add image scanning on pull_request

[zhzhuang-zju]

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
add image scanning on pull_request to protect against security vulnerabilities
Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
Refer to https://github.com/karmada-io/karmada/actions/runs/7112047275/job/19361222115

Does this PR introduce a user-facing change?:

NONE

[karmada-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign garrybest after the PR has been reviewed.
You can assign the PR to them by writing /assign @garrybest in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (0e501b6) 51.82% compared to head (29d3790) 51.89%.
Report is 1 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4384      +/-   ##
==========================================
+ Coverage   51.82%   51.89%   +0.07%     
==========================================
  Files         244      246       +2     
  Lines       24234    24328      +94     
==========================================
+ Hits        12560    12626      +66     
- Misses      10993    11016      +23     
- Partials      681      686       +5     

Flag	Coverage Δ
unittests	51.89% <ø> (+0.07%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[RainbowMango]

@liangyuanpeng Can you help to take a look?

[zhzhuang-zju]

@liangyuanpeng Can you help to take a look?

Hi~If interested, you can also review pr #4184 together, which also integrates trivy to ci, but for security scanning of older images.

[zhzhuang-zju]

[liangyuanpeng]

Interesting,I will add this to my list ASAP :)

[liangyuanpeng]

I can understand what this PR hopes to do, but I think scheduled execution may be enough, and I think the value added by scanning container images on the PR may be very small, even if it does not hinder the PR but does take up some github action CI time.

Could you please add that scheduled scan image is not sufficient? Remind me if i missed something,Thanks.
@zhzhuang-zju

[zhzhuang-zju]

@liangyuanpeng @RainbowMango
Hi~ On the basis of the original image scanning, I tried to add some vulnerability analysis. By comparing the vulnerabilities scanned in the PR with those scanned in the Baseline branch, the following content can be analyzed:

• the vulnerabilities fixed by PR
  refer to https://github.com/zhzhuang-zju/karmada/actions/runs/7582306257/job/20651617732?pr=3
  
• the vulnerabilities introduced by this PR
  refer to https://github.com/zhzhuang-zju/karmada/actions/runs/7582111908/job/20651024425
  

The CI failure is because a merge of #4567 is required first.

[XiShanYongYe-Chang]

This effect looks great.