add trivy and dockle scanning

Signed-off-by: Neil South <[email protected]>

.github/workflows/ci.yml

@@ -441,6 +441,27 @@ jobs:
         with:
           image-name: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        if: ${{ (matrix.os == 'ubuntu-latest') }}
+        with:
+          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL'
+          fail-build: true
+
+      - uses: goodwithtech/dockle-action@main
+        if: ${{ (matrix.os == 'ubuntu-latest') }}
+        with:
+          image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+          format: 'list'
+          exit-code: '1'
+          exit-level: 'warn'
+          ignore: 'CIS-DI-0001,DKL-DI-0006'
+
       - name: Anchore container scan
         id: anchore-scan
         uses: anchore/[email protected]
@@ -450,7 +471,7 @@ jobs:
           fail-build: true
           severity-cutoff: critical
 
-      - name: Upload Anchore scan SARIF report
+      - name: Upload scan SARIF report
         uses: github/codeql-action/upload-sarif@v2
         if: ${{ (matrix.os == 'ubuntu-latest') }}
         with: