ci: [KAN-137] add trivy scan

Author: lianjin

.github/workflows/trivy.yml

@@ -0,0 +1,34 @@
+name: Build & Trivy Scan
+on:
+    push:
+        branches:
+            - main
+    pull_request:
+        branches:
+            - main
+
+jobs:
+  build-and-scan:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image
+        run: |
+          docker build -t "${DOCKER_HUB_USERNAME}/ceramicraft-user-mservice:${{ github.sha }}" server/
+
+      # scan and block if high severity vulnerabilities found
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "${{ env.DOCKER_HUB_USERNAME }}/ceramicraft-user-mservice:${{ github.sha }}"
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'          # non zero exit code if vulnerabilities found
+          ignore-unfixed: true    # ingnore unfixed vulnerabilities

server/Dockerfile

@@ -1,5 +1,5 @@
 # Use the official Go image with version 1.24
-FROM golang:1.24.0-alpine AS builder 
+FROM golang:1.24.6-alpine AS builder 
 
 # Set the working directory inside the container
 WORKDIR /app