[CI] Add Trivy workflow (#16840)

This patch adds a workflow to perform trivy check as required by our
public release policy.

---------

Co-authored-by: Nick Sarnie <[email protected]>

.github/workflows/trivy.yml

@@ -0,0 +1,37 @@
+# This workflow performs a trivy check of docker config files.
+
+name: Trivy
+
+on:
+  pull_request:
+    paths:
+      - 'devops/containers/**'
+      - 'devops/.trivyignore.yaml'
+      - '.github/workflows/trivy.yml'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: devops
+
+      # There is a github action, but for some reason it ignores ignore-file.
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
+          ./bin/trivy --version
+
+      - name: Run Trivy vulnerability scanner
+        run: ./bin/trivy config --format json --output trivy-report.json --ignorefile=devops/.trivyignore.yaml devops/containers --exit-code 1
+
+      - name: Upload report artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-report.json
+          retention-days: 3

devops/.trivyignore.yaml

@@ -0,0 +1,5 @@
+misconfigurations:
+  - id: AVD-DS-0001
+    statement: "We use our own containers, no uncontrolled behavior is expected when the image is updated"
+  - id: AVD-DS-0026
+    statement: "Our containers do not provide running services, but only preinstalled tools, there is not much value in adding HEALTHCHECK directives"