ci: security checks

.github/workflows/bandit.yaml

@@ -0,0 +1,30 @@
+name: Bandit Scan
+
+on: [push]
+
+jobs:
+ bandit:
+   name: Run Bandit Scan
+   runs-on: ubuntu-latest
+
+   steps:
+   - name: Checkout code
+     uses: actions/checkout@v4
+
+   - name: Set up Python
+     uses: actions/setup-python@v5
+     with:
+       python-version: 3.12
+
+   - name: Install Bandit
+     run: pip install bandit
+
+   - name: Run Bandit Scan
+     run: bandit -ll -ii -r . -f json -o bandit-report.json
+
+   - name: Upload Artifact
+     uses: actions/upload-artifact@v4
+     if: always()
+     with:
+        name: bandit-findings.json
+        path: bandit-report.json

.github/workflows/build-docker.yaml

@@ -24,6 +24,8 @@ jobs:
     permissions: # Permissions granted to the 'GITHUB_TOKEN'
       contents: read
       packages: write
+      pull-requests: write
+
     outputs:
       imageid: ${{ steps.build.outputs.imageid }}
     steps:
@@ -57,6 +59,25 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Docker Scout
+        id: docker-scout
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: ${{ steps.meta.outputs.tags }}
+          only-severities: critical,high
+          write-comment: true
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+          sarif-file: sarif.output.json
+          summary: true
+
+      - name: Upload SARIF result
+        id: upload-sarif
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif.output.json
+
   deploy:
     # Only on manual trigger or push to main
     if: github.repository_owner == 'one-zero-eight' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/heads/main'))