chore(debs): add sec scans with trivy

* fix(deps): update golang.org/x/* dependencies to fix CVEs

Updates golang.org/x/* packages to their latest versions:
- golang.org/x/net v0.38.0 → v0.50.0 (fixes 2 MEDIUM CVEs)
- golang.org/x/oauth2 v0.27.0 → v0.35.0
- golang.org/x/sys v0.31.0 → v0.41.0
- golang.org/x/text v0.23.0 → v0.34.0

Also updated related packages (sync, term, tools) to maintain compatibility.

This addresses 2 MEDIUM severity CVEs identified in Docker Hub security scan.

Testing:
- All unit tests pass
- Build compiles successfully

* fix(go): upgrade to Go 1.25 to fix stdlib CVEs

Updates Go version from 1.24.0 to 1.25 to address critical vulnerabilities:
- Fixes 2 CRITICAL severity CVEs in golang stdlib
- Fixes 7 HIGH severity CVEs in golang stdlib
- Fixes 12 MEDIUM severity CVEs in golang stdlib

Changes:
- go.mod: Update go directive to 1.25
- Dockerfile: Update base image to golang:1.25
- CI workflows already use go-version-file, so they'll pick up the new version automatically

This addresses the most severe vulnerabilities identified in Docker Hub security scan.

Testing:
- All unit tests pass with Go 1.25
- Build compiles successfully

* feat(security): add Trivy scanning and enhanced Dependabot

Implements comprehensive security scanning infrastructure:

Security Scanning:
- Add Trivy security scan job to CI pipeline (fails on HIGH/CRITICAL)
- Create daily scheduled scan workflow for published images
- Upload scan results to GitHub Security tab (SARIF format)
- Auto-create issues when vulnerabilities are detected

Trivy Configuration:
- Add .trivy.yaml with severity levels (CRITICAL, HIGH)
- Create .trivyignore for managing false positives
- Add .trivycache/ to .gitignore

Dependabot Enhancements:
- Add gomod package ecosystem (weekly scans)
- Add docker package ecosystem (base image updates)
- Group related updates (K8s, OpenTelemetry, golang.org/x/*)
- Add consistent labels to all ecosystems

This prevents future CVE accumulation and provides early warning
when new vulnerabilities are disclosed in our dependencies or
published Docker images.

* docs(security): add documentation and build hardening

Documentation Updates:
- Update SECURITY.md with CVE remediation process and timelines
- Document vulnerability scanning workflow (PR scans + daily scans)
- Add instructions for updating base image digests
- Explain false positive management with .trivyignore
- Add security badge to README.md linking to GitHub Security tab

Build Hardening:
- Pin distroless base image by SHA256 digest for reproducibility
- Add OCI image labels (source, description, license, vendor, docs)
- Add SBOM generation to release workflow (SPDX + CycloneDX)
- Attach SBOMs to GitHub releases for supply chain transparency

These changes complete the CVE remediation infrastructure by
documenting processes and hardening the container build for
reproducibility and supply chain security.

* fix(docker): remove SHA256 digest pinning from base image

Remove SHA256 digest from distroless base image to simplify maintenance
while retaining nonroot tag for security. The digest pinning was causing
maintenance overhead without significant security benefit given the
existing tag-based approach and automated dependency updates.

* fix(ci): update golangci-lint to support Go 1.25

Use latest version of golangci-lint instead of v2.1.0 which was
built with Go 1.24 and doesn't support Go 1.25.

This fixes the CI error:
'the Go language version (go1.24) used to build golangci-lint
is lower than the targeted Go version (1.25)'

* fix(codacy): explicitly disable markdown file analysis

Add comprehensive markdown exclusion patterns and disable all
markdown-related analysis engines (markdownlint, remark-lint, prose)
to prevent Codacy from analyzing .md files.

* fix(codacy): remove redundant prose engine configuration

The prose engine is not a standard Codacy engine and was causing
configuration warnings. Markdown analysis is already disabled via
markdownlint and remark-lint engines.

