Scan containers with Trivy before pushing

[johnjeffers]

Update the Deploy workflow to include trivy scans before push. The workflow will fail on any High or Critical vuln that has a mitigation path, but skips vulns with no fixes via the --ignore-unfixed flag.

Other changes:

• updates all of the existing Github and Docker Actions to the latest versions.
• updates the Dockerfile to add --no-install-recommends to the apt install so the pre-build scan does not fail.

[wied03]

just a few questions

[wied03]

Trying to think through real world edge cases here. If we had an unknown vuln at release time, or a vuln that hits right at release time, this could cause us to fail here and not publish (and in the release process, if we don't publish here soon after S3 artifacts, we have a problem).

Should we make this more of an async, scheduled workflow that doesn't inhibit a release if the scan fails? Or if we don't want to do that, might we need bigger release workflow changes that can build and push a Docker image with a draft set of artifacts before the S3 push, but that might be a heavier lift.

[johnjeffers]

IMO we should not push an image with a known vulnerability, and if that interrupts the release process, that's a good thing.