ci: add scans with trivy & gitleaks

.github/workflows/gitleaks.yml

@@ -0,0 +1,39 @@
+name: Gitleaks Scan
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  gitleaks:
+    name: Gitleaks OSS Scan
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Download Gitleaks 8.27.0
+        run: |
+          curl -sSL -o gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.27.0/gitleaks_8.27.0_linux_x64.tar.gz
+          echo "ba75459d765ebc9e940c0123a2d41a29e87be674b5ecaaacd5f82f26009255d5  gitleaks.tar.gz" | sha256sum -c -
+
+      - name: Extract and install Gitleaks
+        run: |
+          tar -xzf gitleaks.tar.gz
+          sudo mv gitleaks /usr/local/bin/
+          gitleaks version
+
+      - name: Run Gitleaks
+        run: |
+          gitleaks detect --source . \
+            --report-path=gitleaks-report.sarif \
+            --redact \
+            --exit-code 1
+
+      - name: Upload SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gitleaks-report.sarif

.github/workflows/trivy.yml

@@ -0,0 +1,33 @@
+name: Trivy Scan
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  trivy-scan:
+    name: Trivy - Docker Image & Code Scan
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker (optional, ensures clean setup)
+        run: docker system prune -af
+
+      - name: Build Docker image locally
+        run: docker build -t gistsapp/api:${{ github.sha }} .
+
+      - name: Run Trivy image scan
+        id: trivy_image
+        continue-on-error: true
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'gistsapp/api:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'