ci: add govulncheck (#3114)

Signed-off-by: Sertac Ozercan <[email protected]>

.github/workflows/scan-vulns.yaml

@@ -0,0 +1,74 @@
+name: scan_vulns
+on:
+  push:
+    paths-ignore:
+      - ".github/workflows/website.yaml"
+      - "docs/**"
+      - "library/**"
+      - "demo/**"
+      - "deprecated/**"
+      - "example/**"
+      - "website/**"
+      - "**.md"
+      - "!cmd/build/helmify/static/README.md"
+  pull_request:
+    paths-ignore:
+      - ".github/workflows/website.yaml"
+      - "docs/**"
+      - "library/**"
+      - "demo/**"
+      - "deprecated/**"
+      - "example/**"
+      - "website/**"
+      - "**.md"
+      - "!cmd/build/helmify/static/README.md"
+
+permissions: read-all
+
+jobs:
+  govulncheck:
+    name: "Run govulncheck"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    steps:
+      - uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4 # v1.0.1
+
+  scan_vulnerabilities:
+    name: "[Trivy] Scan for vulnerabilities"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Download trivy
+        run: |
+          pushd $(mktemp -d)
+          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          echo "$(pwd)" >> $GITHUB_PATH
+        env:
+          TRIVY_VERSION: "0.46.0"
+
+      - name: Run trivy on git repository
+        run: |
+          trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
+
+      - name: Build docker images
+        run: |
+          make docker-buildx \
+            IMG=gatekeeper-e2e:latest
+
+          make docker-buildx-crds \
+            CRD_IMG=gatekeeper-crds:latest
+
+      - name: Run trivy on images
+        run: |
+          for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
+              trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
+          done

.github/workflows/workflow.yaml

@@ -307,43 +307,3 @@ jobs:
         name: generatorexpansion-logs
         path: |
           logs-*.json
-
-  scan_vulnerabilities:
-    name: "[Trivy] Scan for vulnerabilities"
-    runs-on: ubuntu-22.04
-    timeout-minutes: 15
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
-        with:
-          egress-policy: audit
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-
-      - name: Download trivy
-        run: |
-          pushd $(mktemp -d)
-          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
-          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
-          echo "$(pwd)" >> $GITHUB_PATH
-        env:
-          TRIVY_VERSION: "0.41.0"
-
-      - name: Run trivy on git repository
-        run: |
-          trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
-
-      - name: Build docker images
-        run: |
-          make docker-buildx \
-            IMG=gatekeeper-e2e:latest
-
-          make docker-buildx-crds \
-            CRD_IMG=gatekeeper-crds:latest
-
-      - name: Run trivy on images
-        run: |
-          for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
-              trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
-          done