ci: add security scan with trivy

.github/workflows/security-scan.yml

@@ -0,0 +1,48 @@
+name: Security scan
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+  schedule:
+    - cron: '0 9 * * *' # Same time as CI Cron
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Run Trivy in table mode
+        # Table output is only useful when running on a pull request or push.
+        if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: table
+          exit-code: 1
+
+      - name: Run Trivy in report mode
+        # Only generate sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        # Only upload sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif

.trivyignore

@@ -0,0 +1,2 @@
+# Ignore missing HEALTHCHECK in Dockerfile - devenv service from files/Dockerfile doesn't need it:
+AVD-DS-0026

trivy.yaml

@@ -0,0 +1,18 @@
+db:
+  repository:
+    - mirror.gcr.io/aquasec/trivy-db:2
+
+scan:
+  scanners: 
+    - vuln
+    - misconfig
+  skip-dirs: vendor
+
+severities:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+  - LOW
+
+vulnerability:
+  ignore-unfixed: true