Merge branch 'main' into issue-212

Author: davidcollom

.github/workflows/build-test.yaml

@@ -32,6 +32,29 @@ jobs:
           args: --timeout 10m --verbose --issues-exit-code=0
           only-new-issues: true
 
+  code-scan:
+    name: Code Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/[email protected]
+        continue-on-error: true
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          exit-code: "1"
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH,MEDIUM"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"
+
   govulncheck:
     runs-on: ubuntu-latest
     name: Run govulncheck
@@ -103,27 +126,35 @@ jobs:
         uses: docker/setup-buildx-action@v3
         with:
           platforms: ${{ matrix.platform }}
+          driver: docker-container
+          use: true
 
       - name: Build Images
         uses: docker/build-push-action@v6
         with:
           context: .
           platforms: ${{ matrix.platform }}
-          load: true
           push: false
           tags: quay.io/jetstack/version-checker:${{github.sha}}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          # https://github.com/docker/buildx/issues/1714
+          # Whilst trivy says it supports .tar etc, it wouldn't work in gha or locally on my machine.
+          outputs: |-
+            type=oci,tar=false,compression=uncompressed,dest=./.oci-image
           attests: |-
-            type=sbom,generator=image
+            type=sbom
             type=provenance,mode=max
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/[email protected]
         with:
-          image-ref: "quay.io/jetstack/version-checker:${{github.sha}}"
+          input: ./.oci-image
           format: "table"
           exit-code: "1"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
+
+      - name: "Cleanup OCI Image from FS"
+        run: rm -rf ./.oci-image

.github/workflows/release.yaml

@@ -189,6 +189,9 @@ jobs:
           tags: quay.io/jetstack/version-checker:${{github.ref_name}}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          attests: |-
+            type=sbom
+            type=provenance,mode=max
 
   github-release:
     name: Create/Update GitHub Release