
Conversation

@i-oden
Member

@i-oden i-oden commented Nov 20, 2025

📋 Summary

This PR adds the Trivy GitHub Action. Taken from the pathogens portal repo and slightly altered.

🛠️ Changes Made

  • New actions: trivy-branch and trivy-scheduled, just as in pathogens-portal.
  • Started with copying the workflows from the pathogens-portal repo, but altered them
  • I've added exit-code and if: always() -- the action will fail if it detects a vulnerability but it will always publish the results to the security tab
  • For trivy-scheduled.yaml I kept the scan on main anyway (discussion on slack), but removed some unnecessary steps.

🔍 Notes for Reviewers

As discussed on slack, I looked at only scanning latest instead of main. However we don't publish any tag called latest if I've understood correctly, so I decided to go for main anyway instead of altering the publishing.

✅ Checklist

  • PR title follows the pattern: FREYA-XXXX: Clear and short description
  • Jira / Github issue is linked in description
  • Assignee is selected
  • Code and content adhere to conventions
  • Automated checks pass
  • Reviewer is selected when the PR is marked as ready for review

🔗 Jira Issue

Closes: FREYA-1889

@i-oden i-oden self-assigned this Nov 20, 2025
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@i-oden i-oden marked this pull request as ready for review December 3, 2025 10:00
@i-oden i-oden requested a review from a team as a code owner December 3, 2025 10:00
Member

@Ziip-dev Ziip-dev left a comment


Good work! We just need to agree on failing the action or not as mentioned here before approving :)

@i-oden i-oden requested review from a team and Ziip-dev December 4, 2025 10:24
@i-oden
Member Author

i-oden commented Dec 5, 2025

Good work! We just need to agree on failing the action or not as mentioned here before approving :)

Fixed ✅

@i-oden
Member Author

i-oden commented Dec 9, 2025

@Ziip-dev Could you have a look at this when you have some time? 🙏🏻

@Ziip-dev
Member

Ziip-dev commented Dec 9, 2025

@Ziip-dev Could you have a look at this when you have some time? 🙏🏻

Oops, I had forgotten this one, sorry. Thanks for the reminder!

@i-oden
Member Author

i-oden commented Dec 9, 2025

@Ziip-dev Could you have a look at this when you have some time? 🙏🏻

Oops, I had forgotten this one, sorry. Thanks for the reminder!

No worries!

Member

@Ziip-dev Ziip-dev left a comment


Nice work :)
Some minor changes; the rest is more open questions and leads for improvement that I would like to have the team's opinion on.

Comment on lines +12 to +13
push:
branches: [main]
Member


Not sure this one is necessary as we can't push to main

Member


Sorry, I saw your comment about this after publishing the review, but I'm curious why, then, as I missed the discussion :)

scan-type: "fs"
scan-ref: "." # Default but being explicit
scanners: "vuln,secret" # Default but being explicit
# ignore-unfixed: true
Member


What is ignore-unfixed for initially? And why is it commented out here?
Genuine question, I'm not that familiar with actions so if you can briefly explain to me :) (asking because it's set as true in the old portal repo)

security-events: write
name: Build
runs-on: ubuntu-latest
steps:
Member


We don't need the checkout action here?


- name: Upload Trivy scan results to GitHub Security tab
if: always() # Publish results to security tab even if scan fails
uses: github/codeql-action/upload-sarif@v3
Member


Although we still have one year before deprecation, since we have a warning already and the v4 has been released:

Suggested change
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@v4


- name: Upload Trivy scan results to GitHub Security tab
if: always() # Publish results to security tab even if scan fails
uses: github/codeql-action/upload-sarif@v3
Member


Suggested change
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@v4

Comment on lines +32 to +33
TRIVY_DB_REPOSITORY: >-
ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
Member


No issue here, just an idea: could we benefit from Trivy's built-in cache step to reduce runtime? This would avoid downloading the entire DB on every run.

with:
scan-type: "fs"
scan-ref: "." # Default but being explicit
scanners: "vuln,secret" # Default but being explicit
Member


Would adding the misconfig scanner be beneficial?

# ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
Member


Another open question :)
Are we interested in broader severity coverage? Like MEDIUM severity at least? Or do we want to ignore everything below HIGH severity

ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
uses: aquasecurity/[email protected]
with:
image-ref: ghcr.io/scilifelabdatacentre/swedish-pathogens-portal:main
Member


So this workflow scans the built Docker image via image-ref, which is good, but never the repository file system.
Is it intended and why?
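Pulling the review threads above together (the exit-code plus if: always() pairing from the PR description, the ignore-unfixed question, the DB cache idea, the misconfig scanner, severity coverage, upload-sarif@v4, and the image-scan-only question on the scheduled workflow), here is a single worked workflow as an added example. It is not the project's workflow and not code from this PR: the cron expression, the severity list, the SARIF `category` names, and the decision to run the image scan only on main and on the schedule are my assumptions; `cache: true` and `limit-severities-for-sarif` are trivy-action inputs documented in the action's README, and `TRIVY_DB_REPOSITORY` and the `image-ref` value are taken from the snippets quoted above.

```yaml
name: Trivy scan (added example, not the project's own workflow)

on:
  pull_request:
  push:
    branches: [main]          # merging a PR produces a push event on main, so this still fires under branch protection
  schedule:
    - cron: "0 6 * * 1"       # assumed weekly schedule; pick whatever cadence the team wants

permissions:
  contents: read              # actions/checkout
  security-events: write      # github/codeql-action/upload-sarif

env:
  # Primary and fallback DB registries (from the snippet under review); the fallback covers ghcr.io rate limits
  TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db

jobs:
  fs-scan:
    name: Scan repository file system
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # a fs scan reads the working tree, so checkout is required here

      - name: Run Trivy (fs)
        uses: aquasecurity/[email protected]
        with:
          scan-type: fs
          scan-ref: "."
          scanners: vuln,secret,misconfig   # misconfig adds Dockerfile / IaC checks on top of vuln and secret
          severity: CRITICAL,HIGH,MEDIUM    # assumed choice: extends the PR's CRITICAL,HIGH to include MEDIUM
          ignore-unfixed: true              # drop findings with no fixed version; otherwise exit-code blocks CI on things nobody can patch yet
          exit-code: "1"                    # step fails when findings remain after the filters above
          format: sarif
          output: trivy-fs.sarif
          limit-severities-for-sarif: true  # without this the SARIF file contains every severity regardless of 'severity'
          cache: true                       # action-managed cache of the vulnerability DB between runs

      - name: Upload fs results to the Security tab
        if: always()                        # publish even when the scan step failed on exit-code
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-fs.sarif
          category: trivy-fs                # separate category so the image upload below does not overwrite these results

  image-scan:
    name: Scan published image
    if: github.event_name == 'schedule' || github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      # No checkout step: image-ref pulls the image from the registry, nothing is read from the repo
      - name: Run Trivy (image)
        uses: aquasecurity/[email protected]
        with:
          scan-type: image
          image-ref: ghcr.io/scilifelabdatacentre/swedish-pathogens-portal:main
          scanners: vuln,secret
          severity: CRITICAL,HIGH,MEDIUM
          ignore-unfixed: true
          exit-code: "1"
          format: sarif
          output: trivy-image.sarif
          limit-severities-for-sarif: true
          cache: true

      - name: Upload image results to the Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-image.sarif
          category: trivy-image
```

Two points worth checking before adopting anything like this. First, `ignore-unfixed` only matters once `exit-code` is non-zero: it suppresses findings for which the distro or ecosystem has not yet published a fixed version, so the job fails only on what can actually be patched, at the cost of those findings also disappearing from the Security tab. Second, if both the branch workflow and the scheduled workflow upload SARIF, give each upload its own `category`; uploads to the same category replace each other, so without it the image results on main would silently overwrite the file-system results (or vice versa).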


3 participants