adds trivy for image scanning

Signed-off-by: GitHub <noreply@github.com>

.github/workflows/trivy.yml

@@ -0,0 +1,29 @@
+name: trivy vulnerability scanner
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build an image from Dockerfile
+        run: |
+          make build.docker
+      
+      - uses: cachix/install-nix-action@v13
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+      - uses: workflow/nix-shell-action@v1
+        env:
+        with:
+          packages: trivy
+          script: |
+            make build.docker
+            ./scripts/run-trivy.sh 
+            

scripts/run-trivy.sh

@@ -0,0 +1,3 @@
+#! /bin/bash
+
+trivy image --exit-code 1 us.gcr.io/k8s-artifacts-prod/external-dns/external-dns:$(git describe --tags --always --dirty)