ci: upload scan results to security agent

.github/workflows/ddn-workspace-testing.yaml

@@ -6,6 +6,7 @@ on:
     branches: [main]
     paths:
       - registry/**
+      - .github/workflows/ddn-workspace-testing.yaml
   workflow_dispatch:
     inputs:
       connectors:
@@ -342,7 +343,26 @@ jobs:
 
           echo "✅ Basic functionality tests passed"
 
+      - name: Run Trivy vulnerability scanner (json output)
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: "ddn-workspace:test"
+          format: json
+          output: trivy-results.json
+          scanners: vuln
 
+      - name: Upload Trivy scan results to PromptQL Security Agent
+        uses: hasura/security-agent-tools/upload-file@v1
+        with:
+          file_path: trivy-results.json
+          security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }}
+          tags: |
+            service=ddn-native-workspace
+            source_code_path=ddn-workspace
+            docker_file_path=ddn-workspace/Dockerfile
+            scanner=trivy
+            image_name=ddn-workspace:test
+            product_domain=hasura-ddn-workspace
 
       - name: Save DDN Workspace image
         run: |
@@ -356,6 +376,17 @@ jobs:
           path: ddn-workspace.tar.gz
           retention-days: 1
 
+      - name: Fail build on High/Critical Vulnerabilities
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          skip-setup-trivy: true # setup was already done by the previous call to this action above
+          image-ref: "ddn-workspace:test"
+          format: table
+          severity: "CRITICAL,HIGH"
+          scanners: vuln
+          ignore-unfixed: true
+          exit-code: 1
+
   test-connectors:
     needs: [setup-connector-tests, build-ddn-workspace]
     runs-on: ubuntu-latest
@@ -462,28 +493,3 @@ jobs:
           fi
 
           echo "🎉 All DDN workspace tests completed successfully!"
-
-      - name: Run Trivy vulnerability scan
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: "ddn-workspace:test"
-          format: "sarif"
-          output: "trivy-results.sarif"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: "trivy-results.sarif"
-
-      - name: Print Trivy vulnerability scan results
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: "ddn-workspace:test"
-          format: "table"
-          exit-code: 0
-          ignore-unfixed: true
-          vuln-type: "os,library"
-          severity: "CRITICAL,HIGH"
-
-