Replace custom Clair scan with Trivy Github Workflows (#4541)

We have had ci/clair-scan for a while, but I don't think it has proven
useful as we scarcely look at the results, and vulnerabilities are
usually reported by Antrea users and third-parties. The way we run Clair
is also probably outdated, as this code has not been updated recently.

Since we recently added a Makefile target to run Trivy scans, we replace
our "custom" Clair scan code, as well as our Github workflow running
scans, with new Github workflows using the standard
aquasecurity/trivy-action Github action.

We have 2 Github worfklows running Trivy on the Antrea Ubuntu-based
image. The first one runs daily (or on demand) and generates reports
(which are then uploaded as artifacts) for the latest Antrea image as
well as the image for the latest Antrea released version. The second one
runs whenever a Pull Request is created to release a new Antrea version.

Signed-off-by: Antonin Bas <abas@vmware.com>

.github/workflows/trivy_scan.yml

@@ -0,0 +1,71 @@
+name: Scan Antrea Docker image for vulnerabilities every day
+
+on:
+  schedule:
+    # every day at 10am
+    - cron: '0 10 * * *'
+  workflow_dispatch:
+
+jobs:
+  build:
+    if: github.repository == 'antrea-io/antrea'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-go@v3
+      with:
+        go-version-file: 'go.mod'
+    - name: Find greatest Antrea version
+      id: find-antrea-greatest-version
+      run: |
+        VERSION=$(git ls-remote --tags --ref https://github.com/antrea-io/antrea.git | \
+          grep -v rc | \
+          awk '{print $2}' | awk -F/ '{print $3}' | \
+          sort --version-sort -r | head -n 1)
+        echo "antrea_version=$VERSION" >> $GITHUB_OUTPUT
+    - name: Pull Antrea Docker images
+      id: pull
+      run: |
+        docker pull antrea/antrea-ubuntu:latest
+        docker pull antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}
+    - name: Run Trivy vulnerability scanner on latest Antrea Docker image
+      if: ${{ always() && steps.pull.conclusion == 'success' }}
+      uses: aquasecurity/trivy-action@0.8.0
+      # we cannot use .trivy.yml as we need to override some config parameters
+      # and that is not supported by aquasecurity/trivy-action
+      with:
+        scan-type: 'image'
+        image-ref: 'antrea/antrea-ubuntu:latest'
+        exit-code: '1'
+        ignore-unfixed: true
+        severity: 'CRITICAL,HIGH'
+        # whereabouts project doesn't upgrade dependencies frequently
+        skip-files: '/opt/cni/bin/whereabouts'
+        format: 'table'
+        output: 'trivy.latest.txt'
+    - name: Run Trivy vulnerability scanner on Antrea Docker image for latest released version
+      if: ${{ always() && steps.pull.conclusion == 'success' }}
+      uses: aquasecurity/trivy-action@0.8.0
+      with:
+        scan-type: 'image'
+        image-ref: 'antrea/antrea-ubuntu:${{ steps.find-antrea-greatest-version.outputs.antrea_version }}'
+        exit-code: '1'
+        ignore-unfixed: true
+        severity: 'CRITICAL,HIGH'
+        skip-files: '/opt/cni/bin/whereabouts'
+        format: 'table'
+        output: 'trivy.${{ steps.find-antrea-greatest-version.outputs.antrea_version }}.txt'
+    - name: Upload Trivy scan reports
+      if: ${{ always() && steps.pull.conclusion == 'success' }}
+      uses: actions/upload-artifact@v3
+      with:
+        name: trivy-scan-reports
+        path: trivy.*.txt
+        retention-days: 90 # max value
+  skip:
+    if: github.repository != 'antrea-io/antrea'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Skip
+        run: |
+          echo "Skipping image scan because workflow cannot be run from fork"

.github/workflows/trivy_scan_before_release.yml

@@ -0,0 +1,25 @@
+name: Scan Antrea Docker image for vulnerabilities before release
+
+on:
+  pull_request:
+    branches:
+      - release-*
+
+jobs:
+  build:
+    if: startsWith(github.event.pull_request.title, 'Release ')
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-go@v3
+      with:
+        go-version-file: 'go.mod'
+    - name: Build Antrea Docker image
+      run: |
+        ./hack/build-antrea-linux-all.sh --pull
+    - name: Run Trivy vulnerability scanner on Antrea Docker image
+      uses: aquasecurity/trivy-action@0.8.0
+      with:
+        scan-type: 'image'
+        image-ref: 'antrea/antrea-ubuntu:latest'
+        trivy-config: '.trivy.yml'

.trivy.yml

@@ -0,0 +1,9 @@
+# fail in case of vulnerabilities
+exit-code: 1
+
+severity:
+  - HIGH
+  - CRITICAL
+
+vulnerability:
+  ignore-unfixed: true

Makefile

@@ -65,7 +65,7 @@ check-%:
 
 .PHONY: trivy-scan
 trivy-scan: .trivy-bin check-TRIVY_TARGET_IMAGE
-	$(CURDIR)/.trivy-bin/trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed $(TRIVY_TARGET_IMAGE)
+	$(CURDIR)/.trivy-bin/trivy image -c .trivy.yml $(TRIVY_TARGET_IMAGE)
 
 .PHONY: antrea-agent
 antrea-agent: