Add Trivy vulnerability scanning to CI workflow

- Scan pushed Docker image for vulnerabilities
- Upload scan results to Security Agent
- Fail build on HIGH/CRITICAL vulnerabilities

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: shahidhk

.github/workflows/ndc-python-lambda-connector.yaml

@@ -121,6 +121,45 @@ jobs:
           tags: ${{ steps.docker-metadata.outputs.tags }}
           labels: ${{ steps.docker-metadata.outputs.labels }}
 
+      - name: Get image tag for scanning
+        id: get-image-tag
+        run: |
+          IMAGE_TAG="${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${GITHUB_REF#refs/tags/}"
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Run Trivy vulnerability scanner (json output)
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: ${{ steps.get-image-tag.outputs.image_tag }}
+          format: json
+          output: trivy-results.json
+          scanners: vuln
+
+      - name: Upload Trivy scan results to Security Agent
+        uses: hasura/security-agent-tools/upload-file@v1
+        with:
+          file_path: trivy-results.json
+          security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }}
+          tags: |
+            service=ndc-python-lambda
+            source_code_path=ndc-python-lambda
+            docker_file_path=Dockerfile
+            scanner=trivy
+            image_name=${{ steps.get-image-tag.outputs.image_tag }}
+            product_domain=hasura-ddn
+            team=platform
+
+      - name: Fail build on High/Critical Vulnerabilities
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          skip-setup-trivy: true
+          image-ref: ${{ steps.get-image-tag.outputs.image_tag }}
+          format: table
+          severity: CRITICAL,HIGH
+          scanners: vuln
+          ignore-unfixed: true
+          exit-code: 1
+
   release-connector:
     name: Release connector
     runs-on: ubuntu-latest