plugins
Added trivy-scan for plugins
This PR introduces security scanning for the plugins repository. This job will run on any pull request or push that changes the main
branch.
1. Why is this pull request needed and what does it do? CVE scanning for the plugins repository will be enabled by this PR. It will make it easier to track down the HIGH and CRITICAL CVEs being used.
Test result:
cc: @squeed @dcbw
I'm willing to try this, but I'm concerned about endless false positives. The CNI plugins make no HTTP or TLS requests, provide no network services, and don't parse end-user-provided input. Dealing with the output of security scanners is, in my experience, a tiring exercise in pulling signal from noise.
CNI, as a volunteer-operated project, only has so many resources, and dealing with spurious false positives might not be a good use of that time.
Does trivy do any sort of code path analysis to determine if CVEs are applicable in the style of govulncheck?
Yes, we are not testing any HTTP or TLS requests, but this will help to test the overall code. Also, it does make some noise, but it would be good to look at it, as there are so many different users who will be contributing to or using the plugins. Overall it will help to catch CVEs before merging any new PRs.
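As an added example, not the PR's own workflow file (which the page does not show), here is a GitHub Actions workflow of the kind the description outlines: a Trivy filesystem scan restricted to HIGH and CRITICAL findings, with results uploaded to GitHub code scanning, plus a second job running govulncheck, the reachability-aware tool raised in the maintainer's question above. The file name, job names, the action version pins, and the `ignore-unfixed`/severity choices are assumptions, not settings taken from the PR.

```yaml
# .github/workflows/trivy-scan.yml  (added example; file name and job names are assumptions)
name: trivy-scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the repository's Security tab

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Filesystem scan: reads go.mod/go.sum and reports only HIGH/CRITICAL.
      # ignore-unfixed drops findings that have no fixed version yet, which
      # removes one common class of noise without hiding actionable results.
      - name: Run Trivy (filesystem scan)
        uses: aquasecurity/trivy-action@0.28.0   # assumed pin; replace with a reviewed tag or commit SHA
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          format: sarif
          output: trivy-results.sarif
          exit-code: '1'   # fail the check so the PR cannot merge with open findings

      # Upload even when the scan step failed, so findings show up as code
      # scanning alerts on the PR instead of only in the job log.
      - name: Upload Trivy results to GitHub code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # govulncheck reports only vulnerabilities in functions the module
      # actually calls, so it answers the "is this CVE reachable?" question
      # that Trivy's version match on go.sum does not.
      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest   # pin a version in a real workflow
          govulncheck ./...
```

Trivy's dependency scan is a version match against go.sum, so it flags every vulnerable module in the graph whether or not the affected code path is reachable; govulncheck's call-graph analysis is what trims that to the applicable subset. Findings that are reviewed and accepted can be listed in a `.trivyignore` file at the repository root so they stop failing the check.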
@squeed Please review the PR.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.