DPSTAT-1397 updating build for trivy

[salma-tfb]

This change is 

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[skykanin]

It would be nice to fail the build if we find high or critical vulnerabilities using an action like the one below. Therefore all trivy related actions should run before we deploy the JAR to our google artifact registry and the deploy step must only be run if no high or critical vulnerabilities are found.

- name: Fail build on High/Criticial Vulnerabilities
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: "fs"
    format: table
    scan-ref: .
    severity: HIGH,CRITICAL
    ignore-unfixed: true
    exit-code: 1
    # On a subsequent call to the action we know trivy is already installed so can skip this
    skip-setup-trivy: true

[skykanin]

@skykanin made 1 comment.
Reviewable status: 0 of 1 files reviewed, 1 unresolved discussion (waiting on @salma-tfb).

---

.github/workflows/build.yml line 29 at r2 (raw file):

      - name: Build with Maven
        run: mvn --batch-mode -P ssb-bip package

We should rename this maven profile to ssb-gar (for google artifact registry) as the BIP platform no longer exists.

[skykanin]

@skykanin reviewed 2 files and all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @salma-tfb).

[skykanin]

@skykanin resolved 1 discussion.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @salma-tfb).