Create trivy.yml GitHub action workflow for Trivy scan

[cruizen]

No description provided.

[cruizen]

@Sanket36 This action fails because it is unable to download the base image from artifactory

ERROR: failed to solve: DeadlineExceeded: DeadlineExceeded: DeadlineExceeded: artifactory.platform9.horse/docker-local/pf9-py39-baseimg-alpine:stable: failed to do request: Head "https://artifactory.platform9.horse/v2/docker-local/pf9-py39-baseimg-alpine/manifests/stable": dial tcp 52.27.199.157:443: i/o timeout
Error: Process completed with exit code 1.

[cruizen]

Since the artifactory images are on pf9 VPN, we have to hold the Trivy GitHub actions for repositories (Docker images) that use pf9-py39-base-image or pf9-py39-build-image as base image - unless we can make the images in artifactory public! (or even move them to qyay.io?)

[cruizen]

Since the artifactory images are on pf9 VPN, we have to hold the Trivy GitHub actions for repositories (Docker images) that use pf9-py39-base-image or pf9-py39-build-image as base image - unless we can make the images in artifactory public! (or even move them to qyay.io?)

cc: @hsri-pf9

[hsri-pf9]

We have two options either we can skip trivy scans for repos that use pf9 artifactory images or make it public. There is already present trivy scan in the main

vouch/.github/workflows/security-scan.yml

Line 88 in c260919

trivy_scan:

this always runs trivy fs on the filesystem so it does not depend on building/pulling the base Docker image. But if we want to add image scan job like this PR then we will hit VPN problem and either have to skip or make the image public