Add multi-platform container builds with per-architecture scanning

Refactor ContainerPlatform to support multi-arch builds natively,
replacing MultiContainerPlatform with a unified model. Fan out security
scans per architecture since Trivy only accepts a single --platform flag.

Key changes:
- Consolidate ContainerPlatform to handle both single and multi-arch
- Add ScanIds helper for encoding/decoding per-platform scan IDs
- Fan out scans in ContainerScanServiceImpl per architecture
- Add BuildRequest.withScanId() for propagating multi-scan IDs
- Update views and email templates for per-arch scan links
- Poll all per-arch scans in ContainerStatusServiceImpl
- Extract ScanIds.populateScanBinding() to DRY scan binding logic

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Author: pditommaso

src/main/groovy/io/seqera/wave/controller/ContainerController.groovy

@@ -77,6 +77,7 @@ import io.seqera.wave.service.request.ContainerRequestService
 import io.seqera.wave.service.request.ContainerStatusService
 import io.seqera.wave.service.request.TokenData
 import io.seqera.wave.service.scan.ContainerScanService
+import io.seqera.wave.service.scan.ScanIds
 import io.seqera.wave.service.validation.ValidationService
 import io.seqera.wave.service.validation.ValidationServiceImpl
 import io.seqera.wave.tower.PlatformId
@@ -404,6 +405,21 @@ class ContainerController {
         )
     }
 
+    protected String makeMultiPlatformScanId(BuildRequest build, SubmitContainerTokenRequest req) {
+        if( !scanService || !req.multiPlatform )
+            return build.scanId
+        final multiPlatform = ContainerPlatform.MULTI_PLATFORM
+        final scanMode = req.scanMode!=null ? req.scanMode : ScanMode.async
+        final scanIdByPlatform = new LinkedHashMap<String, String>()
+        for( String arch : multiPlatform.archs ) {
+            final platform = "${multiPlatform.os}/${arch}" as String
+            final id = scanService.getScanId("${build.targetImage}#${platform}", null, scanMode, req.format)
+            if( id )
+                scanIdByPlatform.put(id, platform)
+        }
+        return scanIdByPlatform ? ScanIds.encode(scanIdByPlatform) : null
+    }
+
     protected BuildTrack checkBuild(BuildRequest build, boolean dryRun) {
         final digest = registryProxyService.getImageDigest(build)
         // check for dry-run execution
@@ -424,7 +440,7 @@ class ContainerController {
         }
     }
 
-    protected BuildTrack checkMultiPlatformBuild(BuildRequest templateBuild, SubmitContainerTokenRequest req, PlatformId identity, String ip) {
+    protected BuildTrack checkMultiPlatformBuild(BuildRequest templateBuild, SubmitContainerTokenRequest req, PlatformId identity, boolean dryRun) {
         final containerSpec = templateBuild.containerFile
         final condaContent = templateBuild.condaFile
         final buildRepository = ContainerCoordinates.parse(templateBuild.targetImage).repository
@@ -433,6 +449,14 @@ class ContainerController {
         final containerId = makeMultiPlatformContainerId(containerSpec, condaContent, buildRepository, req.buildContext, req.freeze ? req.containerConfig : null)
         final targetImage = makeTargetImage(templateBuild.format, buildRepository, containerId, condaContent, req.nameStrategy)
 
+        // check for dry-run execution
+        if( dryRun ) {
+            log.debug "== Dry-run multi-platform build request for $targetImage"
+            final dryId = containerId + BuildRequest.SEP + '0'
+            final digest = registryProxyService.getImageDigest(targetImage, identity)
+            return new BuildTrack(dryId, targetImage, digest!=null, true)
+        }
+
         // check if the multi-platform image already exists
         final digest = registryProxyService.getImageDigest(targetImage, identity)
         if( digest ) {
@@ -486,8 +510,13 @@ class ContainerController {
         Boolean succeeded
         if( req.containerFile && req.multiPlatform ) {
             if( !buildService ) throw new UnsupportedBuildServiceException()
-            final build = makeBuildRequest(req, identity, ip)
-            final track = checkMultiPlatformBuild(build, req, identity, ip)
+            final build0 = makeBuildRequest(req, identity, ip)
+            // replace the single scanId with per-platform scanIds for multi-arch builds
+            final multiScanId = makeMultiPlatformScanId(build0, req)
+            final build = multiScanId != build0.scanId
+                    ? build0.withScanId(multiScanId)
+                    : build0
+            final track = checkMultiPlatformBuild(build, req, identity, req.dryRun)
             targetImage = track.targetImage
             targetContent = build.containerFile
             condaContent = build.condaFile

