codacy · zhamborova · May 6, 2025
diff --git a/.github/workflows/trivy-plugin-test.yml b/.github/workflows/trivy-plugin-test.yml
@@ -0,0 +1,45 @@
+name: Trivy Plugin Test
+
+permissions:
+  contents: write
+
+on:
+  push:
+    paths:
+      - 'plugins/tools/trivy/**'
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+          cache: true
+
+      - name: Build CLI
+        run: |
+          go build -o cli-v2 ./cli-v2.go
+          chmod +x cli-v2
+
+      - name: Run Trivy plugin tests
+        run: |
+          # Store the path to the CLI
+          CLI_PATH="$(pwd)/cli-v2"
+          # Change to test directory
+          cd plugins/tools/trivy/test
+          # Install the plugin
+          "$CLI_PATH" install
+          # Run analysis
+          "$CLI_PATH" analyze --tool trivy --format sarif --output actual.sarif
+          # Convert absolute paths to relative paths in the output
+          sed -i 's|file:///home/runner/work/codacy-cli-v2/codacy-cli-v2/|file:///|g' actual.sarif
+          # Compare with expected output
+          diff expected.sarif actual.sarif
+          # Clean up
+          rm actual.sarif 
diff --git a/plugins/tools/trivy/test/.codacy/codacy.yaml b/plugins/tools/trivy/test/.codacy/codacy.yaml
@@ -0,0 +1,3 @@
+runtimes:
+tools:
+    - trivy@0.59.1
diff --git a/plugins/tools/trivy/test/expected.sarif b/plugins/tools/trivy/test/expected.sarif
@@ -0,0 +1,24 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "fullName": "Trivy Vulnerability Scanner",
+          "informationUri": "https://github.com/aquasecurity/trivy",
+          "name": "Trivy",
+          "rules": [],
+          "version": "0.59.1"
+        }
+      },
+      "results": [],
+      "columnKind": "utf16CodeUnits",
+      "originalUriBaseIds": {
+        "ROOTPATH": {
+          "uri": "file:///plugins/tools/trivy/test/"
+        }
+      }
+    }
+  ]
+}
diff --git a/plugins/tools/trivy/test/src/Dockerfile b/plugins/tools/trivy/test/src/Dockerfile
@@ -0,0 +1,20 @@
+FROM node:12.0.0
+
+# Using an old version of npm that has known vulnerabilities
+RUN npm install -g npm@6.14.4
+
+# Copy application files
+WORKDIR /app
+COPY package*.json ./
+
+# Install dependencies with known vulnerabilities
+RUN npm install express@4.16.4
+
+# Copy source code
+COPY . .
+
+# Expose port
+EXPOSE 3000
+
+# Start the application
+CMD ["node", "app.js"] 
diff --git a/plugins/tools/trivy/test/src/package.json b/plugins/tools/trivy/test/src/package.json
@@ -0,0 +1,11 @@
+{
+  "name": "trivy-test-app",
+  "version": "1.0.0",
+  "description": "Test application for Trivy vulnerability scanning",
+  "main": "app.js",
+  "dependencies": {
+    "express": "4.16.4",
+    "lodash": "4.17.15",
+    "moment": "2.24.0"
+  }
+}