
chore(deps): Bump aquasecurity/trivy-action from 0.28.0 to 0.35.0 #3


Workflow file for this run

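# NOTE(review): despite its name, this workflow contains no CodeQL step - it runs
# Bandit (Python) and `npm audit` (JavaScript). If "CodeQL" is a required status
# check on main, that check is being satisfied without a CodeQL scan. Either
# rename the workflow to match what it does or add github/codeql-action. The
# name is kept here so any existing required-check configuration keeps matching.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly run (Mondays 04:17 UTC) independent of code changes.
    - cron: "17 4 * * 1"

# Least privilege: nothing here writes to the repository. Both scanners only
# read the checkout and print their results to the job log.
permissions:
  contents: read

# NOTE(review): actions are pinned to major tags (@v4/@v5), which are mutable.
# For supply-chain hardening pin each `uses:` to a full commit SHA (keeping the
# tag in a trailing comment) and let Dependabot bump the SHA.
jobs:
  analyze-python:
    runs-on: ubuntu-latest
    # Bound runtime so a hung scan cannot hold a runner indefinitely.
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install
        # bandit is installed unpinned; pin it once a baseline version is agreed
        # so a new bandit release cannot change the scan result without a diff here.
        run: pip install -e ".[dev,redis,a2a]" bandit
      - name: Bandit SAST scan
        # Bandit exits non-zero when it reports findings; those are evaluated in
        # the next step, so the exit status is ignored here. The report step
        # fails explicitly if the JSON output is missing (i.e. bandit did not run).
        run: bandit -r airlock -c pyproject.toml -f json -o bandit-results.json || true
      - name: Report findings
        # Summarises the Bandit JSON report and fails the job only on HIGH
        # severity findings; MEDIUM findings are printed but do not block.
        # A quoted heredoc keeps the Python out of shell interpolation, so the
        # quotes and braces no longer need escaping.
        run: |
          python - <<'PY'
          import json
          import os
          import sys

          report = "bandit-results.json"
          if not os.path.exists(report):
              # The scan's exit status was discarded above; a missing report means
              # bandit itself failed, which must not pass silently.
              print(f"FAIL: {report} not found - bandit did not run")
              sys.exit(1)

          with open(report) as f:
              data = json.load(f)
          results = data.get("results", [])
          if not results:
              print("No security issues found.")
              sys.exit(0)

          high = [r for r in results if r["issue_severity"] == "HIGH"]
          med = [r for r in results if r["issue_severity"] == "MEDIUM"]
          low = [r for r in results if r["issue_severity"] == "LOW"]
          print(f"Found {len(high)} HIGH, {len(med)} MEDIUM, {len(low)} LOW severity issues")
          for r in high + med:
              print(f" {r['issue_severity']}: {r['issue_text']}")
              print(f" {r['filename']}:{r['line_number']}")
          if high:
              print("FAIL: HIGH severity issues found")
              sys.exit(1)
          PY

  analyze-javascript:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
      - name: Install
        # `npm ci` installs exactly what the lockfile pins, so the audit below
        # covers the dependency tree that is actually built.
        run: npm ci
      - name: Build
        run: npm run build:js
      - name: Audit npm dependencies
        # Production dependencies only (--omit=dev); build-time tooling is
        # out of scope for this check.
        # --audit-level=high makes the step exit non-zero on high/critical
        # advisories, the same threshold the Bandit job blocks on. Previously
        # `|| true` hid every result behind a green step; continue-on-error keeps
        # the job non-blocking for now but surfaces findings as a failed step.
        # Drop continue-on-error once the baseline is clean so high+ advisories
        # block merges.
        continue-on-error: true
        run: npm audit --omit=dev --audit-level=high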