src/main/groovy/io/seqera/wave/controller/ViewController.groovy

@@ -56,6 +56,7 @@ import io.seqera.wave.service.persistence.WaveBuildRecord
 import io.seqera.wave.service.persistence.WaveScanRecord
 import io.seqera.wave.service.scan.ContainerScanService
 import io.seqera.wave.service.scan.ScanEntry
+import io.seqera.wave.service.scan.ScanIds
 import io.seqera.wave.service.scan.ScanType
 import io.seqera.wave.service.scan.ScanVulnerability
 import io.seqera.wave.util.JacksonHelper
@@ -137,8 +138,7 @@ class ViewController {
         binding.mirror_digest = result.digest ?: '-'
         binding.mirror_user = result.userName ?: '-'
         binding.put('server_url', serverUrl)
-        binding.scan_url = result.scanId && result.succeeded() ? "$serverUrl/view/scans/${result.scanId}" : null
-        binding.scan_id = result.scanId
+        ScanIds.populateScanBinding(binding, result.scanId, result.succeeded(), serverUrl)
         return binding
     }
 
@@ -254,8 +254,7 @@ class ViewController {
         binding.build_condafile = result.condaFile
         binding.build_digest = result.digest ?: '-'
         binding.put('server_url', serverUrl)
-        binding.scan_url = result.scanId && result.succeeded() ? "$serverUrl/view/scans/${result.scanId}" : null
-        binding.scan_id = result.scanId
+        ScanIds.populateScanBinding(binding, result.scanId, result.succeeded(), serverUrl)
         // inspect uri
         binding.inspect_url = result.succeeded() ? "$serverUrl/view/inspect?image=${result.targetImage}&platform=${result.platform}" : null
         // configure build logs when available
@@ -314,8 +313,7 @@ class ViewController {
         binding.build_url = data.buildId ? "$serverUrl/view/builds/${data.buildId}" : null
         binding.fusion_version = data.fusionVersion ?: '-'
 
-        binding.scan_id = data.scanId
-        binding.scan_url = data.scanId ? "$serverUrl/view/scans/${data.scanId}" : null
+        ScanIds.populateScanBinding(binding, data.scanId, true, serverUrl)
 
         binding.mirror_id = data.mirror ? data.buildId : null
         binding.mirror_url =  data.mirror ? "$serverUrl/view/mirrors/${data.buildId}" : null

src/main/groovy/io/seqera/wave/core/ContainerPlatform.groovy

@@ -18,31 +18,59 @@
 
 package io.seqera.wave.core
 
-import groovy.transform.Canonical
 import groovy.transform.CompileStatic
+import groovy.transform.EqualsAndHashCode
 import io.seqera.wave.exception.BadRequestException
 /**
  * Model a container platform
  * @author Paolo Di Tommaso <[email protected]>
  */
-@Canonical
+@EqualsAndHashCode
 @CompileStatic
 class ContainerPlatform {
 
-    public static final ContainerPlatform DEFAULT = new ContainerPlatform(DEFAULT_OS, DEFAULT_ARCH)
-
     public static final List<String> ARM64 = ['arm64', 'aarch64']
     private static final List<String> V8 = ['8','v8']
     public static final List<String> AMD64 = ['amd64', 'x86_64', 'x86-64']
     public static final List<String> ALLOWED_ARCH = AMD64 + ARM64 + ['arm']
     public static final String DEFAULT_ARCH = 'amd64'
     public static final String DEFAULT_OS = 'linux'
 
+    public static final ContainerPlatform DEFAULT = new ContainerPlatform(DEFAULT_OS, DEFAULT_ARCH)
+
+    /**
+     * A composite platform representing linux/amd64 + linux/arm64 multi-arch builds
+     */
+    public static final ContainerPlatform MULTI_PLATFORM = new ContainerPlatform('linux', ['amd64', 'arm64'])
+
     final String os
     final String arch
     final String variant
+    final List<String> archs
+
+    ContainerPlatform(String os, String arch, String variant=null) {
+        this.os = os
+        this.arch = arch
+        this.variant = variant
+        this.archs = List.of(arch)
+    }
+
+    private ContainerPlatform(String os, List<String> archs) {
+        assert archs.size() >= 2, "Multi-arch platform requires at least 2 architectures"
+        this.os = os
+        this.arch = archs[0]
+        this.variant = null
+        this.archs = List.copyOf(archs)
+    }
+
+    boolean isMultiArch() {
+        return archs.size() > 1
+    }
 
     String toString() {
+        if( isMultiArch() ) {
+            return archs.collect { "${os}/${it}" }.join(',')
+        }
         def result = os + "/" + arch
         if( variant )
             result += "/" + variant
@@ -88,6 +116,16 @@ class ContainerPlatform {
         if( !value )
             throw new BadRequestException("Missing container platform attribute")
 
