feat: switch to resource results (#27)

Author: owenrumney

.github/workflows/lint.yml

@@ -19,6 +19,14 @@ jobs:
         with:
           go-version-file: go.mod
 
+      - name: Check formatting
+        run: |
+          make format
+          if ! git diff --exit-code; then
+            echo "Files are not formatted correctly. Run 'make format' locally and commit changes."
+            exit 1
+          fi
+
       - uses: golangci/golangci-lint-action@v6
         with:
           version: v1.64.2

.github/workflows/test.yml

@@ -0,0 +1,22 @@
+name: Test
+
+on:
+  pull_request:
+    paths:
+      - '**/*.go'
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  golangci:
+    name: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - run: make test

Makefile

@@ -57,18 +57,18 @@ install-plugin: add-plugin-manifest
 	go build -ldflags "-s -w -X github.com/aquasecurity/trivy-mcp/pkg/version.TrivyVersion=$${trivy_version}" -o ~/.trivy/plugins/mcp/trivy-mcp ./cmd/trivy-mcp/main.go;
 	@echo "Plugin installed successfully."
 
-# Install plugin with Aqua support
-.PHONY: install-plugin-aqua
-install-plugin-aqua:
-	$(MAKE) install-plugin BUILDTAGS=aqua
-
 .PHONY: run
 run:
 	@trivy_version=$$(cat go.mod | grep 'github.com/aquasecurity/trivy v' | awk '{ print $$2}') ;\
 	echo Current trivy version: $$trivy_version ;\
 	go build  -ldflags "-s -w -X github.com/aquasecurity/trivy-mcp/pkg/version.TrivyVersion=$${trivy_version}" -o trivy-mcp ./cmd/trivy-mcp/main.go;
 	@./trivy-mcp help
 
+.PHONY: format
+format:
+	@echo "Running gofmt..."
+	@gofmt -w -s -d .  
+
 .PHONY: lint
 lint:
 	@which golangci-lint || go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.2

pkg/tools/scan/scan.go

@@ -2,7 +2,6 @@ package scan
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
@@ -15,7 +14,6 @@ import (
 	"github.com/aquasecurity/trivy-mcp/pkg/flag"
 	"github.com/aquasecurity/trivy/pkg/commands"
 	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/mark3labs/mcp-go/mcp"
 
 	_ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
@@ -33,7 +31,7 @@ func NewScanTools(opts flag.Options, trivyTempDir string) *ScanTools {
 		trivyBinary:     opts.TrivyBinary,
 		debug:           opts.Debug,
 		useAquaPlatform: opts.UseAquaPlatform,
-		trivyTempDir:    filepath.Join(os.TempDir(), "trivy"),
+		trivyTempDir:    trivyTempDir,
 	}
 }
 
@@ -162,54 +160,30 @@ func (t *ScanTools) ScanWithTrivyHandler(ctx context.Context, request mcp.CallTo
 		return result, nil
 	}
 
-	f, err := os.Open(resultsFilePath)
-	if err != nil {
-		logger.Error("Failed to open scan results file", log.Err(err))
-		return nil, errors.New("failed to open scan results file")
-	}
-
 	defer func() {
-		if err := f.Close(); err != nil {
-			logger.Error("Failed to close scan results file", log.Err(err))
-		}
 		if err := os.Remove(resultsFilePath); err != nil {
-			logger.Error("Failed to remove scan results file", log.Err(err))
+			logger.Error("Failed to remove results file", log.Err(err))
 		}
-		logger.Debug("Scan results file removed", log.String("file", resultsFilePath))
 	}()
 
-	var r types.Report
-	if err = json.NewDecoder(f).Decode(&r); err != nil {
-		logger.Error("Failed to decode scan results", log.Err(err))
-		return nil, fmt.Errorf("failed to decode scan results: %w", err)
-	}
-
-	var totalCount int
-	for _, result := range r.Results {
-		totalCount += len(result.Vulnerabilities) + len(result.Misconfigurations) + len(result.Licenses) + len(result.Secrets)
-	}
-
-	if totalCount == 0 {
-		return mcp.NewToolResultText("No vulnerabilities found\n"), nil
-	}
-
-	var output string
-
-	// 100 is an arbitrary number, but it seems to be a good threshold for the amount of data to display
-	// we can tune this, but we need to be careful about the context window size and not overloading the results
-	if totalCount > 100 {
-		output, err = executeTemplate(summaryTemplate, r.Results)
-	} else {
-		output, err = executeTemplate(resultTemplate, r.Results)
-	}
+	content, err := os.ReadFile(resultsFilePath)
 	if err != nil {
-		logger.Error("Failed to format results", log.Err(err))
-		return nil, fmt.Errorf("failed to format results: %w", err)
+		logger.Error("Failed to read scan results file", log.Err(err))
+		return nil, errors.New("failed to read scan results file")
 	}
 
-	return mcp.NewToolResultText(output), nil
+	return mcp.NewToolResultResource(
+		"The embedded resource is a human readable JSON format and found at the filepath that can be further processed.",
+		mcp.TextResourceContents{
+			URI:  resultsFilePath,
+			Text: string(content),
+		},
+	), nil
 }
 
+// processSBOMResult processes the SBOM result and returns a tool result
+// we don't clean up the results file here because we want to keep it to be available for the LLM to provide a link
+// when the MCP server is closed, the trivy mcp cache should be cleaned up
 func (*ScanTools) processSBOMResult(resultsFilePath string, logger *log.Logger, filename string) (*mcp.CallToolResult, error) {
 	log.Debug("Scan results file", log.String("file", resultsFilePath))
 

pkg/tools/scan/scan_args.go

@@ -23,7 +23,7 @@ var (
 	availableSeverities = []string{"CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"}
 	defaultSeverity     = "CRITICAL"
 
-	availableOutputFormats = []string{"json", "table", "template", "cyclonedx", "spdx", "spdx-json"}
+	availableOutputFormats = []string{"json", "cyclonedx", "spdx", "spdx-json"}
 	defaultOutputFormat    = "json"
 )
 
@@ -59,7 +59,9 @@ var severityArray = mcp.WithArray("severities",
 
 var outputFormatString = mcp.WithString("outputFormat",
 	mcp.Required(),
-	mcp.Description("The format of the output. When generating an SBOM report you can use either cyclonedx or spdx. For sbom, prefer cyclonedx. If the user requests spdx, use spdx rather than spdx-json."),
+	mcp.Description(`The format of the output which should normally be json. \n
+	When generating an SBOM report you can use either cyclonedx or spdx. For sbom, prefer cyclonedx. \n
+	If the user requests spdx, use spdx rather than spdx-json.`),
 	mcp.Enum(availableOutputFormats...),
 	mcp.DefaultString(defaultOutputFormat),
 )

pkg/tools/scan/templates.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/aquasecurity/trivy-mcp/pkg/flag"
+	"github.com/aquasecurity/trivy-mcp/pkg/version"
 	"github.com/mark3labs/mcp-go/mcp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -19,7 +20,7 @@ func TestVersionHandler(t *testing.T) {
 		{
 			name:        "Trivy Binary Not Specified",
 			trivyBinary: "",
-			expected:    "v0.62.0",
+			expected:    version.TrivyVersion,
 		},
 	}