feat: Add Trivy scans to images (trustyai-explainability#346)

* feat: Add Trivy scans to images

* Fix format and action name

* Revert to table format

* fix: Reuse built container for scans

* fix: Fix typo

Author: ruivieira

.github/workflows/build-and-push.yaml

@@ -23,6 +23,9 @@ jobs:
   # Ensure that tests pass before publishing a new image.
   build-and-push-ci:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps: # Assign context variable for various action contexts (tag, main, CI)
       - name: Assigning CI context
         if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v')
@@ -169,3 +172,19 @@ jobs:
                   sourcePath: ''
                   uri: https://api.github.com/repos/trustyai-explainability/trustyai-service-operator-ci/tarball/operator-${{ env.TAG }}
             ```
+      - name: Trivy scan
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}"
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          exit-code: '0'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+
+      - name: Update Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'