Add Trivy filesystem scan to GitHub Actions

.github/workflows/trivy.yml

@@ -0,0 +1,37 @@
+name: trivy
+
+on:
+  pull_request:
+    branches:
+      - develop
+      - main
+  push:
+    branches:
+      - develop
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy-fs-scan:
+    name: trivy-fs-scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+          limit-severities-for-sarif: true
+          exit-code: '1'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif

docs/security/code-security.md

@@ -7,6 +7,7 @@ BandScope treats GitHub Code Security as part of bootstrap governance.
 ## Required controls
 
 - CodeQL or equivalent code scanning workflow
+- Trivy filesystem vulnerability scan
 - dependency review on pull requests
 - security audit workflow for npm, Python, and Rust dependencies in scope
 - Dependabot alerts and security updates

docs/security/github-required-checks.md

@@ -10,6 +10,7 @@ These are the merge-gate status checks that should be required on protected bran
 - `dependency-review`
 - `security-audit`
 - `CodeQL`
+- `trivy-fs-scan`
 - `sbom`
 - `release-preflight`
 - `gate / build / windows`
@@ -24,6 +25,7 @@ These are the merge-gate status checks that should be required on protected bran
 - `dependency-review`
 - `security-audit`
 - `CodeQL`
+- `trivy-fs-scan`
 - `sbom`
 - `release-preflight`
 - `gate / build / windows`