Author: AbdelrhmanHamouda

.codacy.yml

@@ -1,4 +1,18 @@
+---
 exclude_paths:
   - "**/zz_generated.deepcopy.go"
   - "test/utils/**"
   - "**/*.md"
+  - "**.md"
+  - "*.md"
+  - "docs/**"
+  - "README.md"
+  - "SECURITY.md"
+  - "CONTRIBUTING.md"
+  - "LICENSE"
+
+engines:
+  markdownlint:
+    enabled: false
+  remark-lint:
+    enabled: false

.github/dependabot.yml

@@ -5,12 +5,47 @@
 
 version: 2
 updates:
-  - package-ecosystem: "gradle" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  # Go module dependencies
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      kubernetes:
+        patterns:
+          - "k8s.io/*"
+          - "sigs.k8s.io/*"
+      opentelemetry:
+        patterns:
+          - "go.opentelemetry.io/*"
+      golang-x:
+        patterns:
+          - "golang.org/x/*"
+    labels:
+      - "dependencies"
+      - "go"
+
+  # Docker base images
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "docker"
+
+  - package-ecosystem: "gradle"
+    directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
+      - "gradle"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
+      - "github-actions"

.github/workflows/ci.yaml

@@ -11,7 +11,9 @@ on:
     types: [opened, synchronize, reopened, ready_for_review]
 
 # Sets default read-only permissions for the workflow.
-permissions: read-all
+permissions:
+  contents: read
+  security-events: write # Required for uploading SARIF to GitHub Security tab
 
 jobs:
   # ============================================
@@ -39,7 +41,7 @@ jobs:
       - name: 🔍 Run linter
         uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.1.0
+          version: latest # Use latest to support Go 1.25
 
       - name: 🛠️ Build
         run: make build
@@ -195,3 +197,57 @@ jobs:
           path: |
             site/
           retention-days: 7
+
+  # ============================================
+  # Security Scanning with Trivy
+  # ============================================
+  security-scan:
+    name: 🔒 Security scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: 📂 Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: 🔧 Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: 🛠️ Install ko
+        uses: ko-build/setup-ko@v0.7
+
+      - name: 🐳 Build operator image with ko
+        env:
+          KO_DOCKER_REPO: lotest/locust-k8s-operator
+        run: |
+          CHART_VERSION=$(grep '^appVersion:' charts/locust-k8s-operator/Chart.yaml | awk '{print $2}' | tr -d '"')
+          ko build ./cmd --local --bare --tags=${CHART_VERSION}
+          echo "IMAGE_TAG=${CHART_VERSION}" >> $GITHUB_ENV
+
+      - name: 🔍 Run Trivy security scan
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: lotest/locust-k8s-operator:${{ env.IMAGE_TAG }}
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+          exit-code: 1 # Fail the build if vulnerabilities are found
+
+      - name: 📊 Upload Trivy results to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy-container-scan
+
+      - name: 📦 Upload Trivy scan artifacts on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-scan-results
+          path: trivy-results.sarif
+          retention-days: 7

.github/workflows/release.yaml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
-      contents: read
+      contents: write # Required for uploading release assets
     env:
       DOCKER_IMAGE: lotest/locust-k8s-operator
     steps:
@@ -46,6 +46,37 @@ jobs:
             --bare \
             --tags=${{ github.ref_name }},latest
 
+      - name: 🔍 Install Trivy
+        run: |
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy
+
+      - name: 📋 Generate SBOM (SPDX format)
+        run: |
+          trivy image \
+            --format spdx-json \
+            --output sbom-spdx.json \
+            ${{ env.DOCKER_IMAGE }}:${{ github.ref_name }}
+
+      - name: 📋 Generate SBOM (CycloneDX format)
+        run: |
+          trivy image \
+            --format cyclonedx \
+            --output sbom-cyclonedx.json \
+            ${{ env.DOCKER_IMAGE }}:${{ github.ref_name }}
+
+      - name: 📦 Upload SBOMs to release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            sbom-spdx.json
+            sbom-cyclonedx.json
+          fail_on_unmatched_files: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   helm-chart-release:
     name: 🌊 Publish Helm chart
     runs-on: ubuntu-latest

