
Add Trivy container vulnerability scanning#1

Merged
dpark01 merged 2 commits into main from add-trivy-container-scanning on Mar 31, 2026

Conversation


@dpark01 dpark01 commented Mar 31, 2026

Summary

  • Adds Trivy vulnerability scanning to the Docker build workflow as a separate scan job
  • Scans run on every push (using the exact image tag from the build) and weekly on the latest image via schedule cron
  • Manual scans supported via workflow_dispatch
  • Build job is gated to skip on schedule/dispatch events — only scans existing images, keeping tags immutable
  • Includes a CVSS-based Rego ignore policy (.trivy-ignore-policy.rego) for batch bioinformatics containers, shared with viral-ngs and py3-bio
  • Empty .trivyignore template for per-CVE exceptions (to be triaged after first scan)
  • SARIF results upload to GitHub Security tab; table output in workflow logs with exit-code: 1 (blocking)

Test plan

  • Verify the scan job runs after build on this branch push
  • Check GitHub Actions logs for Trivy table output and finding count
  • Check the GitHub Security tab for uploaded SARIF results
  • After merge, manually trigger via workflow_dispatch and verify scan-only behavior (no rebuild)
  • Review initial findings and add per-CVE exceptions to .trivyignore if needed

🤖 Generated with Claude Code

Add build-time and scheduled Trivy scanning to the Docker workflow.
Scans run after each push (using the built image tag) and weekly on
the latest image. Includes a CVSS-based Rego ignore policy for batch
bioinformatics containers and an empty .trivyignore for per-CVE
exceptions. Results upload to GitHub Security tab via SARIF.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

By default, trivy-action ignores the severity filter for SARIF output,
causing medium/low findings to leak into the GitHub Security tab. The
limit-severities-for-sarif flag enforces the CRITICAL,HIGH filter on
SARIF output as well.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
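An added example (not the PR's own workflow file, which this page does not show) of how the pieces in the summary above and the second commit's limit-severities-for-sarif fix fit together in one GitHub Actions workflow. The image name ghcr.io/OWNER/IMAGE, the cron time and the pinned action versions are assumptions; the real build and push steps are omitted.

```yaml
# Triggers: push builds and scans the new tag; schedule/dispatch scan only.
on:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly (day and hour assumed)
  workflow_dispatch:
permissions:
  contents: read
  security-events: write  # required for the SARIF upload step
jobs:
  build:
    # Gate: skipped on schedule/dispatch so existing tags are never rebuilt.
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.tag.outputs.tag }}
    steps:
      - id: tag   # placeholder image name; real build/push steps omitted
        run: echo "tag=ghcr.io/OWNER/IMAGE:${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
  scan:
    needs: build
    # Runs after a successful build, and also when build was skipped.
    if: always() && needs.build.result != 'failure'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # provides .trivyignore and .trivy-ignore-policy.rego
      - name: Trivy scan, SARIF for the Security tab
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ github.event_name == 'push' && needs.build.outputs.tag || 'ghcr.io/OWNER/IMAGE:latest' }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          limit-severities-for-sarif: true   # without this, MEDIUM/LOW also land in the SARIF
          ignore-policy: .trivy-ignore-policy.rego
          trivyignores: .trivyignore
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
      - name: Trivy scan, table output in the log, blocking
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ github.event_name == 'push' && needs.build.outputs.tag || 'ghcr.io/OWNER/IMAGE:latest' }}
          format: table
          severity: CRITICAL,HIGH
          exit-code: "1"   # fail the job on any unignored CRITICAL/HIGH finding
          ignore-policy: .trivy-ignore-policy.rego
          trivyignores: .trivyignore
```

The SARIF step keeps the default exit code so the upload always happens; the table step is the one that blocks, and both apply the same Rego policy and .trivyignore so the Security tab and the log agree on what counts as a finding.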
@dpark01 dpark01 merged commit eb85114 into main Mar 31, 2026
5 checks passed
@dpark01 dpark01 deleted the add-trivy-container-scanning branch March 31, 2026 14:50
dpark01 added a commit to broadinstitute/viral-ngs that referenced this pull request Mar 31, 2026
By default, trivy-action ignores the severity filter when producing
SARIF output, allowing medium/low findings to leak into the GitHub
Security tab. Adding limit-severities-for-sarif: true ensures only
CRITICAL and HIGH findings appear in SARIF uploads.

Inspired by broadinstitute/read-qc-tools#1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>