ci(trivy): Add trivy scan for all container images

.gitlab-ci.yml

@@ -5,6 +5,7 @@ include:
 stages:
   - lint
   - build
+  - test
   - changelog
   - release
 

images/.utils/gitlab-ci.yaml

@@ -67,3 +67,51 @@ container-build-dev:
         compare_to: main
   tags:
     - hetzner
+
+stages:
+  - test
+
+container-trivy-scan:
+  stage: test
+  extends: .container-matrix
+  image:
+    name: docker.io/aquasec/trivy:0.37.3
+    entrypoint: []
+  services:
+    - name: docker:dind
+      entrypoint: ["env", "-u", "DOCKER_HOST"]
+      command: ["dockerd-entrypoint.sh"]
+  variables:
+    DOCKER_HOST: tcp://docker:2375/
+    DOCKER_DRIVER: overlay2
+    # See https://github.com/docker-library/docker/pull/166
+    DOCKER_TLS_CERTDIR: ""
+    IMAGE: "quay.io/shivering-isles/${IMAGE}:${CI_COMMIT_SHORT_SHA}"
+    TRIVY_NO_PROGRESS: "true"
+    TRIVY_CACHE_DIR: ".trivycache/"
+  allow_failure: true
+  script:
+    # Image report
+    - trivy image --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE
+    # Filesystem report
+    - trivy filesystem --scanners config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json .
+    # Combine report
+    - apk update && apk add jq
+    - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > gl-codeclimate.json
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    paths:
+      - gl-codeclimate.json
+    reports:
+      codequality: gl-codeclimate.json
+  rules:
+    - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push"'
+      changes:
+        paths:
+          - images/${IMAGE}/**/*
+          - images/.utils/*
+        compare_to: main
+  tags:
+    - hetzner