
ci: add container scanning workflow using trivy #153

Merged

Mossaka merged 3 commits into main from copilot/add-container-scanning on Dec 19, 2025

Conversation

Contributor

Copilot AI commented Dec 19, 2025

Adds automated container vulnerability scanning for the agent and squid container images using Trivy.

Workflow: .github/workflows/container-scan.yml

  • Triggers: Push/PR to main (path-filtered to containers/**), weekly schedule, manual dispatch
  • Scans: Both agent and squid images in parallel jobs
  • Output: Table format for console visibility + SARIF upload to GitHub Security tab
  • Severity: CRITICAL and HIGH only
  • Actions: SHA-pinned where possible, follows existing repo patterns
```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0
  with:
    image-ref: 'awf-agent:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-agent-results.sarif'
    severity: 'CRITICAL,HIGH'

- name: Upload to GitHub Security tab
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: 'trivy-agent-results.sarif'
    category: 'container-agent'
```

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/github/codeql-action/git/ref/tags/v3.28.0
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

add container scanning to this repo
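A complete workflow that realises the bullet list in the description (path-filtered push/PR triggers, weekly schedule, manual dispatch, one parallel job per image, table output plus SARIF upload, CRITICAL/HIGH only). This is an added example, not the PR's own `.github/workflows/container-scan.yml`. Assumptions not on the page: each image builds from `containers/<name>` with a Dockerfile there, the squid image is tagged `awf-squid` (only `awf-agent` appears in the PR), and the cron expression is a constructed Monday-morning slot.

```yaml
name: Container Scan

on:
  push:
    branches: [main]
    paths: ['containers/**']
  pull_request:
    branches: [main]
    paths: ['containers/**']
  schedule:
    - cron: '0 6 * * 1'   # weekly, Monday 06:00 UTC (constructed; the PR only says "weekly")
  workflow_dispatch:

# Least privilege: upload-sarif needs security-events: write; nothing here needs more.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # one image's failure must not cancel the other scan
      matrix:
        image: [agent, squid]   # parallel jobs, one per image
    steps:
      - uses: actions/checkout@v4

      # Assumption: each image builds from containers/<name>; the PR only shows
      # the containers/** path filter and the awf-agent tag.
      - name: Build image
        run: docker build -t "awf-${{ matrix.image }}:${{ github.sha }}" "containers/${{ matrix.image }}"

      # SARIF first, so results reach the Security tab before any gating step runs.
      - name: Run Trivy vulnerability scanner (SARIF)
        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0
        with:
          image-ref: 'awf-${{ matrix.image }}:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-${{ matrix.image }}-results.sarif'
          severity: 'CRITICAL,HIGH'

      # A distinct category per image; uploads sharing a category overwrite each other.
      - name: Upload to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-${{ matrix.image }}-results.sarif'
          category: 'container-${{ matrix.image }}'

      # Table output for the job log. exit-code defaults to '0', so this step only
      # reports; set exit-code: '1' here to make CRITICAL/HIGH findings fail the job.
      - name: Run Trivy vulnerability scanner (table)
        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0
        with:
          image-ref: 'awf-${{ matrix.image }}:${{ github.sha }}'
          format: 'table'
          severity: 'CRITICAL,HIGH'
          # exit-code: '1'
```

Two details worth checking in any such workflow: `security-events: write` must be granted explicitly, or `upload-sarif` fails on repositories with the default read-only token; and because `trivy-action` exits 0 by default, the scan is informational until `exit-code: '1'` is set, which is why the gating table step is placed after the SARIF upload so the findings are recorded even when the job is failed.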



Copilot AI and others added 2 commits December 19, 2025 22:34
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Add container scanning to repository ci: add container scanning workflow using trivy Dec 19, 2025
Copilot AI requested a review from Mossaka December 19, 2025 22:43
@Mossaka Mossaka marked this pull request as ready for review December 19, 2025 23:34
@github-actions
Contributor

Test Coverage Report

| Metric     | Coverage | Covered/Total |
|------------|----------|---------------|
| Lines      | 71.29%   | 991/1390      |
| Statements | 71.39%   | 1016/1423     |
| Functions  | 69.42%   | 109/157       |
| Branches   | 66.33%   | 337/508       |
Coverage Thresholds

The project has the following coverage thresholds configured:

  • Lines: 38%
  • Statements: 38%
  • Functions: 35%
  • Branches: 30%

Coverage report generated by `npm run test:coverage`

@github-advanced-security
Contributor

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@Mossaka Mossaka merged commit 511c415 into main Dec 19, 2025
15 checks passed
@Mossaka Mossaka deleted the copilot/add-container-scanning branch December 19, 2025 23:52