ci: scan vulnerability

Signed-off-by: Kentaro Hayashi <[email protected]>

Author: kenhys

.github/workflows/scan-images.yml

@@ -0,0 +1,59 @@
+name: Scan image vulnerability
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    # Sunday, 18:00 JST
+    - cron:  '0 9 * * 0'
+
+concurrency:
+  group: ${{ github.head_ref || github.sha }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  setup:
+    name: Scan image with grype security vulnerability scanner
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - name: Pull latest grype container image
+        run: |
+          docker pull anchore/grype:latest
+  debian:
+    needs: setup
+    name: Scan debian image with grype
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - name: Pull and scan upstream trixie image
+        run: |
+          docker pull debian:trixie
+          docker run --rm anchore/grype:latest debian:trixie >> $GITHUB_STEP_SUMMARY
+  ruby:
+    needs: setup
+    name: Scan image with grype
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - name: Pull and scan upstream Ruby image
+        run: |
+          docker pull ruby:3.4-slim
+          docker run --rm anchore/grype:latest ruby:3.4-slim >> $GITHUB_STEP_SUMMARY
+  fluentd:
+    needs: setup
+    name: Scan Fluentd image with grype
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Pull and scan Fluentd image
+        run: |
+          # v1.19.1-debian-amd64
+          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
+          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE >> $GITHUB_STEP_SUMMARY