implement trivy scan (#98)

.github/workflows/build-dev.yaml

@@ -5,7 +5,6 @@ on:
 
   pull_request:
 
-
 jobs:
   build-container:
     runs-on: ubuntu-latest
@@ -19,8 +18,17 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: '^1.17'
+          go-version: "^1.17"
 
       - name: Test build
-        run: make test build
+        run: make manifests generate fmt vet build
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.6.2
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "table"
+          exit-code: "1"
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"

.github/workflows/trivy-scan.yaml

@@ -0,0 +1,34 @@
+name: Trivy Scan
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "17 17 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read
+      security-events: write
+    name: Scan
+    runs-on: "ubuntu-18.04"
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.6.2
+        with:
+          image-ref: "ghcr.io/${{ github.repository }}/controller:latest"
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"