8241 trivy ignore file action (#8345)

* Create .trivyignore

Adding original trivy ignore file. Working to resolve/document more of the findings, especially around go.mod. Will add a github action as well.

* Adding default trivy scan for testing

* Update trivy_scan.yml

Making it manual + daily for now

* Update trivy_scan.yml

updating name

* Renamed + configured Trivy scan

.github/workflows/trivy_scan.yml

@@ -0,0 +1,29 @@
+name: Trivy vulnerability scan
+on:
+  workflow_dispatch:
+  schedule:
+  - cron: '0 4 * * *' # Nightly 4AM UTC
+jobs:
+  build:
+    name: Trivy
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+          skip-dirs: 'website/,tools/,infrastructure/,test/,orbit/pkg/insecure/'
+          trivyignores: '.trivyignore'
+          security-checks: 'vuln'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

.trivyignore

@@ -0,0 +1,14 @@
+# These AWS SDK CVEs do not impact Fleet as we do not use S3 client-side crypto features
+
+CVE-2020-8911
+CVE-2020-8912
+GHSA-7f33-f4f5-xwgw
+GHSA-f5pg-7wfw-84q9
+
+# Vulnerable code in trim is not used in Fleet
+
+CVE-2020-7753
+
+# We feel like the risk of DoS using this technique, which requires being logged in, is low probability and low impact, as such we will not update glob-parent only for this CVE
+
+CVE-2020-28469