
feature: Add support for Trivy in codacy-cli-v2 #29

Closed
andrzej-janczak wants to merge 4 commits into main from PLUTO-1361-trivy

Conversation

@andrzej-janczak (Contributor)

@andrzej-janczak andrzej-janczak commented Mar 26, 2025

Implemented with Cursor AI

Tested only locally

[Screenshot 2025-03-26 at 16 54 22]

@andrzej-janczak andrzej-janczak requested a review from Copilot March 26, 2025 15:46

Copilot AI left a comment


Pull Request Overview

This PR adds support for the Trivy vulnerability scanner to codacy-cli-v2.

  • Implements Trivy scan execution and JSON-to-SARIF conversion logic in a new tools module.
  • Updates configuration, runtime, installation, and CLI analysis commands to integrate Trivy.
  • Revises the documentation and sample configuration files to reflect the new functionality.

Reviewed Changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 2 comments.

Summary per file:
  • utils/file.go: Added a CopyFile utility function used when relocating binaries.
  • utils/extract.go: Added ExtractZip to support zip archive extraction using archiver.
  • tools/trivyRunner.go: Implements functions to run Trivy scans and convert JSON output.
  • config/trivy-utils.go: Introduces installation logic and helper methods for Trivy.
  • config/runtime.go: Updates runtime info population to include Trivy.
  • cmd/install.go: Extends the installation command to download and install Trivy.
  • cmd/init.go: Updates the default configuration template to include Trivy.
  • cmd/analyze.go: Adds Trivy as a tool option for the analysis command.
  • README.md: Updates documentation to provide instructions for Trivy usage.
  • .examples/code.js: Introduces a new code example (note: contains a hardcoded token).
  • .codacy/codacy.yaml: Adds Trivy as a supported tool in the configuration file.
Files not reviewed (1)
  • .examples/go.mod: Language not supported
Comments suppressed due to low confidence (1)

cmd/init.go:77

  • The default Trivy version in init.go (0.50.0) does not match the version specified in .codacy/codacy.yaml (0.46.0). Please ensure the default versions are consistent across configuration files.
trivyVersion := "0.50.0" // Use the latest stable version

Comment thread utils/extract.go

        return err
    }

    stream, _ := f.Open()

Copilot AI Mar 26, 2025

The error returned by f.Open() is ignored, which could lead to unhandled errors if opening the stream fails. Consider checking and handling the error properly.

Suggested change, replacing
    stream, _ := f.Open()
with
    stream, err := f.Open()
    if err != nil {
        return err
    }
Comment thread .examples/code.js Outdated
Comment thread tools/trivyRunner.go Outdated
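The f.Open() point from the review above, carried through in an added example that is not code from this PR or from codacy-cli-v2: an ExtractZip built on the standard archive/zip package (the PR uses the archiver library) that returns the open error instead of discarding it and, because the archive being unpacked is a downloaded release, also refuses any entry whose name resolves outside the destination directory. ErrZipSlip, BuildSampleZip and the sample entries are this example's own names and constructed input.

```go
// Added example, not code from this PR: a zip extractor that keeps the error
// from f.Open(), as the review asks, and rejects entries whose names resolve
// outside the destination directory (the "zip slip" case).
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip is returned when an entry name resolves outside dest.
var ErrZipSlip = errors.New("zip entry escapes destination directory")

// ExtractZipReader writes every entry of r below dest.
func ExtractZipReader(r *zip.Reader, dest string) error {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return err
	}
	for _, f := range r.File {
		// filepath.Join cleans ".." segments; the result must still sit under
		// absDest, otherwise the entry is refused before anything is written.
		target := filepath.Join(absDest, f.Name)
		if target != absDest && !strings.HasPrefix(target, absDest+string(os.PathSeparator)) {
			return fmt.Errorf("%w: %q", ErrZipSlip, f.Name)
		}
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		// The error the review flagged: a corrupt entry surfaces here.
		stream, err := f.Open()
		if err != nil {
			return fmt.Errorf("open %q in archive: %w", f.Name, err)
		}
		perm := f.Mode().Perm()
		if perm == 0 {
			perm = 0o644
		}
		out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, perm)
		if err != nil {
			stream.Close()
			return err
		}
		_, copyErr := io.Copy(out, stream)
		stream.Close()
		if closeErr := out.Close(); copyErr == nil {
			copyErr = closeErr
		}
		if copyErr != nil {
			return fmt.Errorf("write %q: %w", target, copyErr)
		}
	}
	return nil
}

// ExtractZip opens the archive at zipPath and extracts it below dest.
func ExtractZip(zipPath, dest string) error {
	rc, err := zip.OpenReader(zipPath)
	// Since Go 1.20, OpenReader can return ErrInsecurePath together with a
	// usable reader; ExtractZipReader applies its own check to every entry.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return err
	}
	defer rc.Close()
	return ExtractZipReader(&rc.Reader, dest)
}

// BuildSampleZip builds a constructed in-memory archive so the example runs
// offline; entry names are used verbatim, including ones containing "../".
func BuildSampleZip(entries map[string]string) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range entries {
		fw, err := w.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}
```

The path check compares the cleaned target against the absolute destination with a trailing separator, so a name like `../escape.txt` or `/etc/passwd` is rejected before any directory is created; the entry is refused with ErrZipSlip wrapped in the error, which callers can test with errors.Is.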
@machadoit (Contributor)

As impressive as it is that it just works 👌, we probably need to create some 'tool' abstraction, as this seems a bit all over the place. The if about 'sarif or file output' seems to proliferate a lot.
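The JSON-to-SARIF step the review lists for tools/trivyRunner.go, as an added example that is not the PR's code: it reads a Trivy JSON report and returns one SARIF run, mapping Trivy severities onto SARIF levels and deduplicating rule ids. Trivy's field names (Results, Target, Vulnerabilities, Secrets and their members) follow Trivy's documented JSON output; the SARIF types cover only the properties used; SampleTrivyJSON is constructed, with placeholder CVE ids that are not real advisories. Secret findings carry the file and line range but never the matched value.

```go
// Added example, not the PR's trivyRunner.go: convert Trivy's JSON report into a
// minimal SARIF 2.1.0 document. Trivy field names follow its documented JSON output.
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of Trivy's JSON report; encoding/json matches these names without tags.
type TrivyReport struct {
	Results []struct {
		Target          string
		Vulnerabilities []struct{ VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Title string }
		Secrets         []struct{ RuleID, Severity, Title string; StartLine, EndLine int }
	}
}

// Minimal SARIF 2.1.0 shapes, limited to the properties used here.
type Text struct{ Text string `json:"text"` }
type Rule struct { ID string `json:"id"`; ShortDescription Text `json:"shortDescription"` }
type Region struct { StartLine int `json:"startLine"`; EndLine int `json:"endLine"` }
type ArtifactLocation struct{ URI string `json:"uri"` }
type PhysicalLocation struct {
	ArtifactLocation ArtifactLocation `json:"artifactLocation"`
	Region           *Region          `json:"region,omitempty"` // nil for package findings
}
type Location struct{ PhysicalLocation PhysicalLocation `json:"physicalLocation"` }
type Result struct {
	RuleID    string     `json:"ruleId"`
	Level     string     `json:"level"`
	Message   Text       `json:"message"`
	Locations []Location `json:"locations"`
}
type Driver struct { Name string `json:"name"`; Rules []Rule `json:"rules"` }
type Tool struct{ Driver Driver `json:"driver"` }
type Run struct { Tool Tool `json:"tool"`; Results []Result `json:"results"` }
type Sarif struct {
	Schema  string `json:"$schema"`
	Version string `json:"version"`
	Runs    []Run  `json:"runs"`
}

// SarifLevel maps Trivy's severities onto the three SARIF result levels.
func SarifLevel(severity string) string {
	switch strings.ToUpper(severity) {
	case "CRITICAL", "HIGH":
		return "error"
	case "MEDIUM":
		return "warning"
	default: // LOW, UNKNOWN
		return "note"
	}
}

// TrivyToSarif parses a Trivy JSON report and emits one SARIF run.
func TrivyToSarif(report []byte) (*Sarif, error) {
	var tr TrivyReport
	if err := json.Unmarshal(report, &tr); err != nil {
		return nil, fmt.Errorf("parse trivy json: %w", err)
	}
	run := Run{Tool{Driver{"Trivy", []Rule{}}}, []Result{}}
	seen := map[string]bool{} // rule ids must be unique within a run
	addRule := func(id, title string) {
		if !seen[id] {
			seen[id] = true
			run.Tool.Driver.Rules = append(run.Tool.Driver.Rules, Rule{id, Text{title}})
		}
	}
	for _, res := range tr.Results {
		for _, v := range res.Vulnerabilities {
			addRule(v.VulnerabilityID, v.Title)
			msg := fmt.Sprintf("%s %s is affected by %s", v.PkgName, v.InstalledVersion, v.VulnerabilityID)
			if v.FixedVersion != "" {
				msg += " (fixed in " + v.FixedVersion + ")"
			}
			loc := Location{PhysicalLocation{ArtifactLocation{res.Target}, nil}}
			run.Results = append(run.Results, Result{v.VulnerabilityID, SarifLevel(v.Severity), Text{msg}, []Location{loc}})
		}
		// Secrets: emit rule, level and line range only, never the matched value.
		for _, s := range res.Secrets {
			addRule(s.RuleID, s.Title)
			loc := Location{PhysicalLocation{ArtifactLocation{res.Target}, &Region{s.StartLine, s.EndLine}}}
			run.Results = append(run.Results, Result{s.RuleID, SarifLevel(s.Severity), Text{s.Title + " detected"}, []Location{loc}})
		}
	}
	return &Sarif{"https://json.schemastore.org/sarif-2.1.0.json", "2.1.0", []Run{run}}, nil
}

// SampleTrivyJSON is a constructed report; the CVE ids are placeholders, not real advisories.
const SampleTrivyJSON = `{"SchemaVersion":2,"Results":[
 {"Target":"go.mod","Class":"lang-pkgs","Vulnerabilities":[
  {"VulnerabilityID":"CVE-0000-0001","PkgName":"example.com/lib","InstalledVersion":"1.0.0","FixedVersion":"1.0.1","Severity":"HIGH","Title":"placeholder high finding"},
  {"VulnerabilityID":"CVE-0000-0002","PkgName":"example.com/lib","InstalledVersion":"1.0.0","Severity":"MEDIUM","Title":"placeholder medium finding"}]},
 {"Target":".examples/code.js","Class":"secret","Secrets":[
  {"RuleID":"generic-api-key","Severity":"CRITICAL","Title":"Generic API Key","StartLine":3,"EndLine":3,"Match":"token = ****"}]}]}`
```

Marshalling the returned Sarif with encoding/json gives the document to hand to Codacy; the converter returns a value rather than writing a file, so the "SARIF or file output" decision can live in one place in the caller. Trivy can also emit SARIF itself when run with the sarif format, in which case this conversion is not needed at all.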

@machadoit (Contributor)

As a reference, the tool will automatically look for a trivy.yaml, which, if everything is enabled on Codacy and the sarif format is passed, should be something like:

format: sarif
severity:
  - LOW
  - MEDIUM
  - HIGH
  - CRITICAL

scan:
  scanners:
    - vuln
    - secret

@machadoit (Contributor)

Replaced by #47

@machadoit machadoit closed this Mar 31, 2025
@alerizzo alerizzo deleted the PLUTO-1361-trivy branch June 3, 2025 09:44

3 participants