ci: add trivy image scan workflow (#1579)

Signed-off-by: Anish Ramasekar <[email protected]>

Author: aramase

.github/workflows/scan-vulns.yaml

@@ -28,3 +28,52 @@ jobs:
           go-version: "1.23"
           check-latest: true
       - uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # v1.0.2
+
+  scan_vulnerabilities:
+    name: "[Trivy] Scan for vulnerabilities"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Download trivy
+        run: |
+          pushd $(mktemp -d)
+          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          echo "$(pwd)" >> $GITHUB_PATH
+        env:
+          TRIVY_VERSION: "0.57.0"
+
+      - name: Download trivy db
+        run: |
+          trivy image \
+            --download-db-only \
+            --db-repository=ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db,docker.io/aquasec/trivy-db
+
+      - name: Run trivy on git repository
+        run: |
+          trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
+
+      - name: Build docker images
+        run: |
+          make docker-build
+        env:
+          REGISTRY: e2e
+          IMAGE_VERSION: test
+          ALL_LINUX_ARCH: amd64 # build amd64 only to speed up PR gate
+          OUTPUT_TYPE: type=docker
+
+      - name: Run trivy on images
+        run: |
+          exit_code=0
+          for img in "e2e/proxy:test" "e2e/proxy-init:test" "e2e/webhook:test"; do
+              trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL --ignore-unfixed --pkg-types="os,library" "${img}" || exit_code=1
+          done
+          exit $exit_code

.pipelines/nightly.yaml

@@ -13,12 +13,6 @@ schedules:
 pool: staging-pool-amd64-mariner-2
 
 jobs:
-  - job: scan_images
-    timeoutInMinutes: 30
-    workspace:
-      clean: all
-    steps:
-      - template: templates/scan-images.yaml
   - job: verify_deployment_yaml
     timeoutInMinutes: 30
     workspace:
@@ -62,7 +56,6 @@ jobs:
   - job:
     timeoutInMinutes: 60
     dependsOn:
-      - scan_images
       - verify_deployment_yaml
     workspace:
       clean: all
@@ -97,7 +90,6 @@ jobs:
   - template: templates/upgrade.yaml
     parameters:
       dependsOn:
-        - scan_images
         - verify_deployment_yaml
       matrix:
         upgrade_aks_windows:
@@ -112,7 +104,6 @@ jobs:
       - ImageOverride -equals azcu-agent-amd64-mariner-2-cgv2-img
     timeoutInMinutes: 60
     dependsOn:
-      - scan_images
       - verify_deployment_yaml
     workspace:
       clean: all

.pipelines/pr.yaml

@@ -18,12 +18,6 @@ pr:
 pool: staging-pool-amd64-mariner-2
 
 jobs:
-  - job: scan_images
-    timeoutInMinutes: 30
-    workspace:
-      clean: all
-    steps:
-      - template: templates/scan-images.yaml
   - job: lint
     timeoutInMinutes: 30
     workspace:
@@ -65,7 +59,6 @@ jobs:
     timeoutInMinutes: 60
     dependsOn:
     - lint
-    - scan_images
     - shellcheck
     workspace:
       clean: all
@@ -112,7 +105,6 @@ jobs:
       - ImageOverride -equals azcu-agent-amd64-mariner-2-cgv2-img
     dependsOn:
     - lint
-    - scan_images
     - shellcheck
     workspace:
       clean: all