Merge pull request #6 from madrisan/trivy_scan

ci: github/workflows: add trivy scan

Author: madrisan

.github/workflows/build-checks.yml

@@ -37,3 +37,18 @@ jobs:
       # step 4: run test
       - name: Run the tests
         run: make test
+
+      # step 5: trivy scan
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'