PrefectHQ / prefect

Prefect is a workflow orchestration framework for building resilient data pipelines in Python.
https://prefect.io
Apache License 2.0

Add container image scanning to build workflow #8393

Open jawnsy opened 1 year ago

jawnsy commented 1 year ago

First check

Description

To help the security team monitor risks in the images we publish, we should add a step to our build pipeline that scans images and uploads results to CodeQL. We use Trivy to do this elsewhere.

I can take this on, but require some help identifying a tag we can use (we need a single image tag generated during the build that we can pass to trivy, but there are a number of conditionals in docker-builds.yaml so I'm unclear which tag to use).

I believe this requires a few things:

  1. Add load: true to build-push-action, to load the image from BuildKit into the system docker
  2. Scan the image using the trivy action (ask me on Slack and I can share an example)
  3. Configure the workflow with the security-events: write permission, required for CodeQL
  4. Upload results to CodeQL
  5. We may want to consider adding a schedule job so that the image build runs weekly, even if there is no merge activity to the repository for some reason (given our development velocity in this repository, this is likely unnecessary)

Impact

We'll have container scan reports uploaded to our Security tab in our GitHub repository. Our security team monitors the vulnerabilities listed there to triage them.

Additional context

No response
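The five steps listed in the issue, as a single GitHub Actions workflow. This is an added example, not a file from the Prefect repository or from the issue author: the image name `prefect-scan`, the Dockerfile location, the cron schedule and the job/step names are assumptions, and the action references (`docker/build-push-action`, `aquasecurity/trivy-action`, `github/codeql-action/upload-sarif`) and their inputs are the documented ones for those actions. The image is built with `load: true` so the scanner sees the exact bytes produced by BuildKit, and it is tagged with the commit SHA so the scan step has one deterministic tag to pass to Trivy regardless of which release/dev tags the real publish job computes later.

```yaml
# Added example: container image scanning job for the build workflow.
# Assumptions (not taken from the repository): image name "prefect-scan",
# Dockerfile at the repository root, weekly Monday 06:00 UTC schedule.
name: Scan container image

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    # Step 5: run weekly even when there is no merge activity, so newly
    # published CVEs in the base image still surface in the Security tab.
    - cron: "0 6 * * 1"

# Step 3: upload-sarif needs security-events: write to create code-scanning
# alerts. Keep everything else read-only (least privilege for the token).
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # One deterministic tag produced by this build; the SHA is always
      # available, unlike release tags that depend on the trigger.
      IMAGE_REF: prefect-scan:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Step 1: load: true exports the BuildKit result into the host Docker
      # daemon so Trivy can read it by tag. load only works for a single
      # platform, so this job scans linux/amd64; a matrix over base image
      # variants would set build-args here and reuse the same steps.
      - name: Build image for scanning
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.IMAGE_REF }}

      # Step 2: scan the loaded image and write SARIF. exit-code stays 0 so
      # findings are reported through code scanning rather than failing CI;
      # set exit-code: "1" with severity: CRITICAL to make the job gate.
      # Pin trivy-action to a release tag or commit SHA in a real workflow.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE_REF }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "0"

      # Step 4: upload to code scanning (the "Security" tab). The category
      # keeps Trivy results separate from any CodeQL analysis of the source.
      # if: always() ensures partial results are uploaded even if the scan
      # step reports findings with a non-zero exit code.
      - name: Upload Trivy results to GitHub code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy-container-image
```

Because the scan runs on a locally loaded image rather than a registry tag, it does not depend on the publish step having already pushed anything, and the same job can run on pull requests where nothing is published. When the real workflow builds several base image variants, the scan and upload steps are identical per variant; only the `IMAGE_REF` tag and the `category` value need to differ so that each variant's alerts are tracked independently in the Security tab.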

zanieb commented 1 year ago

Sweet, thanks for the excellent ticket. There are two different base image types, we'll probably want scanning for both. Do we only want to scan releases or should we scan development images too?

For releases, we can do the following tags:

This would only cover Python 3.10, but I presume their images are consistent across Python versions.

For development, we aren't publishing a latest tag so we could use the SHA for the Python 3.10 images but I'm down to just enable a latest tag and do: