feat: Add automatic container image security scanning using Trivy

[haroon0x]

What this PR does / why we need it:

Implements automatic container image vulnerability scanning using Trivy in the CI/CD pipeline. Every image built by the project will now be scanned for security vulnerabilities before being pushed to the registry.

This addresses the need for regular, automated security scanning rather than relying on manual scans before releases.
Fixes #2095

Changes

Modified: .github/workflows/template-publish-image/action.yaml

• Added scan-image input parameter (default: true) to enable/disable scanning
• Added "Build Image for Scanning" step - builds single-arch image locally for Trivy
• Added "Run Trivy Vulnerability Scanner" step - scans for CRITICAL and HIGH severity vulnerabilities
• Added "Upload Trivy Scan Results" step - uploads SARIF results to GitHub Security tab

How it works

Build (amd64) → Trivy Scan → Upload SARIF → Multi-arch Build → Push

Configuration

Setting	Value	Reason
Severity	CRITICAL,HIGH	Focus on actionable vulnerabilities
ignore-unfixed	true	Skip vulnerabilities without available fixes
Format	sarif	GitHub Code Scanning integration
Scan arch	linux/amd64	Speed optimization (vulns are consistent across architectures)

Note: This implementation is non-blocking by default - scan results are uploaded for visibility but do not fail the build. This can be changed to a blocking gate by adding exit-code: '1' to the Trivy action configuration.

Checklist:

• Docs included if any changes are user facing

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign johnugeorge for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

🎉 Welcome to the Kubeflow Katib repo! 🎉

Thanks for opening your first PR! We're excited to have you onboard 🚀

Next steps:

• Our team will review your PR soon! cc @kubeflow/wg-automl-leads
• Check out the Contributing Guide and the Kubeflow Contributor Guide
• Join the Kubeflow Slack channels: https://www.kubeflow.org/docs/about/community/#kubeflow-slack-channels
• Join the AutoML & Training WG meetings: https://bit.ly/2PWVCkV

Feel free to ask questions in the comments. Thanks again for contributing! 🙏

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[andreyvelich]

We are no longer using Trivy for scanning
/close

[google-oss-prow]

@andreyvelich: Closed this PR.

Details

In response to this:

We are no longer using Trivy for scanning
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.