feat: add security scan workflow for Docker images (#68)

Author: mcanouil

.github/workflows/security-scan.yml

@@ -0,0 +1,87 @@
+name: "Security: Docker Image Scan"
+
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["Build: Docker Images"]
+    types:
+      - completed
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+  packages: read
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    name: Scan - Quarto ${{ matrix.QUARTO_VERSION }}
+    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
+    strategy:
+      matrix:
+        include:
+          - QUARTO_VERSION: release
+            IMAGE_TAG: release
+          - QUARTO_VERSION: prerelease
+            IMAGE_TAG: prerelease
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Login to Docker registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull Docker image
+        env:
+          IMAGE_TAG: ${{ matrix.IMAGE_TAG }}
+        run: |
+          docker pull ghcr.io/${GITHUB_REPOSITORY}:${IMAGE_TAG}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:${{ matrix.IMAGE_TAG }}
+          format: sarif
+          output: trivy-results-${{ matrix.QUARTO_VERSION }}.sarif
+          severity: CRITICAL,HIGH,MEDIUM
+          scanners: vuln,secret,config
+          list-all-pkgs: true
+
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results-${{ matrix.QUARTO_VERSION }}.sarif
+          category: trivy-${{ matrix.QUARTO_VERSION }}
+
+      - name: Upload scan results as artifact
+        uses: actions/upload-artifact@v5
+        if: always()
+        with:
+          name: trivy-results-${{ matrix.QUARTO_VERSION }}
+          path: trivy-results-${{ matrix.QUARTO_VERSION }}.sarif
+          retention-days: 30
+
+      - name: Generate summary
+        if: always()
+        env:
+          QUARTO_VERSION: ${{ matrix.QUARTO_VERSION }}
+          IMAGE_TAG: ${{ matrix.IMAGE_TAG }}
+        run: |
+          (
+            echo "## Security Scan Results: ${QUARTO_VERSION}"
+            echo ""
+            echo "**Image:** \`ghcr.io/${GITHUB_REPOSITORY}:${IMAGE_TAG}\`"
+            echo ""
+            echo "**Scan Date:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')"
+            echo ""
+            echo "Results have been uploaded to the [Security tab](https://github.com/${GITHUB_REPOSITORY}/security/code-scanning)."
+          ) >>${GITHUB_STEP_SUMMARY}