CI: Add Trivy GitHub Action (grafana#88987)

* CI: Add Trivy GitHub Action

Signed-off-by: Dave Henderson <[email protected]>

* Remove obsolete Snyk workflow

Signed-off-by: Dave Henderson <[email protected]>

---------

Signed-off-by: Dave Henderson <[email protected]>

Author: hairyhenderson

.github/CODEOWNERS

@@ -241,6 +241,7 @@
 /Makefile @grafana/grafana-release-guild
 /scripts/build/ @grafana/grafana-release-guild
 /scripts/list-release-artifacts.sh @grafana/grafana-release-guild
+/.trivyignore @grafana/grafana-backend-services-squad
 
 # OSS Plugin Partnerships backend code
 /pkg/tsdb/cloudwatch/ @grafana/aws-datasources
@@ -686,7 +687,6 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/stale.yml @grafana/grafana-release-guild
 /.github/workflows/update-changelog.yml @grafana/grafana-release-guild
 /.github/workflows/update-make-docs.yml @grafana/docs-tooling
-/.github/workflows/snyk.yml @grafana/security-team
 /.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-cat
 /.github/workflows/publish-kinds-next.yml @grafana/platform-cat
 /.github/workflows/publish-kinds-release.yml @grafana/platform-cat
@@ -701,6 +701,7 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/pr-go-workspace-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/run-scenes-e2e.yml @grafana/dashboards-squad
 /.github/workflows/go_lint.yml @grafana/grafana-backend-services-squad
+/.github/workflows/trivy-scan.yml @grafana/grafana-backend-services-squad
 
 # Generated files not requiring owner approval
 /packages/grafana-data/src/types/featureToggles.gen.ts @grafanabot

.github/workflows/snyk.yml

@@ -0,0 +1,47 @@
+name: Trivy Scan
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run Trivy vulnerability scanner (table output)
+      uses: aquasecurity/[email protected]
+      with:
+        # scan the filesystem, rather than building a Docker image prior - the
+        # downside is we won't catch dependencies that are only installed in the
+        # image, but the upside is we'll only catch vulnerabilities that are
+        # explicitly in the our dependencies
+        scan-type: 'fs'
+        scanners: 'vuln'
+        format: 'table'
+        exit-code: 1
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+        trivyignores: .trivyignore
+    - name: Run Trivy vulnerability scanner (SARIF)
+      uses: aquasecurity/[email protected]
+      with:
+        scan-type: 'fs'
+        scanners: 'vuln'
+        # Note: The SARIF format ignores severity and uploads all vulns for
+        # later triage. The table-format step above is used to fail the build
+        # if there are any critical or high vulnerabilities.
+        # See https://github.com/aquasecurity/trivy-action/issues/95
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        trivyignores: .trivyignore
+      if: always() && github.repository == 'grafana/grafana'
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'
+      if: always() && github.repository == 'grafana/grafana'

.github/workflows/trivy-scan.yml

@@ -0,0 +1 @@
+# See https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignore