Merge pull request #2472 from ShubhamPalriwala/scan-with-trivy

Scan Kyverno images on build

.github/workflows/build.yaml

@@ -113,6 +113,16 @@ jobs:
         run: |
           make docker-build-kyverno
 
+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@master
+        with: 
+          image-ref: 'ghcr.io/kyverno/kyverno:latest'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
   build-kyverno-cli:
     runs-on: ubuntu-latest
     needs: pre-checks

.github/workflows/release.yaml

@@ -84,6 +84,16 @@ jobs:
         run: |
           make docker-publish-kyverno
 
+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@master
+        with: 
+          image-ref: 'ghcr.io/kyverno/kyverno:latest'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
   release-kyverno-cli:
     runs-on: ubuntu-latest
     steps: