Add automated security scanning workflows

.github/dependabot.yaml

@@ -7,6 +7,8 @@ updates:
       time: "06:00"
       timezone: "America/Chicago"
     labels: []
+    commit-message:
+      prefix: "ci"
     groups:
       github-actions:
         patterns:
@@ -19,8 +21,15 @@ updates:
       time: "06:00"
       timezone: "America/Chicago"
     labels: []
+    commit-message:
+      prefix: "chore"
     open-pull-requests-limit: 15
     groups:
       x:
         patterns:
           - "golang.org/x/*"
+    ignore:
+      # Ignore patch updates for all dependencies to reduce PR noise
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch

.github/workflows/scorecard.yml

@@ -0,0 +1,46 @@
+name: OpenSSF Scorecard
+
+on:
+  branch_protection_rule:
+  schedule:
+    # Run weekly on Wednesdays at 7:27 UTC
+    - cron: "27 7 * * 3"
+  push:
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/[email protected]
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_results: true
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

.github/workflows/security.yaml

@@ -0,0 +1,113 @@
+name: security
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  schedule:
+    # Run every day at 10:00 UTC (6:00 AM ET / 3:00 AM PT)
+    - cron: "0 10 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:go"
+
+  trivy:
+    name: Trivy Docker Image Scan
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Build binary for linux/amd64
+        run: |
+          TAG=$(git describe --always)
+          mkdir -p bin
+          CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+            -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=${TAG}" \
+            -o bin/code-marketplace-linux-amd64 \
+            ./cmd/marketplace/main.go
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        id: build
+        run: |
+          docker buildx build \
+            --platform linux/amd64 \
+            --tag code-marketplace:scan \
+            --load \
+            --build-arg TARGETARCH=amd64 \
+            .
+          echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT"
+
+      - name: Run Trivy vulnerability scanner (table output for logs)
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ steps.build.outputs.image }}
+          format: "table"
+          severity: "LOW,MEDIUM,HIGH,CRITICAL"
+
+      - name: Run Trivy vulnerability scanner (SARIF output for GitHub)
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ steps.build.outputs.image }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "LOW,MEDIUM,HIGH,CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"
+          category: "Trivy"
+
+      - name: Upload Trivy scan results as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-results
+          path: trivy-results.sarif
+          retention-days: 7

CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+### Added
+
+- Automated security scanning workflows for improved supply chain security:
+  - CodeQL analysis for Go code vulnerability scanning
+  - Trivy scanning for Go dependencies and Docker images
+  - OpenSSF Scorecard for security best practices assessment
+  - Results uploaded to GitHub Security tab for centralized monitoring
+
+### Changed
+
+- Enhanced Dependabot configuration with commit message prefixes and patch update
+  filtering to reduce PR noise while maintaining security update coverage.
 - Update the Kubernetes Deployment `spec.strategy.type` field to be of type `Recreate`
   in order to properly handle upgrades/restarts as the default deployment creates a PVC
   of type `ReadWriteOnce` and could only be assigned to one replica.