
Add Trivy vulnerability scan workflow with Devin API integration#6

Open
devin-ai-integration[bot] wants to merge 2 commits into master from devin/1765302317-trivy-scan-workflow

Conversation


@devin-ai-integration devin-ai-integration Bot commented Dec 9, 2025

Summary

Adds a new GitHub Actions workflow (.github/workflows/trivy-scan.yml) that automatically scans for security vulnerabilities on pushes to master/main and triggers a Devin session to fix them when vulnerabilities are detected.

The workflow:

  1. Runs Trivy filesystem scan for CRITICAL, HIGH, and MEDIUM severity vulnerabilities
  2. Parses the JSON output to extract vulnerability details
  3. If vulnerabilities are found, calls the Devin API v1 to create a session with a detailed prompt instructing Devin to update dependencies and create a fix PR
  4. Uploads scan results as artifacts for reference

Updates since last revision

Review & Testing Checklist for Human

  • Add the DEVIN_API_TOKEN secret to repository settings (Settings > Secrets and variables > Actions) before merging - the workflow will fail without it
  • Review the jq parsing logic (lines 39, 48-67) for edge cases - if Trivy returns an empty or malformed JSON, the parsing could behave unexpectedly
  • Verify the Devin prompt (lines 80-110) aligns with your expectations for how Devin should handle vulnerability fixes
  • Consider whether you want the workflow to fail (exit 1) when the Devin API call fails, or if it should just warn

Recommended test plan:

  1. Add the DEVIN_API_TOKEN secret to the repository
  2. Merge this PR to master
  3. The workflow should automatically run and detect the known outdated dependencies (Spring Boot 2.6.3, jjwt 0.11.2, SQLite JDBC 3.36.0.3)
  4. Check the Actions tab to verify the workflow runs successfully
  5. Verify a Devin session is created (link will be in the workflow logs)

Notes

  • The workflow uses idempotent: true in the Devin API call to prevent duplicate sessions if the workflow is re-run
  • Only triggers on master/main branch pushes (not on PRs or other branches)
  • Get your Devin API token from: https://app.devin.ai/settings/api-keys

Link to Devin run: https://app.devin.ai/sessions/7768e799d6fe43e7b9f5b2c4eca4f0e5
Requested by: Marcel Schwager (marcel.schwager@codeium.com) / @marcelschwager-ux

Co-Authored-By: Marcel Schwager <marcel.schwager@codeium.com>
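Added example, not code from this PR or from the Devin project: a Python stand-in for the workflow's "parse the Trivy JSON and build the Devin prompt" step (items 2 and 3 of the description), written to handle the edge cases the checklist raises for the jq logic (empty or malformed output, a report with no Results, entries without a Vulnerabilities key, duplicate rows) and to carry the idempotent flag the Notes mention. It assumes Trivy's JSON report layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, Title); the sample report, package names and finding IDs are constructed placeholders, and the request body uses only the two fields named on this page (prompt, idempotent), so any other field the real API needs is not shown here.

```python
import json
from collections import OrderedDict

# Severities the workflow description says Trivy is run for.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM")

# Constructed sample in the shape of a Trivy JSON report; the package names and
# finding IDs are placeholders, not real advisories.
SAMPLE_TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "Results": [
        {
            "Target": "pom.xml", "Class": "lang-pkgs", "Type": "pom",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "org.example:lib-a",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH", "Title": "placeholder high finding"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "org.example:lib-b",
                 "InstalledVersion": "2.0.0", "FixedVersion": "",
                 "Severity": "LOW", "Title": "placeholder low finding"},
                # Same finding reported twice, as happens when a package is
                # reachable through more than one dependency path.
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "org.example:lib-a",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH", "Title": "placeholder high finding"},
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "org.example:lib-c",
                 "InstalledVersion": "3.1.0", "FixedVersion": "3.1.4",
                 "Severity": "CRITICAL", "Title": "placeholder critical finding"},
            ],
        },
        # A scanned target with nothing found carries no "Vulnerabilities" key.
        {"Target": "README.md", "Class": "lang-pkgs", "Type": "unknown"},
    ],
})


def parse_trivy_report(text):
    """Return a flat list of findings from Trivy JSON output.

    Empty, non-JSON or non-object input raises ValueError so that a broken scan
    step fails the job instead of reading as "no vulnerabilities". A valid report
    with no Results (nothing scannable) legitimately yields an empty list.
    """
    if text is None or not text.strip():
        raise ValueError("Trivy output is empty; the scan step probably failed")
    try:
        report = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Trivy output is not valid JSON: {exc}") from exc
    if not isinstance(report, dict):
        raise ValueError("Trivy output is not a JSON object")
    findings = []
    for result in report.get("Results") or []:
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
                "target": target,
                "title": vuln.get("Title", ""),
            })
    return findings


def select_findings(findings, severities=SEVERITIES):
    """Keep the wanted severities, drop duplicate (id, pkg, version) rows and
    order the rest most severe first so the prompt leads with what matters."""
    rank = {s: i for i, s in enumerate(severities)}
    unique = OrderedDict()
    for f in findings:
        if f["severity"] in rank:
            unique.setdefault((f["id"], f["pkg"], f["installed"]), f)
    return sorted(unique.values(), key=lambda f: (rank[f["severity"]], f["id"]))


def build_devin_request(findings, repo):
    """Build the session request body: a prompt listing the findings plus
    idempotent=True so a re-run of the workflow does not open a second session.
    Only 'prompt' and 'idempotent' are taken from the PR description (assumption)."""
    lines = [f"Fix the following dependency vulnerabilities in {repo} by updating "
             "the affected dependencies and open a pull request with the changes:"]
    for f in findings:
        fix = f["fixed"] or "no fixed version published"
        lines.append(f"- {f['severity']} {f['id']}: {f['pkg']} {f['installed']} "
                     f"(fix: {fix}) in {f['target']}")
    return {"prompt": "\n".join(lines), "idempotent": True}


if __name__ == "__main__":
    selected = select_findings(parse_trivy_report(SAMPLE_TRIVY_JSON))
    if selected:
        print(json.dumps(build_devin_request(selected, "example/repo"), indent=2))
    else:
        print("no CRITICAL/HIGH/MEDIUM findings; not creating a session")
```

In the workflow this would replace the jq step: run it after `trivy fs --format json --output trivy.json`, and let it exit non-zero on ValueError so an empty or malformed report is visible as a failed job rather than a clean one.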
@devin-ai-integration
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Co-Authored-By: Marcel Schwager <marcel.schwager@codeium.com>