Add a GitHub Workflow for the Trivy security scanner (gravitational#2…

…3084)

* Add a GitHub Workflow for the Trivy security scanner

* Add initial ignore statements for Trivy

This accepts all the current latent findings in the repository, while still
enabling Trivy to flag new findings.

.github/workflows/trivy.yaml

@@ -0,0 +1,17 @@
+name: Trivy
+
+on:
+  push:
+    branches:
+      - master
+      - branch/*
+  pull_request:
+  merge_group:
+
+jobs:
+  trivy:
+    uses: gravitational/shared-workflows/.github/workflows/trivy.yaml@main
+    permissions:
+      actions: read
+      contents: read
+      security-events: write

.trivyignore

@@ -0,0 +1,23 @@
+# Dockerfiles and Kubernetes YAMLs don't support inline ignores with Trivy, so
+# we have to set a global ignore for these for now.
+AVD-DS-0002
+AVD-KSV-0109
+AVD-KSV-0110
+DS001
+DS013
+DS026
+KSV001
+KSV003
+KSV009
+KSV011
+KSV012
+KSV013
+KSV014
+KSV015
+KSV016
+KSV018
+KSV020
+KSV021
+KSV030
+KSV047
+KSV106

assets/loadtest/cluster/main.tf

@@ -14,6 +14,12 @@ data "google_compute_network" "default" {
 }
 
 
+#trivy:ignore:AVD-GCP-0047
+#trivy:ignore:AVD-GCP-0049
+#trivy:ignore:AVD-GCP-0051
+#trivy:ignore:AVD-GCP-0056
+#trivy:ignore:AVD-GCP-0059
+#trivy:ignore:AVD-GCP-0061
 resource "google_container_cluster" "loadtest" {
   name     = var.cluster_name
   location = var.region
@@ -25,6 +31,13 @@ resource "google_container_cluster" "loadtest" {
   initial_node_count       = 1
 }
 
+#trivy:ignore:AVD-GCP-0048
+#trivy:ignore:AVD-GCP-0049
+#trivy:ignore:AVD-GCP-0050
+#trivy:ignore:AVD-GCP-0054
+#trivy:ignore:AVD-GCP-0057
+#trivy:ignore:AVD-GCP-0058
+#trivy:ignore:AVD-GCP-0063
 resource "google_container_node_pool" "loadtest" {
   name     = var.cluster_name
   cluster  = google_container_cluster.loadtest.name