feature: Add support for Trivy in codacy-cli-v2

.codacy/codacy.yaml

@@ -2,3 +2,4 @@ runtimes:
     - node@22.2.0
 tools:
     - eslint@9.3.0
+    - trivy@0.47.0

.examples/code.js

@@ -0,0 +1,7 @@
+import { tryInvoke } from '@ember/utils';
+
+class FooComponent extends Component {
+  foo() {
+    tryInvoke(this.args, 'bar', ['baz']);
+  }
+}

.examples/go.mod

@@ -0,0 +1,10 @@
+module trivy-example
+
+go 1.22.3
+
+require (
+	github.com/aquasecurity/trivy v0.49.1 // MEDIUM ERROR 
+	github.com/spf13/cobra v1.8.0
+    github.com/sirupsen/logrus v1.4.2    
+    github.com/dexidp/dex v0.0.0-20200121184102-3b39c6440888 // CRITICAL ERROR - CVE-2020-26160 - Insecure JWT implementation 
+)

.gitignore

@@ -23,4 +23,7 @@ go.work.sum
 
 .idea/
 
-cli-v2
+cli-v2
+
+# ESLint config
+eslint.config.mjs

README.md

@@ -4,15 +4,15 @@ This is a POC for what could be a new CLI for us. The idea is to rely on the nat
 
 ## Overview
 
-The `codacy-cli-v2` is a command-line tool for Codacy that supports analyzing code using ESLint and uploading the results in SARIF format to Codacy. It provides two main commands: `analyze` and `upload`.
+The `codacy-cli-v2` is a command-line tool for Codacy that supports analyzing code using ESLint, Trivy, and uploading the results in SARIF format to Codacy. It provides two main commands: `analyze` and `upload`.
 
 ### Commands
 
-- **`analyze` Command**: Runs ESLint analysis on the codebase.
+- **`analyze` Command**: Runs analysis tools on the codebase.
     - `--output, -o`: Output file for the results.
-    - `--tool, -t`: Specifies the tool to run analysis with (e.g., ESLint).
+    - `--tool, -t`: Specifies the tool to run analysis with (e.g., ESLint, Trivy).
     - `--format`: Output format (use 'sarif' for SARIF format to terminal).
-    - `--fix, -f`: Automatically fixes issues when possible.
+    - `--fix, -f`: Automatically fixes issues when possible (only applicable to certain tools).
     - `--new-pr`: Creates a new GitHub PR with fixed issues.
 
 - **`upload` Command With Project Token**: Uploads a SARIF file containing analysis results to Codacy.
@@ -30,14 +30,15 @@ The `codacy-cli-v2` is a command-line tool for Codacy that supports analyzing co
 
 ### Important Concepts
 
-- **`.codacy/codacy.yaml`**: Configuration file to specify `node` and `eslint` versions for the CLI.
+- **`.codacy/codacy.yaml`**: Configuration file to specify runtimes and tools versions for the CLI.
   ```yaml
   runtimes:
       - node@22.2.0
   tools:
       - eslint@9.3.0
+      - trivy@0.50.0
 
-- **`codacy-cli-v2 install`**: Command to install the specified node and eslint versions before running analysis.
+- **`codacy-cli-v2 install`**: Command to install the specified runtimes and tools before running analysis.
 
 ## Download
 
@@ -78,18 +79,32 @@ To run ESLint and output the results to the terminal:
 codacy-cli analyze --tool eslint
 ```
 
+To run Trivy vulnerability scanner:
+
+```bash
+codacy-cli analyze --tool trivy
+```
+
 To output results in SARIF format to the terminal:
 
 ```bash
 codacy-cli analyze --tool eslint --format sarif
 ```
 
+```bash
+codacy-cli analyze --tool trivy --format sarif
+```
+
 To store the results as SARIF in a file:
 
 ```bash
 codacy-cli analyze -t eslint -o eslint.sarif
 ```
 
