
feat: generate and upload trivy SBOM into codacy #200

Merged
franciscoovazevedo merged 2 commits into main from upload-trivy-sbom on Apr 8, 2026

Conversation

@franciscoovazevedo
Contributor

No description provided.

Copilot AI review requested due to automatic review settings April 7, 2026 16:11
@codacy-production

codacy-production bot commented Apr 7, 2026

Not up to standards ⛔

🔴 Issues: 2 medium · 1 minor

Alerts:
⚠ 2 issues (≤ 1 issue of at least medium severity)

Results:
3 new issues

| Category      | Results  |
|---------------|----------|
| Documentation | 1 minor  |
| Complexity    | 2 medium |

🟢 Metrics: 73 complexity · 7 duplication

| Metric      | Results |
|-------------|---------|
| Complexity  | 73      |
| Duplication | 7       |

🟢 Coverage: 82.05% diff coverage · +1.90% coverage variation

| Metric             | Results                            |
|--------------------|------------------------------------|
| Coverage variation | +1.90% coverage variation (-0.50%) |
| Diff coverage      | 82.05% diff coverage (50.00%)      |

Coverage variation details

| Commit                           | Coverable lines | Covered lines | Coverage        |
|----------------------------------|-----------------|---------------|-----------------|
| Common ancestor commit (9b6cc83) | 5997            | 1310          | 21.84%          |
| Head commit (36cd083)            | 6191 (+194)     | 1470 (+160)   | 23.74% (+1.90%) |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

| Pull request        | Coverable lines | Covered lines | Diff coverage |
|---------------------|-----------------|---------------|---------------|
| Pull request (#200) | 195             | 160           | 82.05%        |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.



Contributor

Copilot AI left a comment


Pull request overview

Adds a new CLI command to generate (via Trivy) and upload an SPDX JSON SBOM to Codacy, reusing .codacy/cli-config.yaml metadata when available.

Changes:

  • Extend .codacy/cli-config.yaml parsing to include provider/org/repository and expose a GetCliConfig() accessor.
  • Add upload-sbom command to generate/read an SBOM and upload it to Codacy’s image SBOM endpoint.
  • Add unit tests for image ref parsing and SBOM upload behaviors; skip codacy.yaml validation for upload-sbom.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

| File                    | Description                                                                                   |
|-------------------------|-----------------------------------------------------------------------------------------------|
| config/config.go        | Extends CLI config model and adds GetCliConfig() for full YAML parsing.                        |
| cmd/validation.go       | Skips codacy.yaml validation for the new upload-sbom command.                                  |
| cmd/upload_sbom.go      | Implements SBOM generation (Trivy) and multipart upload to Codacy.                             |
| cmd/upload_sbom_test.go | Adds tests for parsing and SBOM upload flow (but currently includes an external network call). |

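The upload flow the review above describes (an SPDX JSON SBOM produced by Trivy, sent to Codacy as a multipart upload keyed by the provider/org/repository read from .codacy/cli-config.yaml), as an added Go example that is not the project's own code: it checks that the input really is SPDX JSON before posting, and because the base URL is a parameter it can be exercised against an httptest server rather than the external network call the review flags in cmd/upload_sbom_test.go. The URL layout, the form field name "sbom" and the SBOMTarget field names are assumptions for this example, not Codacy's documented API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"mime/multipart"
	"net/http"
)

// SBOMTarget holds the provider/org/repository that the PR reads from
// .codacy/cli-config.yaml; the field names are assumptions for this example.
type SBOMTarget struct{ Provider, Organization, Repository string }

// ValidateSPDX rejects anything that is not a JSON object carrying spdxVersion,
// so a failed Trivy run or a stray file is caught before it is uploaded.
func ValidateSPDX(sbom []byte) error {
	var doc struct{ SPDXVersion string `json:"spdxVersion"` }
	if err := json.Unmarshal(sbom, &doc); err != nil || doc.SPDXVersion == "" {
		return fmt.Errorf("not an SPDX JSON document (parse error: %v, spdxVersion: %q)", err, doc.SPDXVersion)
	}
	return nil
}

// UploadSBOM posts the document as multipart form file "sbom" to base and returns
// the HTTP status. The URL layout is a placeholder, not Codacy's documented API.
func UploadSBOM(base string, t SBOMTarget, sbom []byte) (int, error) {
	if err := ValidateSPDX(sbom); err != nil {
		return 0, err
	}
	var body bytes.Buffer
	w := multipart.NewWriter(&body)
	part, err := w.CreateFormFile("sbom", "sbom.spdx.json")
	if err == nil {
		_, err = part.Write(sbom)
	}
	if err == nil {
		err = w.Close() // emits the closing boundary; required before sending
	}
	if err != nil {
		return 0, err
	}
	url := fmt.Sprintf("%s/sbom/%s/%s/%s", base, t.Provider, t.Organization, t.Repository)
	resp, err := http.Post(url, w.FormDataContentType(), &body)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

Pointing base at an httptest.Server in the unit test keeps the multipart framing and path construction covered without any call leaving the test process.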

Copilot AI review requested due to automatic review settings April 8, 2026 09:20
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

config/config.go:447

  • There are multiple trailing blank lines at the end of the file. Consider removing the extra newlines to keep the file clean (and avoid noisy diffs if/when gofmt is applied).


Copilot AI review requested due to automatic review settings April 8, 2026 09:44
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.



@franciscoovazevedo franciscoovazevedo merged commit 301c53e into main Apr 8, 2026
9 of 10 checks passed
@franciscoovazevedo franciscoovazevedo deleted the upload-trivy-sbom branch April 8, 2026 10:11
