[Tool] Trivy Pipeline

Signed-off-by: AndyZiYe <[email protected]>

.github/workflows/.trivy.yaml

@@ -0,0 +1,34 @@
+# Same as '--severity'
+# Default is all severities
+severity:
+  - HIGH
+  - CRITICAL
+
+scan:
+  # Same as '--security-checks'
+  # Default depends on subcommand
+  security-checks:
+    - vuln
+
+vulnerability:
+  # Same as '--vuln-type'
+  # Default is 'os,library'
+  type:
+    - library
+
+# Same as '--format'
+format: sarif
+
+# Same as '--output'
+# Used to upload sarif to GitHub Security tab
+output: trivy-results.sarif
+
+# Same as '--ignore-unfixed'
+ignore-unfixed: false
+
+# Same as '--list-all-pkgs'
+list-all-pkgs: false
+
+# Same as '--exit-code'
+# Zero as we are only reporting for now, not enforcing
+exit-code: 0

.github/workflows/trivy-pipeline.yml

@@ -0,0 +1,29 @@
+name: TRIVY PIPELINE
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+    branches:
+      - trivy-test
+      - main
+
+concurrency:
+  group: ${{ github.event.number }}
+  cancel-in-progress: true
+
+jobs:
+  trivy-checker:
+    runs-on: [self-hosted, normal]
+    name: RUN
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 #0.19.0
+        env:
+          TMPDIR: ${{ github.workspace }}/trivy_temp # Required to prevent Trivy running out of space
+        with:
+          image-ref: "registry.cn-zhangjiakou.aliyuncs.com/starrocks/dev-env-centos7:3.1-latest"
+          scan-type: "image"
+          trivy-config: ".trivy.yaml"