ci: integrate automated Trivy security scanning in CI workflows

- Add explicit permissions for contents, packages, and security-events to the Docker GitHub Actions workflow
- Integrate Trivy vulnerability scanning and results upload into the Docker workflow
- Add a dedicated GitHub Actions workflow for Trivy security scanning of both repository files and Docker images, with scheduled, push, and pull request triggers
- Ensure Trivy SARIF results are uploaded to the GitHub Security tab after scans

Signed-off-by: appleboy <appleboy.tw@gmail.com>

.github/workflows/docker.yml

@@ -10,6 +10,11 @@ on:
     branches:
       - "master"
 
+permissions:
+  contents: read
+  packages: write
+  security-events: write
+
 jobs:
   build-docker:
     runs-on: ubuntu-latest
@@ -60,7 +65,33 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
 
+      - name: Build image for scanning
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64
+          file: docker/Dockerfile
+          push: false
+          load: true
+          tags: ${{ github.repository }}:scan
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ github.repository }}:scan"
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
+          exit-code: "1"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"
+
       - name: Build and push
+        if: success()
         uses: docker/build-push-action@v6
         with:
           context: .