga.workingFolder,
+				Timeout:       ga.timeout,
+				Scanner:       ga.scanner,
+				IgnoreError:   ga.ignoreError,
+				OutputContext: ga.outputContext,
+				Format:        ga.format,
+				Output:        ga.output,
+				BkAddr:        ga.bkOpts.Addr,
+				BkCACertPath:  ga.bkOpts.CACertPath,
+				BkCertPath:    ga.bkOpts.CertPath,
+				BkKeyPath:     ga.bkOpts.KeyPath,
+				Platforms:     ga.platform,
+				Loader:        ga.loader,
+			}
+			return Generate(context.Background(), opts)
+		},
+	}
+
+	flags := generateCmd.Flags()
+	flags.StringVarP(&ga.appImage, "image", "i", "", "Application image name and tag to patch")
+	flags.StringVarP(&ga.report, "report", "r", "", "Vulnerability report file path (optional)")
+	flags.StringVarP(&ga.patchedTag, "tag", "t", "", "Tag for the patched image")
+	flags.StringVarP(&ga.suffix, "tag-suffix", "", "patched", "Suffix for the patched image (if no explicit --tag provided)")
+	flags.StringVarP(&ga.workingFolder, "working-folder", "w", "", "Working folder, defaults to system temp folder")
+	flags.StringVarP(&ga.bkOpts.Addr, "addr", "a", "", "Address of buildkitd service, defaults to local docker daemon with fallback to "+buildkit.DefaultAddr)
+	flags.StringVarP(&ga.bkOpts.CACertPath, "cacert", "", "", "Absolute path to buildkitd CA certificate")
+	flags.StringVarP(&ga.bkOpts.CertPath, "cert", "", "", "Absolute path to buildkit client certificate")
+	flags.StringVarP(&ga.bkOpts.KeyPath, "key", "", "", "Absolute path to buildkit client key")
+	flags.DurationVar(&ga.timeout, "timeout", 5*time.Minute, "Timeout for the operation, defaults to '5m'")
+	flags.StringVarP(&ga.scanner, "scanner", "s", "trivy", "Scanner that generated the report, defaults to 'trivy'")
+	flags.BoolVar(&ga.ignoreError, "ignore-errors", false, "Ignore errors during patching")
+	flags.StringVarP(&ga.format, "format", "f", "openvex", "Output format, defaults to 'openvex'")
+	flags.StringVarP(&ga.output, "output", "o", "", "Output file path")
+	flags.StringSliceVar(&ga.platform, "platform", nil,
+		"Target platform(s) for multi-arch images when no report directory is provided (e.g., linux/amd64,linux/arm64). "+
+			"Valid platforms: linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6. "+
+			"If platform flag is used, only specified platforms are patched and the rest are preserved. If not specified, all platforms present in the image are patched.")
+	flags.StringVarP(&ga.loader, "loader", "l", "", "Loader to use for loading images. Options: 'docker', 'podman', or empty for auto-detection based on buildkit address")
+	flags.StringVar(&ga.outputContext, "output-context", "", "Path to save the generated tar context (instead of stdout)")
+
+	if err := generateCmd.MarkFlagRequired("image"); err != nil {
+		panic(err)
+	}
+
+	return generateCmd
+}