security scans

.github/workflows/build_and_test.yml

@@ -25,6 +25,7 @@ jobs:
 
       - name: Build image and bundle
         env:
+          DOCKER_BUILDKIT: '1'
           PULL_CACHE: yes
           AGENT_VERSION: latest
         run: |

.github/workflows/security-scans.yml

@@ -0,0 +1,47 @@
+name: Security Scans
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  trivy-fs-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Run trivy filesystem scan
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          skip-dirs: 'scripts,tests,test-services'
+          format: 'table'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true
+
+  trivy-image-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Build agent image
+        run: make image
+        env:
+          DOCKER_BUILDKIT: '1'
+          AGENT_VERSION: latest
+          PULL_CACHE: yes
+      - name: Run trivy image scan
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          image-ref: 'quay.io/signalfx/signalfx-agent-dev:latest'
+          format: 'table'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true