export trivy report as codequality
Description
Container Scanning integration in the GitLab UI (via the container_scanning report) is an Ultimate-only feature.
Trivy can also output a Code Quality (codequality) report. While not security focused, it has an integration in the pipelines view even in the Free tier.
Implementation ideas
```yaml
docker-trivy:
  script: |
    # redacted for readability
    # Generate a report in the GitLab format
    trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json reports/docker-trivy-${basename}.native.json
    # Generate a report in the Code Climate format
    trivy convert --format template --template "@/contrib/gitlab-codequality.tpl" --output reports/docker-trivy-${basename}.codeclimate.json reports/docker-trivy-${basename}.native.json
    # console output
    trivy convert --format table reports/docker-trivy-${basename}.native.json
    exit $exit_code
  artifacts:
    reports:
      container_scanning: "reports/docker-trivy-*.gitlab.json"
      codequality: "reports/docker-trivy-*.codeclimate.json"
```
Maybe do not enable reports: codequality by default, as it would lead to duplicated findings in Ultimate groups.
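For reference, this is the kind of mapping the gitlab-codequality.tpl template performs: Trivy's native JSON (Results[].Vulnerabilities[]) becomes a Code Climate issue list with a description, severity, location and a stable fingerprint, which is what lets GitLab match the same finding across pipelines. This is an added illustration, not the template or Trivy's own code; the severity mapping, the fingerprint scheme and the sample report are assumptions constructed here.

```python
import hashlib
import json

# Trivy severity -> Code Climate severity (assumed mapping, not the template's own)
SEVERITY_MAP = {"CRITICAL": "blocker", "HIGH": "critical", "MEDIUM": "major",
                "LOW": "minor", "UNKNOWN": "info"}


def fingerprint(target: str, vuln: dict) -> str:
    """Stable ID so GitLab can match the same finding across pipelines."""
    key = f"{target}|{vuln['PkgName']}|{vuln['InstalledVersion']}|{vuln['VulnerabilityID']}"
    return hashlib.sha256(key.encode()).hexdigest()


def trivy_to_codequality(report: dict) -> list:
    """Flatten Results[].Vulnerabilities[] into Code Climate issue objects."""
    issues = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion") or "no fix available"
            issues.append({
                "type": "issue",
                "check_name": vuln["VulnerabilityID"],
                "description": f"{vuln['PkgName']} {vuln['InstalledVersion']}: "
                               f"{vuln.get('Title', vuln['VulnerabilityID'])} (fixed: {fixed})",
                "fingerprint": fingerprint(target, vuln),
                "severity": SEVERITY_MAP.get(vuln.get("Severity", "UNKNOWN"), "info"),
                # Code Quality requires a path; the scan target stands in for a file
                "location": {"path": target, "lines": {"begin": 1}},
            })
    return issues


# Constructed sample in the shape of Trivy's native JSON (not a real scan result)
SAMPLE_REPORT = {"Results": [{
    "Target": "registry.example.com/app:1.0 (debian 12.4)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
         "Severity": "HIGH", "Title": "example heap overflow"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "othertool",
         "InstalledVersion": "2.3", "Severity": "LOW", "Title": "example DoS"},
    ],
}]}

if __name__ == "__main__":
    print(json.dumps(trivy_to_codequality(SAMPLE_REPORT), indent=2))
```

The fingerprint only deduplicates within the codequality report across pipelines; it does not stop the same CVE from also appearing in the container_scanning report on Ultimate, which is the duplication noted above.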