cicd: setup trivy scan and call gh-pages URL with results

[d-koppenhagen]

In order to demo and also scan the used dockerfile, we could make use of https://github.com/aquasecurity/trivy-action

[Morl99]

Unfortunately, using the actions artifacts does not seem to work, since the only way to download them is by using a zip file, and the explorer does not support zip files. See https://github.com/actions/upload-artifact?tab=readme-ov-file#zip-archives for documentation on this. Do you have any other ideas @d-koppenhagen or do we want to revert the changes from #527 and close this issue as won't fix?

[d-koppenhagen]

Ahhh... I remember, I stumbled over this.
Unfortunately there seems to be no way to get the raw artifacts.

I think we have three options:

1. upload the artifacts somewhere else.. wehrte? Probably a service where it's stored only temporarily is good enough (1d?)
2. accept this technical limit
3. add a UI feature which accepts a zip file and unzips it

[d-koppenhagen]

Candidates for (1):

• https://filebin.net/
• https://tmpfiles.org/ (60min limited)

[Morl99]

I don't really like the idea of using an external service for this. How about we use a special branch and publish the artifacts there and then use a raw URL to load them. This is basically what the github pages branch does. We would need to build a step that checks out the branch and adds the file and then commit/pushes. We could use a timestamp as a folder, that way we can write a cleanup job if we ever need it.

This can be done with a combination of the checkout and the add and commit actions.

[d-koppenhagen]

This sound like a good idea to me!
Something like job-artifacts? We could also use the job id, then we can trace back the results to where they have been created.

[b-d-e]

Hi! Thanks for this project, it's looks really useful. I just wanted to check in on this feature discussion - are there still plans to implement it?

The dream use case would be to run a trivy scan in a CI pipeline, and then produce a statically hosted github pages site with the results displayed in the trivy vulnerability explorer, without having to import from a json.