ci: Add trivy workflow (#279)

Signed-off-by: Dave Henderson <dave.henderson@grafana.com>

.github/workflows/trivy-scan.yml

@@ -0,0 +1,43 @@
+name: Trivy Scan
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run Trivy vulnerability scanner (table output)
+      uses: aquasecurity/trivy-action@0.24.0
+      with:
+        scan-type: 'fs'
+        scanners: 'vuln'
+        format: 'table'
+        exit-code: 1
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+        trivyignores: .trivyignore
+    - name: Run Trivy vulnerability scanner (SARIF)
+      uses: aquasecurity/trivy-action@0.24.0
+      with:
+        scan-type: 'fs'
+        scanners: 'vuln'
+        # Note: The SARIF format ignores severity and uploads all vulns for
+        # later triage. The table-format step above is used to fail the build
+        # if there are any critical or high vulnerabilities.
+        # See https://github.com/aquasecurity/trivy-action/issues/95
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        trivyignores: .trivyignore
+      if: always() && github.repository == 'grafana/certmagic-gcs'
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'
+      if: always() && github.repository == 'grafana/certmagic-gcs'

.golangci.yml

@@ -21,10 +21,10 @@ linters:
   enable:
     - asciicheck
     - bodyclose
+    - copyloopvar
     - dupl
     - errcheck
     - exhaustive
-    - exportloopref
     - gocognit
     - goconst
     - gocritic