feat: add CLI arguments, modular refactor, test reorganization, and security scanning

- Add CLI support with short/long options (-s/--size, -p/--profile, etc.)
- Split diskmark.sh into lib/ modules (args, validate, utils, profiles, detect, benchmark, output, update)
- Reorganize tests into 6 concurrent jobs with optimized timing (100ms/500ms)
- Integrate Trivy and Grype security scanning into docker-image.yml workflow

Author: e7d

.github/copilot-instructions.md

@@ -0,0 +1,90 @@
+# Copilot Instructions for docker-diskmark
+
+## Project Overview
+
+Docker DiskMark is a fio-based disk benchmarking tool packaged as a minimal Docker container. It provides CrystalDiskMark-like functionality for Linux systems.
+
+## Project Structure
+
+```
+diskmark.sh          # Main entry point (~100 lines)
+lib/
+├── args.sh          # CLI argument parsing + help/version
+├── validate.sh      # Input validation functions
+├── utils.sh         # Utility functions (color, size conversion, cleanup)
+├── profiles.sh      # Profile definitions (default, nvme, custom job)
+├── detect.sh        # Drive/filesystem detection
+├── benchmark.sh     # fio benchmark execution + warmup + result parsing
+├── output.sh        # Output formatting (human/JSON/YAML/XML)
+└── update.sh        # Update check functionality
+```
+
+## Clean Code Principles
+
+Follow these clean code principles when contributing:
+
+### Single Responsibility
+- Each function should do one thing and do it well
+- Keep functions small and focused (ideally < 30 lines)
+- Separate concerns: parsing, validation, execution, output
+
+### Meaningful Names
+- Use descriptive function names: `validate_size_string` not `check`
+- Use consistent naming conventions (snake_case for functions/variables)
+- Prefix validation functions with `validate_`
+- Prefix parsing functions with `parse_`
+
+### DRY (Don't Repeat Yourself)
+- Extract common patterns into reusable functions
+- Use helper functions for repeated validation logic
+- Centralize error handling and output formatting
+
+### Comments and Documentation
+- Functions should be self-documenting through clear names
+- Add comments only when explaining "why", not "what"
+- Keep help text and documentation in sync with code
+
+### Error Handling
+- Fail fast with clear error messages
+- Validate inputs early before processing
+- Use consistent exit codes (0=success, 1=error)
+
+### Code Organization
+- Group related functions together
+- Order: constants → helpers → validators → core logic → main
+- Keep configuration separate from logic
+
+## Shell Script Best Practices
+
+- Use `set -e` to exit on errors
+- Quote variables: `"$VAR"` not `$VAR`
+- Use `[[` for conditionals (bash)
+- Prefer `local` variables in functions
+- Use meaningful return codes
+- Avoid global state when possible
+
+## Testing Guidelines
+
+- All features should have corresponding tests in `.github/workflows/tests.yml`
+- Test both valid and invalid inputs
+- Test CLI arguments in all formats: `--key value`, `--key=value`, `-k value`
+- Use dry-run mode for input validation tests
+- Use minimal sizes/runtimes for actual benchmark tests
+
+## Docker Best Practices
+
+- Keep the container minimal (scratch-based)
+- Only include necessary binaries
+- Use multi-stage builds
+- Set appropriate defaults via ENV
+- Run as non-root user (65534:65534)
+
+## Output Formats
+
+The tool supports multiple output formats:
+- Human-readable (default): colored, with emojis
+- JSON: structured, machine-readable
+- YAML: structured, human-friendly
+- XML: structured, enterprise-compatible
+
+When modifying output, ensure all formats are updated consistently.

.github/workflows/docker-image.yml

@@ -17,13 +17,17 @@ permissions:
   contents: read
   packages: write
   pull-requests: write
+  security-events: write
 
 env:
   PLATFORMS: linux/amd64,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x
 
 jobs:
   build:
+    name: Build and Push Docker Image
     runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.image.outputs.tag }}
     env:
       HAS_DOCKERHUB_SECRETS: ${{ github.event_name != 'pull_request' || github.repository == github.event.pull_request.head.repo.full_name }}
     steps:
@@ -66,10 +70,17 @@ jobs:
         id: version
         run: |
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then
-            echo "version=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+            VERSION="${{ github.ref_name }}"
+            VERSION="${VERSION#v}"
           else
-            echo "version=${{ github.sha }}" >> $GITHUB_OUTPUT
+            GIT_DESC=$(git describe --tags --always 2>/dev/null)
+            if [[ "$GIT_DESC" =~ ^v?([0-9]+\.[0-9]+\.[0-9]+)-([0-9]+)-g([a-f0-9]+)$ ]]; then
+              VERSION="${BASH_REMATCH[1]}-dev.${BASH_REMATCH[2]}+${BASH_REMATCH[3]}"
+            else
+              VERSION="0.0.0-dev+${GITHUB_SHA::7}"
+            fi
           fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
@@ -83,6 +94,15 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             VERSION=${{ steps.version.outputs.version }}
+      - name: Export image tag for scanning
+        id: image
+        run: |
+          IMAGE_TAG="$(echo '${{ steps.meta.outputs.tags }}' | grep 'ghcr.io' | head -n1)"
+          if [ -z "$IMAGE_TAG" ]; then
+            IMAGE_TAG="${{ vars.GHCR_IMAGE }}:pr-${{ github.event.pull_request.number }}"
+          fi
+          echo "tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+          echo "Scanning image: $IMAGE_TAG"
       - name: Docker Scout
         id: docker-scout
         if: ${{ github.event_name == 'pull_request' }}
@@ -102,3 +122,55 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
           repository: ${{ vars.DOCKERHUB_IMAGE }}
+
+  trivy:
+    name: Trivy Security Scan
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.30.0
+        with:
+          image-ref: ${{ needs.build.outputs.image_tag }}
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH,MEDIUM
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+
+  grype:
+    name: Grype Security Scan
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run Grype vulnerability scanner
+        uses: anchore/scan-action@v6.0.0
+        id: scan
+        with:
+          image: ${{ needs.build.outputs.image_tag }}
+          fail-build: false
+          severity-cutoff: medium
+      - name: Upload Grype scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}