kratos
Integrated results of scanners in cve-scan workflow with GitHub CodeQL
**Is your feature request related to a problem? Please describe.**

**Describe the solution you'd like**

All scanners used in our cve-scan GHA workflow support the SARIF format and can therefore be integrated into CodeQL. We have to configure each scanner to output SARIF and upload the results to GitHub.
**Describe alternatives you've considered**

Just use simple CLI output, which displays the same data but doesn't make it as easy as CodeQL to track changes and look at findings.

**Additional context**

I already looked into the needed config changes for Trivy and Dockle. Only the format / template / output config options are relevant.
Trivy: I checked the sarif template file into the `.github` directory and used it in the configuration, as there were problems with the embedded template. We need to check if this is still needed.

```yaml
- name: Run Trivy vulnerability scanner (sarif report)
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: '${{ env.IMAGE }}'
    format: 'template'
    template: '@.github/trivy/sarif.tpl'
    output: 'sarif-results/trivy-results.sarif'
    vuln-type: 'os,library'
```
Dockle: SARIF output wasn't imported successfully back then, but we should test with the new version.

```yaml
- name: Run Dockle scanner (sarif report)
  run: |
    dockle -f sarif -o sarif-results/dockle-results.sarif ${{ env.IMAGE }}
```
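For reference, this is an added sketch of the complete job (not the project's workflow) showing the missing piece: the `upload-sarif` step that feeds each report into code scanning. It assumes `env.IMAGE` is set to the image built earlier, that the current trivy-action supports `format: 'sarif'` natively (so the custom template can go), and that `dockle` is already on `PATH`; the image reference is a placeholder.

```yaml
# Added example, not the cve-scan workflow itself. Runs both scanners in SARIF
# mode and uploads each report to GitHub code scanning under its own category.
name: cve-scan
on:
  push:
    branches: [master]
  schedule:
    - cron: '0 6 * * *'

jobs:
  cve-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by github/codeql-action/upload-sarif
    env:
      IMAGE: ghcr.io/example/placeholder-image:latest   # placeholder, set by the build job in practice
    steps:
      - uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner (sarif report)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.IMAGE }}'
          format: 'sarif'            # assumption: native sarif output, no template needed
          output: 'sarif-results/trivy-results.sarif'
          vuln-type: 'os,library'

      - name: Run Dockle scanner (sarif report)
        run: |
          mkdir -p sarif-results    # assumption: dockle is already installed on the runner
          dockle -f sarif -o sarif-results/dockle-results.sarif ${{ env.IMAGE }}

      # One upload per tool: separate categories keep Trivy and Dockle alerts apart
      # in the Security tab and let code scanning track each result set between runs.
      - name: Upload Trivy results to GitHub code scanning
        if: always()               # upload even when the scanner exits non-zero on findings
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'sarif-results/trivy-results.sarif'
          category: 'trivy'

      - name: Upload Dockle results to GitHub code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'sarif-results/dockle-results.sarif'
          category: 'dockle'
```

Without `security-events: write` the upload step fails with a permissions error, and without distinct `category` values a second upload in the same run replaces the first tool's alerts.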