add trivy scan (#4)

.github/workflows/main.yaml

@@ -42,7 +42,6 @@ jobs:
           sudo rm -rf /usr/local/share/boost
           sudo rm -rf /opt/ghc
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
-          sudo docker image prune --all --force
           df -h
       - name: build image
         if: env.SKIP == '0'
@@ -56,6 +55,22 @@ jobs:
           docker tag "$img:$tag" "$img:latest"
           echo "img=$img" >> "$GITHUB_ENV"
           echo "tag=$tag" >> "$GITHUB_ENV"
+      - name: run trivy
+        if: env.SKIP == '0'
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ env.img }}:${{ env.tag }}"
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          github-pat: "${{ secrets.GITHUB_TOKEN }}"
+          severity: 'MEDIUM,CRITICAL,HIGH'
+          scanners: "vuln"
+      - name: upload trivy report
+        if: env.SKIP == '0' && !cancelled()
+        uses: actions/upload-artifact@v4
+        with:
+          name: 'trivy-sbom-report-${{ matrix.package }}'
+          path: 'dependency-results.sbom.json'
       - name: push image
         if: env.SKIP == '0' && github.ref == 'refs/heads/main'
         run: |