feat: add CLI arguments, modular refactor, test reorganization, and security scanning

- Add CLI support with short/long options (-s/--size, -p/--profile, etc.)
- Split diskmark.sh into lib/ modules (args, validate, utils, profiles, detect, benchmark, output, update)
- Reorganize tests into 6 concurrent jobs with optimized timing (100ms/500ms)
- Add security.yml workflow with Trivy and Grype vulnerability scanners

Author: e7d

.github/copilot-instructions.md

@@ -0,0 +1,90 @@
+# Copilot Instructions for docker-diskmark
+
+## Project Overview
+
+Docker DiskMark is a fio-based disk benchmarking tool packaged as a minimal Docker container. It provides CrystalDiskMark-like functionality for Linux systems.
+
+## Project Structure
+
+```
+diskmark.sh          # Main entry point (~100 lines)
+lib/
+├── args.sh          # CLI argument parsing + help/version
+├── validate.sh      # Input validation functions
+├── utils.sh         # Utility functions (color, size conversion, cleanup)
+├── profiles.sh      # Profile definitions (default, nvme, custom job)
+├── detect.sh        # Drive/filesystem detection
+├── benchmark.sh     # fio benchmark execution + warmup + result parsing
+├── output.sh        # Output formatting (human/JSON/YAML/XML)
+└── update.sh        # Update check functionality
+```
+
+## Clean Code Principles
+
+Follow these clean code principles when contributing:
+
+### Single Responsibility
+- Each function should do one thing and do it well
+- Keep functions small and focused (ideally < 30 lines)
+- Separate concerns: parsing, validation, execution, output
+
+### Meaningful Names
+- Use descriptive function names: `validate_size_string` not `check`
+- Use consistent naming conventions (snake_case for functions/variables)
+- Prefix validation functions with `validate_`
+- Prefix parsing functions with `parse_`
+
+### DRY (Don't Repeat Yourself)
+- Extract common patterns into reusable functions
+- Use helper functions for repeated validation logic
+- Centralize error handling and output formatting
+
+### Comments and Documentation
+- Functions should be self-documenting through clear names
+- Add comments only when explaining "why", not "what"
+- Keep help text and documentation in sync with code
+
+### Error Handling
+- Fail fast with clear error messages
+- Validate inputs early before processing
+- Use consistent exit codes (0=success, 1=error)
+
+### Code Organization
+- Group related functions together
+- Order: constants → helpers → validators → core logic → main
+- Keep configuration separate from logic
+
+## Shell Script Best Practices
+
+- Use `set -e` to exit on errors
+- Quote variables: `"$VAR"` not `$VAR`
+- Use `[[` for conditionals (bash)
+- Prefer `local` variables in functions
+- Use meaningful return codes
+- Avoid global state when possible
+
+## Testing Guidelines
+
+- All features should have corresponding tests in `.github/workflows/tests.yml`
+- Test both valid and invalid inputs
+- Test CLI arguments in all formats: `--key value`, `--key=value`, `-k value`
+- Use dry-run mode for input validation tests
+- Use minimal sizes/runtimes for actual benchmark tests
+
+## Docker Best Practices
+
+- Keep the container minimal (scratch-based)
+- Only include necessary binaries
+- Use multi-stage builds
+- Set appropriate defaults via ENV
+- Run as non-root user (65534:65534)
+
+## Output Formats
+
+The tool supports multiple output formats:
+- Human-readable (default): colored, with emojis
+- JSON: structured, machine-readable
+- YAML: structured, human-friendly
+- XML: structured, enterprise-compatible
+
+When modifying output, ensure all formats are updated consistently.

.github/workflows/docker-image.yml

@@ -66,10 +66,17 @@ jobs:
         id: version
         run: |
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then
-            echo "version=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+            VERSION="${{ github.ref_name }}"
+            VERSION="${VERSION#v}"
           else
-            echo "version=${{ github.sha }}" >> $GITHUB_OUTPUT
+            GIT_DESC=$(git describe --tags --always 2>/dev/null)
+            if [[ "$GIT_DESC" =~ ^v?([0-9]+\.[0-9]+\.[0-9]+)-([0-9]+)-g([a-f0-9]+)$ ]]; then
+              VERSION="${BASH_REMATCH[1]}-dev.${BASH_REMATCH[2]}+${BASH_REMATCH[3]}"
+            else
+              VERSION="0.0.0-dev+${GITHUB_SHA::7}"
+            fi
           fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:

.github/workflows/security.yml

@@ -0,0 +1,65 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build image
+        run: docker build -t diskmark:scan .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: diskmark:scan
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH,MEDIUM
+
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+
+  grype:
+    name: Grype
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build image
+        run: docker build -t diskmark:scan .
+
+      - name: Run Grype vulnerability scanner
+        uses: anchore/scan-action@v6
+        id: scan
+        with:
+          image: diskmark:scan
+          fail-build: false
+          severity-cutoff: medium
+
+      - name: Upload Grype scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}