added trivy scanning

.github/workflows/trivy-image-scan-test.yml

@@ -0,0 +1,6 @@
+on: [push]
+jobs:
+  test_build_docker:
+    uses: ./.github/workflows/trivy-image-scan.yml
+    with:
+      image: 'forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/build/test:latest'

.github/workflows/trivy-image-scan.yml

@@ -0,0 +1,23 @@
+name: Run Trivy Image Scanner
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        description: 'The image to test'
+        required: true
+        type: string
+
+jobs:
+  build-go:
+    runs-on: docker
+    container:
+      image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/pipeline-container/trivy:0.56.2
+    steps:
+      - name: Clone Repository
+        uses: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/checkout@main
+      - name: Run trivy image scan
+        run: |
+          set -e
+          TRIVY_INSECURE=true trivy image --scanners license,vuln,secret ${{ inputs.image }}
+          TRIVY_INSECURE=true trivy image --image-config-scanners secret,misconfig ${{ inputs.image }}

README.md

@@ -0,0 +1,21 @@
+# Run Trivy Image Scanner GitHub Action
+
+This GitHub Action scans Docker images for vulnerabilities, secrets, licenses, and misconfigurations using [Trivy](https://github.com/aquasecurity/trivy).
+
+## Inputs
+
+| Input Name | Description           | Required | Type   |
+|------------|-----------------------|----------|--------|
+| `image`    | The Docker image to scan. | Yes      | string |
+
+## Usage
+
+This action can be used in other workflows with `workflow_call`. Here’s an example:
+
+```yaml
+jobs:
+  scan:
+    uses:DevFW-CICD/vulnerability-scan/.github/workflows/trivy-image-scan.yml@main
+    with:
+      image: 'my-registry.com/project/image:latest'
+```