ci: add Trivy security scan workflow

Add GitHub Actions workflow for Trivy scanning with two jobs:
- Filesystem vulnerability scan (CRITICAL, HIGH) on Cargo dependencies
- Config/IaC misconfiguration scan (CRITICAL, HIGH, MEDIUM) on workflows

Results are uploaded as SARIF to GitHub Security tab. External vendored
code is excluded via skip-dirs. Runs on push/PR to main and weekly cron.

Co-authored-by: Claude Opus 4 (Anthropic) <noreply@anthropic.com>
Signed-off-by: Stanislaw Grams <stanislaw.grams@intel.com>

Author: 2 people

.github/workflows/trivy.yml

@@ -0,0 +1,78 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Run weekly to catch newly disclosed vulnerabilities
+    - cron: "0 6 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  vulnerability-scan:
+    name: Vulnerability Scan (fs)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+
+      - name: Apply patch
+        shell: bash
+        run: ./sh_script/pre-build.sh
+
+      - name: Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-fs-results.sarif
+          severity: CRITICAL,HIGH
+          # Skip test key material
+          skip-dirs: test_key
+
+      - name: Upload Trivy SARIF to GitHub Security
+        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        if: always()
+        with:
+          sarif_file: trivy-fs-results.sarif
+          category: trivy-fs
+
+  config-scan:
+    name: Config & IaC Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+
+      - name: Run Trivy config scan
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          scan-type: config
+          scan-ref: .
+          format: sarif
+          output: trivy-config-results.sarif
+          severity: CRITICAL,HIGH,MEDIUM
+          # Skip test key material
+          skip-dirs: test_key
+
+      - name: Upload Trivy config SARIF to GitHub Security
+        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        if: always()
+        with:
+          sarif_file: trivy-config-results.sarif
+          category: trivy-config