Add trivy action (#8)

* Add trivy.yml
* Setup trivy jobs for workflows
* Update Alpine to 3.12.0
 
Signed-off-by: Prakhar Gurunani <[email protected]>

Author: FirePing32

.github/workflows/build.yml

@@ -48,4 +48,18 @@ jobs:
         run: |
           make buildx.image
           make buildx.push
-
+        
+  trivy:
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'openebs/linux-utils:ci'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'

.github/workflows/pull_request.yml

@@ -36,5 +36,14 @@ jobs:
 
       - name: Build Image
         env:
-          IMG_RESULT: cache
+          IMG_RESULT: load
         run: make buildx.image
+        
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'openebs/linux-utils:ci'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'

.github/workflows/release.yml

@@ -46,3 +46,23 @@ jobs:
         run: |
           make buildx.image
           make buildx.push
+
+  trivy:
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        
+      - name: Set Tag
+        run: |
+          echo "::set-env name=TAG::${GITHUB_REF#refs/*/v}"
+          echo "::set-env name=RELEASE_TAG::${TAG}"
+        
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: openebs/linux-utils:${{ env.RELEASE_TAG }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.10.3
+FROM alpine:3.12.0
 RUN apk add --no-cache util-linux
 
 ARG DBUILD_DATE