fix: Ajout des permissions nécessaires au workflow Trivy

Corrections apportées au workflow de scan de vulnérabilités :

- Ajout des permissions au niveau du workflow (security-events: write)
- Ajout des permissions au niveau du job trivy-scan
- Ajout de continue-on-error pour l'upload SARIF (évite l'échec du workflow)
- Amélioration de la robustesse du job de résumé
- Meilleure gestion des cas où les artifacts ne sont pas disponibles

Ces changements permettent au workflow de fonctionner correctement même si
l'upload SARIF échoue (par exemple si GitHub Advanced Security n'est pas activé).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: claude

.github/workflows/trivy-scan.yml

@@ -18,10 +18,18 @@ on:
   # Permet de lancer manuellement le scan
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
 jobs:
   trivy-scan:
     name: Scan Docker Images
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
 
     strategy:
       matrix:
@@ -49,6 +57,7 @@ jobs:
       - name: Upload Trivy results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         if: always()
+        continue-on-error: true
         with:
           sarif_file: 'trivy-results-${{ matrix.image.name }}.sarif'
           category: trivy-${{ matrix.image.name }}
@@ -90,10 +99,13 @@ jobs:
     runs-on: ubuntu-latest
     needs: trivy-scan
     if: always()
+    permissions:
+      contents: read
 
     steps:
       - name: Download all artifacts
         uses: actions/download-artifact@v4
+        continue-on-error: true
 
       - name: Generate summary
         run: |
@@ -102,15 +114,18 @@ jobs:
           echo "Scan completed at: $(date -u)" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
 
-          for report in trivy-report-*/trivy-report-*.txt; do
-            if [ -f "$report" ]; then
-              image_name=$(basename "$report" .txt | sed 's/trivy-report-//')
-              echo "## 📦 Image: $image_name" >> $GITHUB_STEP_SUMMARY
-              echo '```' >> $GITHUB_STEP_SUMMARY
-              head -50 "$report" >> $GITHUB_STEP_SUMMARY
-              echo '```' >> $GITHUB_STEP_SUMMARY
-              echo "" >> $GITHUB_STEP_SUMMARY
-            fi
-          done
-
-          echo "✅ Full reports available in artifacts" >> $GITHUB_STEP_SUMMARY
+          if ls trivy-report-*/trivy-report-*.txt 1> /dev/null 2>&1; then
+            for report in trivy-report-*/trivy-report-*.txt; do
+              if [ -f "$report" ]; then
+                image_name=$(basename "$report" .txt | sed 's/trivy-report-//')
+                echo "## 📦 Image: $image_name" >> $GITHUB_STEP_SUMMARY
+                echo '```' >> $GITHUB_STEP_SUMMARY
+                head -50 "$report" >> $GITHUB_STEP_SUMMARY
+                echo '```' >> $GITHUB_STEP_SUMMARY
+                echo "" >> $GITHUB_STEP_SUMMARY
+              fi
+            done
+            echo "✅ Full reports available in artifacts" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "⚠️ No report files found. Check the scan job logs for details." >> $GITHUB_STEP_SUMMARY
+          fi