feat: add trivy scan step (#979)

.github/workflows/main.yml

@@ -92,3 +92,6 @@ jobs:
 
       - name: Build Images
         run: make images
+
+      - name: Scan Images
+        run: make scan

Makefile

@@ -57,6 +57,33 @@ push-dev-images:
 push-prod-images: export GORDO_PROD_MODE:="true"
 push-prod-images: push-builder push-server push-client push-workflow-generator
 
+############### Scan docker images ####################
+
+scan:
+	@images="${MODEL_BUILDER_IMG_NAME} ${MODEL_SERVER_IMG_NAME} ${CLIENT_IMG_NAME}"; \
+	uname_S=$(shell uname -s 2>/dev/null || echo not); \
+	trivy=$(shell which trivy); \
+	if [ -z "$$trivy" ]; then \
+		if [ "$$uname_S" = "Darwin" ]; then \
+			machine="macOS"; \
+		elif [ "$$uname_S"  = "Linux" ]; then \
+			machine="Linux"; \
+		else \
+			echo "Unable to determine platform '$$uname_S'"; exit 1; \
+		fi; \
+		TRIVY_VERSION=$(shell curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/'); \
+		echo "Downloading trivy.."; \
+		[ -n "$$TRIVY_VERSION" ] && [ -n "$$machine" ] && curl -Ls "https://github.com/aquasecurity/trivy/releases/download/v$${TRIVY_VERSION}/trivy_$${TRIVY_VERSION}_$${machine}-64bit.tar.gz" | tar zx --wildcards '*trivy' || { echo "Download or extract failed for '$${machine}' version '$${TRIVY_VERSION}'."; exit 1; }; \
+		trivy="./trivy"; \
+	else \
+		TRIVY_VERSION=$(shell trivy -v 2>/dev/null | head -1 | cut -d ' ' -f 2); \
+	fi; \
+	echo "Trivy version is $${TRIVY_VERSION} and platform is $${uname_S}"; \
+	for i in $$images; do \
+		echo "Scanning image - '$$i'"; \
+		$$trivy --clear-cache && $$trivy --exit-code 1 -severity HIGH,CRITICAL --light --no-progress --ignore-unfixed "$$i"; \
+	done; \
+
 # Make the python source distribution
 sdist:
 # Ensure the dist directory is empty/non-existant before sdist