Use separate upload job for artifact deps

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

Author: ddelnano

.github/workflows/trivy_images.yaml

@@ -62,10 +62,12 @@ jobs:
           //k8s/${{ matrix.artifact }}:${{ matrix.artifact }}_image_list
 
         # Ignore images whose basename is "/${{ matrix.artifact }}" to avoid scanning the bazel built images (e.g. /vizier-, /cloud-)
-        cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=sarif/${{ matrix.artifact }}/$(basename {} | cut -d":" -f1).sarif'
+        deps_output_dir=sarif/${{ matrix.artifact }}_deps
+        cat ./bazel-bin/k8s/${{ matrix.artifact }}/${{ matrix.artifact }}_image_list.txt | grep -v "\/${{ matrix.artifact }}" | xargs -I{} sh -c 'trivy image {} --format=sarif --output=${deps_output_dir}/$(basename {} | cut -d":" -f1).sarif'
       # yamllint enable rule:line-length
     - run: |
-        for f in "sarif/${{ matrix.artifact }}/"*; do
+        # Loop through all ${artifact} and ${artifact}_deps sarif files
+        for f in "sarif/${{ matrix.artifact }}"*/*; do
           jq '.runs[].tool.driver.name = "trivy-images"' < "$f" > tmp
           # The runAutomationDetails's object must contain a unique category as required by the CodeQL SARIF uploader
           # The id value will be interpreted like so: "${category}/${run_id}"
@@ -75,3 +77,9 @@ jobs:
     - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
       with:
         sarif_file: sarif/${{ matrix.artifact }}
+    # TODO(ddelnano): Remove this check once the operator dependency images are supported. This requires rendering helm templates
+    # and requires some additional work.
+    - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
+      if: ${{ matrix.artifact != 'operator' }}
+      with:
+        sarif_file: sarif/${{ matrix.artifact }}_deps