Add pipeline for build goss docker image

[dklimpel]

Checklist

• make test-all (UNIX) passes. CI will also test this
• unit and/or integration tests are included (if applicable)
• documentation is changed or added (if applicable)

Description of change

Add building own docker image and upload to ghcr.io. Realted image: https://github.com/aelsabbahy/goss-docker/blob/master/Dockerfile

Build image from

• master branch with goss version: <latest-tag>-master+<short commit sha> (semantic version)
• tag with version <tag>

Add CVE scan to github security page

Related to:

• Build own docker images for integration tests #901

[aelsabbahy]

So is this essentially a replacement for: https://github.com/aelsabbahy/goss-docker

Btw.. many thanks for the awesome work you've submitted! These are all great improvements.

[aelsabbahy]

Added a small question, and might be helpful to add some documentation to this PR (can be minimal). Otherwise, it seems ready to merge

[aelsabbahy]

Is this some thing that typically runs before or after the container is pushed to the repository?

Also, when doing a goss release, this will run against the master branch, but not the released version?

[dklimpel]

This is a small add on and runs whenever (after) an image (goss:master) is pushed into the repo. It scans the image goss:master and not the repository. This is the same image as the tagged image at the time of creating a tag. The step should not trigger a failing, but serves to keep an overview of the image. It scans not only the goss binary, but the whole image including the operating system (base image).
This gives you an overview of the status of the CVEs at the time the image was published. In my opinion, this cannot replace a regular scan of your own code.

[dklimpel]

Added a small question, and might be helpful to add some documentation to this PR (can be minimal). Otherwise, it seems ready to merge

Did you mean this kind of documentation? Or something to the GH pipeline?

[aelsabbahy]

Did you mean this kind of documentation? Or something to the GH pipeline?

Yup, this looks great!

[dklimpel]

I will have a look why it is failing. I had tested it successfully.

[dklimpel]

In my repo I have not problems and it works. But I cannot see the package in goss Repo: https://github.com/orgs/goss-org/packages?repo_name=goss

Perhaps GH needs some time to activate.

[dklimpel]

It seems that permissions have to set there for the package: https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility

[aelsabbahy]

Yeah it's set to private, but I can't set it to public due to org settings. I'll take a look at it sometime in the next couple of days.

[aelsabbahy]

https://github.com/goss-org/goss/pkgs/container/goss

Done, was pretty simple actually.