feat(security-actions/scan-docker-image): support trivy_db_cache as alternate

[dndx]

input which allows caching the Trivy DB to get around rate limiting issues

Trivy (ab)uses GHCR OCI as it's config update mechanism, and this is being heavily (targeted) rate limited by GitHub.

Inspired by aquasecurity/trivy#7591, this PR adds two optional arguments to the security-actions/scan-docker-image image that allows us to skip fetching fro GHCR completely:

trivy_db_cache:
    description: 'GitHub repository containing Trivy DB cache (format: owner/repo@ref). Database should be named `db.tar.gz` on the default branch.'
    required: false
trivy_db_cache_token:
    description: 'Token for accessing `trivy_db_cache`.'
    required: false

When provided, we will checkout the specific repo's branch using the PAT, look for a db.tar.gz file from it and untar it to the filesystem. We then instruct Trivy to not update it's database and instead use the local database only.

This ensures the action will always succeed because a database will always be available. https://github.com/Kong/trivy-db-mirror contains a workflow that automatically updates it's database every 6 hours, but update can also be manually triggered via Run workflow button on this page.

This PR also removed running Trivy inside the Docker container, as it appears that GitHub Actions does not support volume mounting with the docker:// method. Instead we simply download the trivy executable from the official release link and throw it into /usr/local/bin.

According to my tests, the scan image workflow now always succeeds.

Sister PR on Kong-ee: https://github.com/Kong/kong-ee/pull/10626

[github-actions]

Luacheck Report

1 files  ±0  1 suites  ±0   0s ⏱️ ±0s
4 tests ±0  4 ✅ ±0  0 💤 ±0  0 ❌ ±0 
8 runs  ±0  8 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit c0bb00e. ± Comparison against base commit 1a06695.

♻️ This comment has been updated with latest results.

[saisatishkarra]

Based on the below discussions for the mentioned Issue,

• Issue: Mitigate rate limit issues by utilizing mirror.gcr.io as default DB repository aquasecurity/trivy#7938
• Upstream related Discussions:
  • Solve once for all the TOOMANYREQUESTS issues aquasecurity/trivy#7668
  • Trivy DB rate limit issues while downloading DBs aquasecurity/trivy#7699
  • v0.57.1 aquasecurity/trivy#7951
• Conclusion: To avoid trivy rate-limiting issues and re-enable docker cis scan
  • By default, the action leverage the the updated upstream mirror.gcr.io for up-to-date CIS DB checks
  • Anyone requiring availability at all times, explicitly set trivy_db_cache: Kong/trivy-db-mirror@master and trivy_db_cache_token to clone DB mirror repository accessible internally within Kong org

[saisatishkarra]

LGTM

[pankajmouriyakong]

LGTM