trivy security analysis #397

	---
	# Separate action to allow us to initiate occasionally and manually
	name: trivy security analysis

	on:
	push:
	branches: [main]
	schedule:
	- cron: 44 13 * * 4
	workflow_dispatch:
	inputs:
	ref:
	description: Branch, tag, or commit SHA to run against
	required: false
	default: main

	jobs:
	trivy:
	name: Run Trivy against OSS container
	runs-on: ubuntu-18.04
	steps:
	- name: Checkout code
	uses: actions/checkout@v3
	with:
	ref: ${{ github.event.inputs.ref \|\| 'main' }}

	- name: Build an image from Dockerfile
	run: \|
	make image-artifacts -e VERSION=0.0.0 -e BLD_NUM=999 -e OSS=true
	tools/build-container-from-archive.sh dist/couchbase-observability-stack-image_0.0.0-999.tgz

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: couchbase/observability-stack:0.0.0-999
	format: template
	template: '@/contrib/sarif.tpl'
	output: trivy-results.sarif
	severity: CRITICAL,HIGH

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v1
	with:
	sarif_file: trivy-results.sarif

Provide feedback