feat: add support for trivy on lock files

Author: puehringer

.github/actions/build-node-python/action.yml

@@ -59,6 +59,10 @@ inputs:
     description: "run node bundle"
     default: "false"
     required: false
+  enable_trivy:
+    description: "Enable trivy scans on lock files"
+    default: "false"  # Enable this by default?
+    required: false
   chromatic_enable:
     description: "Enable Chromatic tests"
     required: false
@@ -287,6 +291,35 @@ runs:
         UV_SYSTEM_PYTHON: 1  # In case uv pip is used, install into the system python environment https://docs.astral.sh/uv/guides/integration/github/#using-uv-pip
         UV_HTTP_TIMEOUT: 300  # https://docs.astral.sh/uv/reference/environment/#uv_http_timeout
 
+    # Trivy
+    - name: Run Trivy vulnerability scanner on uv.lock
+      if: inputs.enable_trivy == 'true' && inputs.enable_python == 'true'
+      uses: aquasecurity/[email protected]
+      with:
+        scan-type: "fs"
+        scan-ref: "uv.lock"
+        format: "table"
+        exit-code: "1"
+        scaners: "vuln"
+        severity: "HIGH,CRITICAL"
+        ignore-unfixed: false
+        # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache
+        cache: "false"
+      continue-on-error: false
+    - name: Run Trivy vulnerability scanner on yarn.lock
+      if: inputs.enable_trivy == 'true' && inputs.enable_node == 'true'
+      uses: aquasecurity/[email protected]
+      with:
+        scan-type: "fs"
+        scan-ref: "yarn.lock"
+        format: "table"
+        exit-code: "1"
+        scaners: "vuln"
+        severity: "HIGH,CRITICAL"
+        ignore-unfixed: false
+        # The cache update takes quite long, so let's try to disable it for now: https://github.com/aquasecurity/trivy-action#cache
+        cache: "false"
+      continue-on-error: false
     # Node
     - name: Save yarn cache
       uses: actions/cache/save@v4