Add trivy scanning to PR reports

Signed-off-by: Derek Nola <derek.nola@suse.com>

.github/workflows/e2e.yaml

@@ -119,3 +119,31 @@ jobs:
         . ./tests/docker/test-helpers
         . ./tests/docker/test-run-${{ matrix.dtest }}
         echo "Did test-run-${{ matrix.dtest }} pass $?"
+  trivy:
+    needs: build
+    name: Trivy Scan Image
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 1
+    - name: "Download k3s image"
+      uses: actions/download-artifact@v4
+      with:
+        name: k3s
+        path: ./dist/artifacts
+    - name: Load k3s image
+      run: docker image load -i ./dist/artifacts/k3s-image.tar
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.20.0
+      with:
+        image-ref: 'rancher/k3s'
+        format: 'table'
+        severity: "HIGH,CRITICAL"
+        output: "trivy-report.txt"
+    - name: Add Trivy Report to PR
+      run: |
+        gh pr comment ${{ github.event.number }} --path trivy-report.txt
+