.github/workflows/security-scan-scheduled.yaml

@@ -0,0 +1,131 @@
+# Daily security scan of published Docker images
+name: 🔒 Daily Security Scan
+
+on:
+  schedule:
+    # Run daily at 6 AM UTC
+    - cron: '0 6 * * *'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: read
+  security-events: write
+  issues: write # Required for creating issues on vulnerabilities
+
+jobs:
+  scan-published-image:
+    name: 🔍 Scan published image
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: 📂 Checkout
+        uses: actions/checkout@v4
+
+      - name: 🔍 Run Trivy scan on latest image
+        uses: aquasecurity/trivy-action@0.29.0
+        id: trivy-scan
+        with:
+          image-ref: lotest/locust-k8s-operator:latest
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+          exit-code: 0 # Don't fail, we'll create an issue instead
+
+      - name: 📊 Upload Trivy results to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy-daily-scan
+
+      - name: 🔍 Check for vulnerabilities
+        id: check-vulns
+        run: |
+          # Check if SARIF file contains vulnerabilities
+          if grep -q '"level": "error"' trivy-results.sarif || grep -q '"level": "warning"' trivy-results.sarif; then
+            echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT
+          else
+            echo "vulnerabilities_found=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: 🚨 Create issue for vulnerabilities
+        if: steps.check-vulns.outputs.vulnerabilities_found == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const sarif = JSON.parse(fs.readFileSync('trivy-results.sarif', 'utf8'));
+
+            let vulnerabilities = [];
+            for (const run of sarif.runs) {
+              for (const result of run.results || []) {
+                const severity = result.level === 'error' ? 'CRITICAL/HIGH' : 'MEDIUM';
+                const ruleId = result.ruleId || 'Unknown';
+                const message = result.message?.text || 'No description';
+                vulnerabilities.push(`- **${ruleId}** (${severity}): ${message}`);
+              }
+            }
+
+            if (vulnerabilities.length === 0) {
+              console.log('No vulnerabilities found in SARIF');
+              return;
+            }
+
+            const issueTitle = `🚨 Security vulnerabilities found in latest Docker image`;
+            const issueBody = `## Security Scan Alert
+
+            Daily security scan detected vulnerabilities in \`lotest/locust-k8s-operator:latest\`.
+
+            ### Vulnerabilities Found:
+            ${vulnerabilities.slice(0, 20).join('\n')}
+            ${vulnerabilities.length > 20 ? `\n\n... and ${vulnerabilities.length - 20} more` : ''}
+
+            ### Next Steps:
+            1. Review the full scan results in the [Security tab](${context.payload.repository.html_url}/security/code-scanning)
+            2. Update dependencies or Go version as needed
+            3. Rebuild and push a new image
+
+            **Scan Date:** ${new Date().toISOString().split('T')[0]}
+            **Image:** lotest/locust-k8s-operator:latest
+            `;
+
+            // Check if an open issue already exists
+            const issues = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              labels: 'security,automated'
+            });
+
+            const existingIssue = issues.data.find(issue =>
+              issue.title.includes('Security vulnerabilities found')
+            );
+
+            if (existingIssue) {
+              // Update existing issue
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: existingIssue.number,
+                body: `## New Scan Results\n\n${issueBody}`
+              });
+              console.log(`Updated existing issue #${existingIssue.number}`);
+            } else {
+              // Create new issue
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: issueTitle,
+                body: issueBody,
+                labels: ['security', 'automated']
+              });
+              console.log('Created new security issue');
+            }
+
+      - name: 📦 Upload scan results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-daily-scan-${{ github.run_number }}
+          path: trivy-results.sarif
+          retention-days: 30

.gitignore

@@ -41,6 +41,9 @@ Thumbs.db
 .docs-venv
 .cache
 
+# Trivy security scanner
+.trivycache/
+
 # Agentic flows
 specs/
 .windsurf/

.trivy.yaml

@@ -0,0 +1,35 @@
+# Trivy security scanner configuration
+# Documentation: https://aquasecurity.github.io/trivy/latest/docs/configuration/
+
+# Severity levels to report
+severity:
+  - CRITICAL
+  - HIGH
+
+# Vulnerability types to scan
+vuln-type:
+  - os
+  - library
+
+# Output format (can be overridden in CLI)
+format: table
+
+# Exit with error if vulnerabilities are found
+exit-code: 1
+
+# Timeout for scanning
+timeout: 5m0s
+
+# Skip files and directories
+skip-dirs:
+  - .git
+  - .github
+  - docs
+  - test
+  - bin
+
+# Ignore unfixed vulnerabilities (set to false to see all)
+ignore-unfixed: false
+
+# Cache directory
+cache-dir: .trivycache/

.trivyignore

@@ -0,0 +1,8 @@
+# Trivy ignore file for false positives
+# Documentation: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-finding-ids
+
+# To ignore a specific CVE, add it below with a justification comment:
+# Example:
+# CVE-2024-1234 # False positive: not used in our codebase, expires 2025-06-01
+
+# Currently no vulnerabilities are ignored