Add vulnerability detection Github Action to scan built docker images

[nigelgbanks]

@g7morris used Syft and Grype to scan the images for vulnerabilities in response to the log4j issue. Look into how to integrate these tools so checks are performed:

• For every push if it is a cheap operation.
• For every release.
• Perhaps also weekly just incase new vulnerabilities are discovered as the repository doesn't change that often at this point.

[nigelgbanks]

Initial thought I can integrate it with the Gradle plugin so that it can be run both locally and with github actions.

Reference for Github actions. https://github.com/marketplace/actions/anchore-container-scan

[g7morris]

@nigelgbanks Anything I can do here to help move this along?

[nigelgbanks]

#183 should cover it. It generates reports that one can download on the build page, for example https://github.com/Islandora-Devops/isle-buildkit/actions/runs/2030133280; The link to grype reports. https://github.com/Islandora-Devops/isle-buildkit/suites/5774283956/artifacts/192302600

They are markdown files like the following:

NAME               INSTALLED     FIXED-IN   VULNERABILITY        SEVERITY 
commons-io         2.6                      CVE-2021-29425       Medium    
commons-io         2.6           2.7        GHSA-gwrp-pvrq-jmwv  Medium    
flock              2.37.4-r0                CVE-2010-3262        Medium    
guava              25.1-android             CVE-2020-8908        Low       
guava              25.1-android             GHSA-5mg8-w23w-74h3  Low       
jsoup              1.12.1        1.14.2     GHSA-m72m-mhq2-9p6c  High      
jsoup              1.12.1                   CVE-2021-37714       High      
libcrypto1.1       1.1.1l-r7     1.1.1n-r0  CVE-2022-0778        High      
libldap            2.6.0-r0                 CVE-2015-3276        Medium    
libretls           3.3.4-r2      3.3.4-r3   CVE-2022-0778        High      
libssl1.1          1.1.1l-r7     1.1.1n-r0  CVE-2022-0778        High      
postgresql-common  1.0-r0                   CVE-2019-3466        High      
tomcat-jdbc        9.0.58                   CVE-2016-6325        High      
tomcat-jdbc        9.0.58                   CVE-2016-5425        High      

[nigelgbanks]

Though there isn't a weekly setup or notification system at this point. The pull request was just the first pass in generating the reports on every push so that a pull request reviewer could use that information to see if some new vulnerability has been added. Further automation can be handled post release.

[nigelgbanks]

Pull request is merged, any further improvements can be raised as new tickets.