feat(security): add TriggerScan method for post-update CVE verification

ashish1099 · ashish1099 · commit b5f2ec28fb62 · 2026-04-02T09:53:41.000+05:30
Add ScanResponse model matching the security-exporter /scan endpoint
response with severity breakdown and cves_fixed count.

Add TriggerScan() to SecurityExporter interface with 6-minute timeout
to accommodate full vulnerability scan duration.
diff --git a/pkg/security/model.go b/pkg/security/model.go
@@ -9,3 +9,17 @@ type TotalNumberOfPackagesWithUpdateResponse struct {
 	TotalNumberOfPackagesWithUpdate int  `json:"total_number_of_packages_with_update"`
 	HasKernelUpdate                 bool `json:"has_kernel_update"`
 }
+
+type ScanResponse struct {
+	Success               bool   `json:"success"`
+	TotalCVEs             int    `json:"total_cves"`
+	CriticalCVEs          int    `json:"critical_cves"`
+	HighCVEs              int    `json:"high_cves"`
+	MediumCVEs            int    `json:"medium_cves"`
+	LowCVEs               int    `json:"low_cves"`
+	PackagesWithUpdates   int    `json:"packages_with_updates"`
+	KernelUpdateAvailable bool   `json:"kernel_update_available"`
+	PreviousTotalCVEs     int    `json:"previous_total_cves"`
+	CVEsFixed             int    `json:"cves_fixed"`
+	Error                 string `json:"error,omitempty"`
+}
diff --git a/pkg/security/security-exporter.go b/pkg/security/security-exporter.go
@@ -1,10 +1,12 @@
 package security
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"net/http"
+	"time"
 )
 
 type securityExporter struct {
@@ -14,6 +16,8 @@ type securityExporter struct {
 
 const (
 	totalNumberOfPackageUpdatesPath = "/total_number_of_packages_with_update"
+	scanPath                        = "/scan"
+	scanTimeout                     = 6 * time.Minute
 )
 
 func (s *securityExporter) GetNumberOfPackageUpdates() (*TotalNumberOfPackagesWithUpdateResponse, error) {
@@ -53,6 +57,30 @@ func (s *securityExporter) GetNumberOfPackageUpdates() (*TotalNumberOfPackagesWi
 // nolint: revive
 type SecurityExporter interface {
 	GetNumberOfPackageUpdates() (*TotalNumberOfPackagesWithUpdateResponse, error)
+	TriggerScan() (*ScanResponse, error)
+}
+
+func (s *securityExporter) TriggerScan() (*ScanResponse, error) {
+	client := &http.Client{Timeout: scanTimeout}
+
+	resp, err := client.Post(fmt.Sprintf("%s%s", s.hostURL, scanPath), "application/json", bytes.NewReader(nil))
+	if err != nil {
+		slog.Error("failed to trigger scan on security exporter", slog.Any("error", err))
+		return nil, err
+	}
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			slog.Error("failed to close response body", slog.Any("error", err))
+		}
+	}()
+
+	scanResp := &ScanResponse{}
+	if err := json.NewDecoder(resp.Body).Decode(scanResp); err != nil {
+		slog.Error("failed to decode scan response", slog.Any("error", err))
+		return nil, err
+	}
+
+	return scanResp, nil
 }
 
 func NewSecurityExporter(hostURL string) SecurityExporter {
