ci: add trivy image scanning (#1663)

* add trivy image scanning

* implement as partial workflow

* support both the frontend and backend Dockerfiles for scanning

* fix docker build context location

.github/workflows/partial-trivy-backend-container-scanning.yml

@@ -0,0 +1,31 @@
+name: Trivy Backend Container Scanning
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: Build and Scan Backend Container
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build Dockerfile
+        run: |
+          docker build -t mealie .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          ignore-unfixed: true
+          image-ref: "mealie"
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"

.github/workflows/partial-trivy-frontend-container-scanning.yml

@@ -0,0 +1,31 @@
+name: Trivy Frontend Container Scanning
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: Build and Scan Frontend Container
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build Dockerfile
+        run: |
+          docker build -t mealie ./frontend/
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          ignore-unfixed: true
+          image-ref: "mealie"
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"

.github/workflows/pull-requests.yml

@@ -13,3 +13,11 @@ jobs:
   frontend-tests:
     name: "Frontend and End-to-End Tests"
     uses: ./.github/workflows/partial-frontend.yml
+
+  backend-container-scanning:
+    name: "Trivy Backend Container Scanning"
+    uses: ./.github/workflows/partial-trivy-backend-container-scanning.yml
+
+  frontend-container-scanning:
+    name: "Trivy Frontend Container Scanning"
+    uses: ./.github/workflows/partial-trivy-frontend-container-scanning.yml