OneDev 10.5 - Security fixes, trivy integration, better container image workflow, and cache improvements

Highlights in this release:

Docker image pollution vulnerability fix

Untrusted users could publish fake docker images on a node via the docker executor, polluting the images used by other jobs running on the same node. This release fixes this vulnerability by always pulling the image when running a job. Also, the container image build step no longer allows creating images on the docker daemon. Images should either be pushed to a registry or saved as a local OCI layout.

Better docker image publish workflow

OCI layout is now used as the exchange medium between different image processing steps, such as image build, image pull/push, and image scanning. This enables a safer and more streamlined multi-arch image publish workflow, for instance building an image as an OCI layout, scanning the OCI layout for vulnerabilities, and pushing the OCI layout to a registry only if no severe vulnerabilities are found.

Tight trivy integration (enterprise edition)

Various trivy steps scan dependencies, binaries, or docker images for security vulnerabilities, license violations, or secret exposures. A trivy database cache speeds up scanning. A single step scans all platforms in an OCI layout, which is the result of either a build image step or an image pull step. Check this tutorial for more details.
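The "scan, then push only if nothing severe was found" gate that the OCI layout workflow and the trivy steps above describe, as an added example that is not OneDev's or Trivy's own code. It assumes the report was produced with `trivy image --format json` (with `--input` pointing at the OCI layout produced by the build step) and follows Trivy's documented JSON shape: a top-level `Results` list whose entries carry a `Target` and an optional `Vulnerabilities` list with `VulnerabilityID`, `Severity` and `FixedVersion`. The sample report, its targets and its CVE identifiers are constructed placeholders; the threshold and `ignore_unfixed` knobs are this example's own, not OneDev settings.

```python
"""Severity gate over a Trivy JSON report before an OCI layout is pushed.

Added example, not OneDev's or Trivy's code. Assumes Trivy's JSON report
layout (Results -> Target / Vulnerabilities -> VulnerabilityID, Severity,
FixedVersion). All sample data below is constructed for illustration.
"""
import json
import sys
from collections import Counter

# Trivy severity names, lowest to highest; UNKNOWN ranks lowest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report for a two-platform OCI layout. The CVE ids are
# placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "app (alpine) [linux/amd64]",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "libexample",
                 "Severity": "MEDIUM", "FixedVersion": "1.2.4"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "libother",
                 "Severity": "HIGH", "FixedVersion": ""},
            ],
        },
        {
            "Target": "app (alpine) [linux/arm64]",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "libexample",
                 "Severity": "CRITICAL", "FixedVersion": "1.2.4"},
            ],
        },
        # A secret-scan result carries no Vulnerabilities list at all.
        {"Target": "usr/bin/app", "Class": "secret"},
    ],
})


def load_findings(report_text):
    """Flatten the report into (target, vuln_id, severity, has_fix) tuples."""
    data = json.loads(report_text)
    findings = []
    for result in data.get("Results", []):
        # "Vulnerabilities" may be absent or null for clean/secret targets.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append((
                result.get("Target", "?"),
                vuln.get("VulnerabilityID", "?"),
                vuln.get("Severity", "UNKNOWN").upper(),
                bool(vuln.get("FixedVersion")),
            ))
    return findings


def evaluate_gate(report_text, threshold="HIGH", ignore_unfixed=False):
    """Return (allowed, blocking_findings, counts_by_severity).

    A finding blocks the push when its severity is at or above `threshold`.
    With ignore_unfixed=True, findings that have no fixed version are not
    counted as blocking (a deliberate risk trade-off, so it is off by default).
    """
    min_rank = SEVERITY_ORDER.index(threshold.upper())
    blocking = []
    counts = Counter()
    for target, vuln_id, severity, has_fix in load_findings(report_text):
        counts[severity] += 1
        rank = SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0
        if rank >= min_rank and not (ignore_unfixed and not has_fix):
            blocking.append((target, vuln_id, severity))
    return (not blocking, blocking, dict(counts))


if __name__ == "__main__":
    # Read a real report from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    allowed, blocking, counts = evaluate_gate(text, threshold="HIGH")
    print("severity counts:", counts)
    for target, vuln_id, severity in blocking:
        print(f"BLOCK {severity:8} {vuln_id} in {target}")
    print("push allowed" if allowed else "push denied")
    sys.exit(0 if allowed else 1)  # non-zero exit fails the CI step
```

Because every platform in the layout appears as its own `Target`, the blocking list says which architecture carries the finding, which is the detail a single multi-arch scan step otherwise hides. Trivy's own `--severity` and `--exit-code` flags give the simpler all-or-nothing form of this gate; the script is useful when the decision must also consider fix availability or be reported per platform.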

CI/CD cache step improvements

The cache step is now able to upload cache to any parent project, and can load cache along the project hierarchy. This makes it possible to share cache within a project tree, reducing disk space usage and increasing cache usage efficiency. An upload strategy is also added to the cache step, to upload the cache either when the cache is not hit or when certain files in the cache path have changed.
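A model of the two behaviours described above, hierarchical cache lookup and change-triggered upload, as an added example that is not OneDev's own code. It assumes projects are named with `/`-separated paths (so the parents of `acme/web/frontend` are `acme/web` and `acme`), a cache store keyed by (owning project, cache key), and the strategy names `on_miss` and `on_change`, all of which are this example's assumptions rather than OneDev identifiers.

```python
"""Cache lookup along a project hierarchy and change-based upload decisions.

Added example, not OneDev's code. Assumes '/'-separated project paths and a
store keyed by (project, cache_key). Sample data is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample store: the org-level project holds one cache, the
# "web" sub-tree holds a more specific one under the same key.
SAMPLE_STORE = {
    ("acme", "npm-deps"): "blob-org",
    ("acme/web", "npm-deps"): "blob-web",
}


def ancestors(project):
    """Yield the project, then each parent up to the root: a/b/c, a/b, a."""
    parts = project.strip("/").split("/")
    for n in range(len(parts), 0, -1):
        yield "/".join(parts[:n])


def resolve_cache(project, key, store):
    """Return (owner_project, artifact) for the nearest hit, or None."""
    for candidate in ancestors(project):
        artifact = store.get((candidate, key))
        if artifact is not None:
            return candidate, artifact
    return None


def snapshot_tree(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def changed_paths(before, after):
    """Paths added, removed, or modified between two snapshots."""
    return sorted(p for p in before.keys() | after.keys()
                  if before.get(p) != after.get(p))


def should_upload(strategy, cache_hit, before, after, watched=None):
    """Decide whether the job should upload its cache path.

    on_miss:   upload only when no cache was found in the hierarchy.
    on_change: upload when a file under the cache path changed during the
               job; if `watched` is given, only those paths count.
    """
    if strategy == "on_miss":
        return not cache_hit
    if strategy == "on_change":
        diff = changed_paths(before, after)
        if watched is not None:
            diff = [p for p in diff if p in watched]
        return bool(diff)
    raise ValueError(f"unknown upload strategy {strategy!r}")


if __name__ == "__main__":
    hit = resolve_cache("acme/web/frontend", "npm-deps", SAMPLE_STORE)
    print("lookup from acme/web/frontend ->", hit)

    # Simulate a job that touches one file in its cache directory.
    with tempfile.TemporaryDirectory() as cache_dir:
        (Path(cache_dir) / "lock.json").write_text("v1")
        (Path(cache_dir) / "index").write_text("same")
        before = snapshot_tree(cache_dir)
        (Path(cache_dir) / "lock.json").write_text("v2")
        after = snapshot_tree(cache_dir)
        print("changed:", changed_paths(before, after))
        print("upload (on_change, watching lock.json):",
              should_upload("on_change", True, before, after, {"lock.json"}))
```

Hashing a snapshot before and after the job is what makes the "certain files changed" strategy cheap to evaluate: only the watched paths' digests need comparing, so a large cache directory is not re-uploaded because an unrelated temporary file appeared.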

© 2023-Present OneDev Pty. All rights reserved.