
add trivy workflow to scan repo as IaC #251

Merged: 3 commits, Jun 25, 2024

Conversation

@hossnys (Collaborator) commented May 13, 2024

due to https://github.com/threefoldtech/tf_operations/issues/2163

  • added Trivy workflow to run with any commit or PR on the development branch.

@hossnys hossnys marked this pull request as draft May 14, 2024 07:51
@github-advanced-security commented

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@hossnys hossnys marked this pull request as ready for review May 14, 2024 12:34
@PeterNashaat (Member) commented

  • Noticed that the workflow didn't seem to produce any results in the Security tab, nor did I find the trivy-results.sarif file anywhere. It looks like the current setup is configured to scan Infrastructure as Code (IaC) configurations, not Dockerfiles or container images. The scan-type: 'config' setting tells Trivy to focus on configuration files instead of container images.

  • Using scan-type: 'config' does scan Dockerfiles for misconfigurations, like security best practices, but not for the vulns found in software packages within Docker images. If you want to scan Docker images for vulnerabilities, you should use scan-type: 'image':

(config) Scans: This type checks for issues like running as the root user or missing security configurations in Dockerfiles.
(image) Scans: This type finds vulns in the software packages included in Docker images.

Trivy Configuration Scanning
Trivy Container Image Scanning

@hossnys (Collaborator, Author) commented May 16, 2024

> Noticed that the workflow didn't seem to produce any results in the Security tab, nor did I find the trivy-results.sarif file anywhere. It looks like the current setup is configured to scan Infrastructure as Code (IaC) configurations, not Dockerfiles or container images. The scan-type: 'config' setting tells Trivy to focus on configuration files instead of container images.

  • According to this part, the workflow is configured to work against the development branch, so as the PR is not merged yet the code is not there to be triggered by a push on the development branch; I tested it on a fork on my GH account here.
  • For the trivy-results.sarif file, it's included in every result like here:
    (screenshot: Firefox_Screenshot_2024-05-16T13-48-32 143Z)

> Using scan-type: 'config' does scan Dockerfiles for misconfigurations, like security best practices, but not for the vulns found in software packages within Docker images. If you want to scan Docker images for vulnerabilities, you should use scan-type: 'image':
>
> (config) Scans: This type checks for issues like running as the root user or missing security configurations in Dockerfiles. (image) Scans: This type finds vulns in the software packages included in Docker images.
>
> Trivy Configuration Scanning / Trivy Container Image Scanning

According to this type of IaC scan, this was approved by Thabet to go ahead with it, and we can improve it later on with the current and new coming images.
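The two scan modes discussed in the thread above (config scanning of the repo's IaC files versus vulnerability scanning of a built image), together with the SARIF upload that makes results appear in the Security tab, as an added example workflow. This is not the workflow from this PR; the job names, the local image tag, the SARIF file names and the branch filter are assumptions, while the trivy-action and upload-sarif inputs are the ones those actions document.

```yaml
# Added example, not the workflow merged in this PR.
# Runs Trivy in both modes discussed above and uploads each SARIF
# file to GitHub code scanning so findings show in the Security tab.
name: trivy

on:
  push:
    branches: [development]     # branch filter assumed from the discussion
  pull_request:
    branches: [development]

permissions:
  contents: read
  security-events: write        # without this, upload-sarif cannot publish results

jobs:
  iac-misconfig:
    # scan-type: config -> Dockerfiles, Kubernetes/Terraform/Helm files, etc.
    # Reports misconfigurations (e.g. running as root), not package CVEs.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master   # pin to a release tag in production
        with:
          scan-type: 'config'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-config.sarif'
          exit-code: '0'        # report only; set '1' to fail the check on findings
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-config.sarif'
          category: 'trivy-config'   # separate category so both uploads coexist

  image-vulns:
    # scan-type: image -> OS and language packages inside a built image.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t local/app:ci .    # image tag is a placeholder
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'image'
          image-ref: 'local/app:ci'
          format: 'sarif'
          output: 'trivy-image.sarif'
          ignore-unfixed: true  # skip CVEs with no available fix to cut noise
          severity: 'CRITICAL,HIGH'
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-image.sarif'
          category: 'trivy-image'
```

Two details worth checking when the Security tab stays empty: the `security-events: write` permission must be granted (the default `GITHUB_TOKEN` is read-only for pull requests from forks, so uploads from fork PRs are expected to fail), and each upload needs its own `category`, otherwise the second upload replaces the first instead of appearing beside it.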

@xmonader (Collaborator) commented

I can only provide ideas, if it can be enabled on all branches it would be great :) the end goal is to have security scanning, but you guys know the best how to implement that 😊

@hossnys hossnys merged commit c0df6d6 into development Jun 25, 2024
2 checks passed
@hossnys hossnys deleted the development_add_trivy branch June 25, 2024 13:32
@xmonader xmonader added this to the 3.15.x milestone Oct 14, 2024