add trivy image vuln scanning to release workflow and on cron job (Az…

…ure#157)

.github/workflows/release.yaml

@@ -67,3 +67,13 @@ jobs:
           TAG="${{ secrets.AZURE_REGISTRY_SERVER }}/public/aks/aks-app-routing-operator:$VERSION"
           az acr login -n ${{ secrets.AZURE_REGISTRY_SERVER }}
           docker buildx build --platform "amd64,arm64" --tag "${TAG}" --output type=registry .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          image-ref: '${{ secrets.AZURE_REGISTRY_SERVER }}/aks/aks-app-routing-operator:${{ inputs.version }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH,MEDIUM'

.github/workflows/trivy.yml

@@ -0,0 +1,30 @@
+name: Trivy Container Image Vulnerability Scan
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *' # daily
+
+permissions:
+    contents: read
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+      - name: Get latest release
+        id: changelog
+        uses: mindsers/changelog-reader-action@b97ce03a10d9bdbb07beb491c76a5a01d78cd3ef # v2.2.2
+        with:
+          validation_level: warn
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          image-ref: '${{ secrets.AZURE_REGISTRY_SERVER }}/aks/aks-app-routing-operator:${{ steps.changelog.outputs.version }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH,MEDIUM'