+        // handle comma-separated multi-platform values e.g. "linux/amd64,linux/arm64"
+        if( value.contains(',') ) {
+            final parts = value.tokenize(',').collect { it.trim() }
+            final platforms = parts.collect { of(it) }
+            // all platforms must share the same OS
+            final os = platforms[0].os
+            final archs = platforms.collect { it.arch }
+            return new ContainerPlatform(os, archs)
+        }
+
         final items= value.tokenize('/')
         if( items.size()==1 )
             items.add(0, DEFAULT_OS)

src/main/groovy/io/seqera/wave/core/MultiContainerPlatform.groovy

@@ -231,7 +231,7 @@ class ProxyClient {
             copyHeaders(headers, builder)
             if( authorize ) {
                 // add authorisation header
-                final header = loginService.getAuthorization(image, registry.auth, credentials)
+                final header = getAuthHeader()
                 if( header )
                     builder.setHeader("Authorization", header)
             }
@@ -285,10 +285,10 @@ class ProxyClient {
         // https://zetcode.com/java/httpclient/
         final builder = HttpRequest.newBuilder(uri)
                 .method("HEAD", HttpRequest.BodyPublishers.noBody())
-        // copy headers 
+        // copy headers
         copyHeaders(headers, builder)
         // add authorisation header
-        final header = loginService.getAuthorization(image, registry.auth, credentials)
+        final header = getAuthHeader()
         if( header )
             builder.setHeader("Authorization", header)
         // build the request
@@ -375,7 +375,7 @@ class ProxyClient {
         // copy headers
         copyHeaders(headers, request)
         // add authorisation header
-        final header = loginService.getAuthorization(image, registry.auth, credentials)
+        final header = getAuthHeader()
         if( header )
             request.header("Authorization", header)
 
@@ -395,7 +395,7 @@ class ProxyClient {
             result.add("${entry.key}: $entry.value")
         }
         // add authorisation header
-        final header = loginService.getAuthorization(image, registry.auth, credentials)
+        final header = getAuthHeader()
         if( header ) {
             result.add('-H')
             result.add("Authorization: $header")

src/main/groovy/io/seqera/wave/proxy/ProxyClient.groovy

@@ -154,11 +154,6 @@ class BuildRequest {
      */
     final boolean noEmail
 
-    /**
-     * When {@code true}, this is a multi-platform composite build (linux/amd64 + linux/arm64)
-     */
-    final boolean multiPlatform
-
     BuildRequest(
             String containerId,
             String containerFile,
@@ -201,7 +196,6 @@ class BuildRequest {
         this.compression = compression
         this.buildTemplate = buildTemplate
         this.noEmail = noEmail
-        this.multiPlatform = false
         // NOTE: this is meant to be updated - automatically - when the request is submitted
         this.buildId = computeBuildId(containerId)
     }
@@ -231,13 +225,38 @@ class BuildRequest {
         this.buildId = opts.buildId ?: computeBuildId(containerId)
         this.buildTemplate = opts.buildTemplate
         this.noEmail = opts.noEmail as boolean
-        this.multiPlatform = opts.multiPlatform as boolean
     }
 
     static BuildRequest of(Map opts) {
         new BuildRequest(opts)
     }
 
+    BuildRequest withScanId(String scanId) {
+        return BuildRequest.of(
+                containerId: this.containerId,
+                containerFile: this.containerFile,
+                condaFile: this.condaFile,
+                workspace: this.workspace,
+                targetImage: this.targetImage,
+                identity: this.identity,
+                platform: this.platform,
+                cacheRepository: this.cacheRepository,
+                startTime: this.startTime,
+                ip: this.ip,
+                configJson: this.configJson,
+                offsetId: this.offsetId,
+                containerConfig: this.containerConfig,
+                scanId: scanId,
+                buildContext: this.buildContext,
+                format: this.format,
+                maxDuration: this.maxDuration,
+                compression: this.compression,
+                buildId: this.buildId,
+                buildTemplate: this.buildTemplate,
+                noEmail: this.noEmail
+        )
+    }
+
     @Override
     String toString() {
         return "BuildRequest[containerId=$containerId; targetImage=$targetImage; identity=$identity; dockerFile=${trunc(containerFile)}; condaFile=${trunc(condaFile)}; buildId=$buildId, maxDuration=$maxDuration]"

src/main/groovy/io/seqera/wave/service/builder/BuildRequest.groovy

@@ -118,7 +118,7 @@ class ManifestAssembler {
                 ]
             }
         ]
-        return JsonOutput.prettyPrint(JsonOutput.toJson(index))
+        return JsonOutput.toJson(index)
     }
 
     protected void pushManifest(String targetImage, String indexJson, PlatformId identity) {

src/main/groovy/io/seqera/wave/service/builder/ManifestAssembler.groovy

@@ -61,8 +61,11 @@ class MultiBuildRequest {
             PlatformId identity,
             Duration maxDuration
     ) {
+        assert containerId, "Argument 'containerId' cannot be empty"
         assert targetImage, "Argument 'targetImage' cannot be empty"
         assert buildId, "Argument 'buildId' cannot be empty"
+        assert amd64TargetImage, "Argument 'amd64TargetImage' cannot be empty"
+        assert arm64TargetImage, "Argument 'arm64TargetImage' cannot be empty"
 
         final multiBuildId = ID_PREFIX + LongRndKey.rndHex()
         return new MultiBuildRequest(