Add Trivy vulnerability scanning to Docker publish workflow

Author: dash14

.github/workflows/docker-publish.yml

@@ -12,6 +12,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      security-events: write
 
     steps:
       - name: Checkout
@@ -41,6 +42,29 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Build image for scanning
+        uses: docker/build-push-action@v6
+        with:
+          context: docker
+          load: true
+          tags: ghcr.io/${{ github.repository }}:scan
+
+      - name: Scan image with Trivy
+        id: trivy-scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:scan
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+          exit-code: '1'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always() && steps.trivy-scan.conclusion != 'skipped'
+        with:
+          sarif_file: trivy-results.sarif
+
       - name: Build and push
         uses: docker/build-push-action@v6
         with: