replace FOSSA with Trivy (#4024)

* replace FOSSA with Trivy

.github/workflows/license.yaml

@@ -0,0 +1,53 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+env:
+  TRIVY_VERSION: 0.44.1
+
+name: License scan
+
+jobs:
+  license:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+
+      - name: Install Go deps
+        run: go mod download
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: yarn
+          cache-dependency-path: web/yarn.lock
+
+      - name: Install Node.js deps
+        working-directory: web
+        run: yarn install
+
+      - name: Install trivy
+        run: |
+          wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb"
+          sudo dpkg -i "trivy_${TRIVY_VERSION}_Linux-64bit.deb"
+
+      - name: Create license report artifact
+        run: trivy fs --scanners license --skip-dirs ".github" --skip-files "package-lock.json,bin/scan-images/package-lock.json" . | tee license-report.txt
+
+      - name: Upload license report artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: license-report
+          path: license-report.txt
+
+      - name: Check for unknown licenses
+        run: |
+          trivy fs --scanners license --skip-dirs ".github" --skip-files "package-lock.json,bin/scan-images/package-lock.json" --exit-code 1 --severity UNKNOWN . || echo "::warning::Unknown licenses found, please verify"
+
+      - name: Check for forbidden licenses and fail
+        run: trivy fs --scanners license  --skip-dirs ".github" --skip-files "package-lock.json,bin/scan-images/package-lock.json" --exit-code 1 --severity CRITICAL,HIGH .

README.md

@@ -1,6 +1,5 @@
 [![Develop on Okteto](https://okteto.com/develop-okteto.svg)](https://replicated.okteto.dev/deploy?repository=https://github.com/replicatedhq/kots)
 [![go.dev reference](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/github.com/replicatedhq/kots)
-[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B5995%2Fgithub.com%2Freplicatedhq%2Fkots.svg?type=small)](https://app.fossa.com/projects/custom%2B5995%2Fgithub.com%2Freplicatedhq%2Fkots?ref=badge_small)
 
 # Kubernetes Off-The-Shelf (KOTS) Software
 Replicated KOTS is the collective set of tools that enable the distribution and management of Kubernetes Off-The-Shelf (KOTS) software. The Kots CLI (a Kubectl plugin) is a general purpose, client-side binary for configuring and building dynamic Kubernetes manifests. The Kots CLI also serves as the bootstrapper for the in-cluster Kubernetes application Admin Console [kotsadm](https://github.com/replicatedhq/kots/tree/main/kotsadm) which can be used to automate the core Kots CLI tasks for managing applications (license verification, configuration, updates, image renaming, version controlling changes, and deployment) as well as additional KOTS tasks (running preflight checks and performing support bundle analysis).