github: Add Trivy snap scanning

Signed-off-by: hamistao <[email protected]>

.github/workflows/tests.yml

@@ -509,6 +509,49 @@ jobs:
           sha: ${{ env.head_sha }}
           ref: refs/heads/main
 
+  trivy-snap:
+    name: Trivy vulnerability scanner - Snap
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        version:
+          - latest
+        risk:
+          - edge
+    permissions:
+      security-events: write # for uploading SARIF results to the security tab
+    if: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: main # All snap scanner results are placed on the main branch
+
+      - name: Setup Trivy vulnerability scanner
+        run: |
+          mkdir -p sarifs
+          VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}');
+          wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
+          tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
+
+      - name: Run Trivy vulnerability scanner on the snap
+        run: |
+          snap download lxd --channel=${{ matrix.version }}/${{ matrix.risk }}
+          unsquashfs ./lxd*.snap
+          ./trivy rootfs ./squashfs-root/ --format sarif > ${{ matrix.version }}-${{ matrix.risk }}.sarif
+
+      - name: Get HEAD sha
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          echo "head_sha=$SHA" >> "$GITHUB_ENV"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "${{ matrix.version }}-${{ matrix.risk }}.sarif"
+          sha: ${{ env.head_sha }}
+          ref: refs/heads/main
+
   client:
     name: Client
     strategy: