ci: Adding Trivy

[sscheib]

SUMMARY

ISSUE TYPE

• Bugfix Pull Request
• Continuous Integration (CI) Pull Request
• Docs Pull Request
• Feature Pull Request
• Test Pull Request

ADDITIONAL INFORMATION

[github-actions[bot]]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	692973e3d937129bcbf40652eb9f2f61becf3332	:green_circle: 7.2	Details Check Score Reason Code-Review :green_circle: 10 all changesets reviewed Maintained :green_circle: 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Fuzzing :warning: 0 project is not fuzzed Signed-Releases :warning: -1 no releases found Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy :green_circle: 9 security policy file detected Pinned-Dependencies :warning: 4 dependency not pinned by hash detected -- score normalized to 4 Packaging :green_circle: 10 packaging workflow detected SAST :green_circle: 10 SAST tool is run on all commits Vulnerabilities :green_circle: 9 1 existing vulnerabilities detected
actions/actions/upload-artifact	834a144ee995460fba8ed112a2fc961b36a5ec5a	:green_circle: 6.7	Details Check Score Reason Code-Review :green_circle: 9 Found 10/11 approved changesets -- score normalized to 9 Maintained :green_circle: 6 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Signed-Releases :warning: -1 no releases found Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Packaging :warning: -1 packaging workflow not detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies :warning: 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing :warning: 0 project is not fuzzed Security-Policy :green_circle: 9 security policy file detected SAST :green_circle: 9 SAST tool detected but not run on all commits Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected
actions/aquasecurity/trivy-action	6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8	:warning: 5.7	Details Check Score Reason Maintained :green_circle: 10 6 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Code-Review :green_circle: 8 Found 26/30 approved changesets -- score normalized to 8 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Packaging :warning: -1 packaging workflow not detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected Signed-Releases :warning: -1 no releases found Fuzzing :warning: 0 project is not fuzzed Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy :warning: 0 security policy file not detected SAST :warning: 0 SAST tool is not run on all commits -- score normalized to 0
actions/github/codeql-action/upload-sarif	eb055d739abdc2e8de2e5f4ba1a8b246daa779aa	Unknown	Unknown
actions/step-security/harden-runner	5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde	:green_circle: 8.8	Details Check Score Reason Binary-Artifacts :green_circle: 10 no binaries found in the repo Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests :green_circle: 10 14 out of 14 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected Code-Review :green_circle: 10 all changesets reviewed Contributors :green_circle: 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Dependency-Update-Tool :green_circle: 10 update tool detected Fuzzing :warning: 0 project is not fuzzed License :green_circle: 10 license file detected Maintained :green_circle: 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Packaging :warning: -1 packaging workflow not detected Pinned-Dependencies :green_circle: 7 dependency not pinned by hash detected -- score normalized to 7 SAST :green_circle: 9 SAST tool detected but not run on all commits Security-Policy :green_circle: 10 security policy file detected Signed-Releases :warning: -1 no releases found Token-Permissions :green_circle: 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/trivy.yml

• actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
• actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
• aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
• github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa
• step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde

[github-advanced-security[bot]]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.