+```bash
+codacy-cli analyze -t trivy -o trivy.sarif
+```
+
 ## Upload Results
 
 To upload a SARIF file to Codacy:

cmd/analyze.go

@@ -202,8 +202,10 @@ var analyzeCmd = &cobra.Command{
 		switch toolToAnalyze {
 		case "eslint":
 			// nothing
+		case "trivy":
+			// nothing
 		case "":
-			log.Fatal("You need to specify a tool to run analysis with, e.g., '--tool eslint'", toolToAnalyze)
+			log.Fatal("You need to specify a tool to run analysis with, e.g., '--tool eslint' or '--tool trivy'")
 		default:
 			log.Fatal("Trying to run unsupported tool: ", toolToAnalyze)
 		}
@@ -215,19 +217,30 @@ var analyzeCmd = &cobra.Command{
 			failIfThereArePendingChanges()
 		}
 
-		eslint := config.Config.Tools()["eslint"]
-		eslintInstallationDirectory := eslint.Info()["installDir"]
-		nodeRuntime := config.Config.Runtimes()["node"]
-		nodeBinary := nodeRuntime.Info()["node"]
-
 		log.Printf("Running %s...\n", toolToAnalyze)
 		if outputFile != "" {
 			log.Println("Output will be available at", outputFile)
 		} else if outputFormat == "sarif" {
 			log.Println("Output will be in SARIF format")
 		}
 
-		tools.RunEslint(workDirectory, eslintInstallationDirectory, nodeBinary, args, autoFix, outputFile, outputFormat)
+		switch toolToAnalyze {
+		case "eslint":
+			eslint := config.Config.Tools()["eslint"]
+			eslintInstallationDirectory := eslint.Info()["installDir"]
+			nodeRuntime := config.Config.Runtimes()["node"]
+			nodeBinary := nodeRuntime.Info()["node"]
+
+			tools.RunEslint(workDirectory, eslintInstallationDirectory, nodeBinary, args, autoFix, outputFile, outputFormat)
+		case "trivy":
+			trivy := config.Config.Tools()["trivy"]
+			trivyBinary := trivy.Info()["trivy"]
+
+			err := tools.RunTrivy(workDirectory, trivyBinary, args, outputFile, outputFormat)
+			if err != nil {
+				log.Printf("Error running Trivy: %v", err)
+			}
+		}
 
 		if doNewPr {
 			utils.CreatePr(false)

cmd/init.go

@@ -72,20 +72,23 @@ func createConfigurationFile(tools []tools.Tool) error {
 
 func configFileTemplate(tools []tools.Tool) string {
 
-	// Default version
+	// Default versions
 	eslintVersion := "9.3.0"
+	trivyVersion := "0.50.0" // Use the latest stable version
 
 	for _, tool := range tools {
 		if tool.Uuid == "f8b29663-2cb2-498d-b923-a10c6a8c05cd" {
 			eslintVersion = tool.Version
 		}
+		// If Codacy API provides UUID for Trivy, you would check it here
 	}
 
 	return fmt.Sprintf(`runtimes:
     - node@22.2.0
 tools:
     - eslint@%s
-`, eslintVersion)
+    - trivy@%s
+`, eslintVersion, trivyVersion)
 }
 
 func buildRepositoryConfigurationFiles(token string) error {

cmd/install.go

@@ -52,6 +52,12 @@ func fetchTools(config *cfg.ConfigType) {
 				fmt.Println(err.Error())
 				log.Fatal(err)
 			}
+		case "trivy":
+			err := cfg.InstallTrivy(tool)
+			if err != nil {
+				fmt.Println(err.Error())
+				log.Fatal(err)
+			}
 		default:
 			log.Fatal("Unknown tool:", tool.Name())
 		}

config/runtime.go

@@ -32,6 +32,8 @@ func (r *Runtime) populateInfo() {
 		r.info = genInfoNode(r)
 	case "eslint":
 		r.info = genInfoEslint(r)
+	case "trivy":
+		r.info = genInfoTrivy(r)
 	}
 }