[trivy] Add scan and enforcement of "CRITICAL" vulns at build time

Tool: gitpod/catfood.gitpod.cloud

Author: geropl

.github/workflows/build.yml

@@ -303,9 +303,31 @@ jobs:
           GITHUB_EMAIL: [email protected]
           VERSION: ${{ needs.configuration.outputs.version }}
 
+  trivy-scan:
+    name: "Scan Images for Vulnerabilities"
+    needs:
+      - configuration
+      - build-gitpod
+      - create-runner
+    runs-on: ${{ needs.create-runner.outputs.label }}
+    container:
+      image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.30393
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Environment
+        uses: ./.github/actions/setup-environment
+        with:
+          identity_provider: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_PROVIDER || secrets.DEV_PREVIEW_PROVIDER }}
+          service_account: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_SA || secrets.DEV_PREVIEW_SA }}
+          leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }}
+      - name: Scan Images for Vulnerabilities
+        shell: bash
+        run: |
+          ./scripts/trivy/trivy-scan-images.sh ${{ needs.configuration.outputs.version }} CRITICAL
+
   install-app:
     runs-on: ${{ needs.create-runner.outputs.label }}
-    needs: [ configuration, build-gitpod, create-runner ]
+    needs: [ configuration, build-gitpod, trivy-scan, create-runner ]
     if: ${{ needs.configuration.outputs.is_main_branch == 'true' }}
     strategy:
       fail-fast: false
@@ -343,6 +365,7 @@ jobs:
       - configuration
       - build-previewctl
       - build-gitpod
+      - trivy-scan
       - infrastructure
       - create-runner
     runs-on: ${{ needs.create-runner.outputs.label }}
@@ -490,6 +513,7 @@ jobs:
       - build-previewctl
       - infrastructure
       - build-gitpod
+      - trivy-scan
       - install-app
       - install
       - monitoring