feat: add trivy image with pre-downloaded db

Signed-off-by: Jesse Suen <jesse@akuity.io>

Author: jessesuen

.github/workflows/release-trivy.yaml

@@ -0,0 +1,41 @@
+name: Release Trivy
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Image tag (e.g. 1.2.3)"
+        required: true
+        type: string
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: docker/trivy
+          platforms: linux/amd64,linux/arm64
+          push: true
+          build-args: |
+            TRIVY_VERSION=${{ inputs.tag }}
+          tags: ghcr.io/${{ github.repository_owner }}/trivy:${{ inputs.tag }}

docker/trivy/Dockerfile

@@ -0,0 +1,5 @@
+ARG TRIVY_VERSION=latest
+FROM aquasec/trivy:${TRIVY_VERSION}
+
+# Download the vulnerability DB at build time
+RUN trivy image --download-db-only

docker/trivy/README.md

@@ -0,0 +1,4 @@
+# Trivy Image
+
+This is a trivy image with the database pre-downloaded, in order to avoid downloading the
+database every time a custom executes.

kargo/custom-steps/trivy-image/trivy-image.yaml

@@ -3,12 +3,13 @@ kind: CustomPromotionStep
 metadata:
   name: trivy-image
 spec:
-  image: aquasec/trivy:0.69.3
+  image: ghcr.io/jessesuen/trivy:0.69.3
   command:
   - trivy
   - image
   - --exit-code=1
   - --severity=CRITICAL
   - --disable-telemetry
+  - --skip-db-update
   - --scanners=vuln
   - ${{ config.image }}