Add dependency security check using trivy (#1163)

.woodpecker/docs.yml

@@ -15,6 +15,15 @@ pipeline:
       event: [push, pull_request]
       path: *when_path
 
+  securitycheck:
+    image: aquasec/trivy:latest
+    commands:
+      - trivy fs --exit-code 0 --skip-dirs node_modules/ --skip-dirs plugins/woodpecker-plugins/node_modules --severity UNKNOWN,LOW docs/
+      # TODO currently it is not fixable so just do not block currently
+      - trivy fs --exit-code 0 --skip-dirs node_modules/ --skip-dirs plugins/woodpecker-plugins/node_modules --severity MEDIUM,HIGH,CRITICAL docs/
+    when:
+      path: *when_path
+
   deploy-preview:
     image: woodpeckerci/plugin-surge-preview:next
     settings:

.woodpecker/test.yml

@@ -50,6 +50,15 @@ pipeline:
     image: mstruebing/editorconfig-checker
     group: test
 
+  securitycheck:
+    group: test
+    image: aquasec/trivy:latest
+    commands:
+      - trivy fs --exit-code 0 --skip-dirs web/ --skip-dirs docs/ --severity UNKNOWN,LOW .
+      - trivy fs --exit-code 1 --skip-dirs web/ --skip-dirs docs/ --severity MEDIUM,HIGH,CRITICAL .
+    when:
+      path: *when_path
+
   test:
     image: *golang_image
     group: test

.woodpecker/web.yml

@@ -1,6 +1,8 @@
 variables:
   - &node_image 'node:16-alpine'
   - &when_path
+      # related config files
+      - ".woodpecker/web.yml"
       # web source code
       - "web/**"
 
@@ -40,6 +42,15 @@ pipeline:
     when:
       path: *when_path
 
+  securitycheck:
+    group: test
+    image: aquasec/trivy:latest
+    commands:
+      - trivy fs --exit-code 0 --skip-dirs node_modules/ --severity UNKNOWN,LOW web/
+      - trivy fs --exit-code 1 --skip-dirs node_modules/ --severity MEDIUM,HIGH,CRITICAL web/
+    when:
+      path: *when_path
+
   test:
     group: test
     image: *node_image