Revert "Revert "Merge pull request #25 from kc3hack/feat/trivy-code-scanning""

This reverts commit 86c36ce.

Author: Inlet-back

.github/workflows/backend.yml

@@ -46,11 +46,8 @@ jobs:
       - name: Run Lint (Ruff)
         run: poetry run ruff check .
 
-      # Decision: Lightweight security check with pip-audit (pinned in pyproject.toml)
-      # Reason: Fast vulnerability check (seconds) without blocking PR
-      - name: Security Scan (pip-audit)
-        run: poetry run pip-audit --require-hashes=false || echo "Vulnerabilities found, see Dependabot for details"
-        continue-on-error: true
+      # Note: Security scanning moved to dedicated security.yml workflow (Trivy)
+      # Reason: Centralized security checks with GitHub Code Scanning integration
 
       # Decision: Run Pytest even if no tests exist yet (ensure setup works)
       # Reason: Validates that the test runner environment is correctly configured.

.github/workflows/frontend.yml

@@ -46,11 +46,8 @@ jobs:
       - name: Run Lint
         run: npm run lint
 
-      # Decision: Lightweight security check with npm audit (built-in tool)
-      # Reason: Fast vulnerability check (seconds) without blocking PR
-      - name: Security Scan (npm audit)
-        run: npm audit --audit-level=critical || echo "Vulnerabilities found, see Dependabot for details"
-        continue-on-error: true
+      # Note: Security scanning moved to dedicated security.yml workflow (Trivy)
+      # Reason: Centralized security checks with GitHub Code Scanning integration
 
       - name: Run Build
         # This checks for type errors and build capability

.github/workflows/security.yml

@@ -1,135 +1,76 @@
-name: Security Gatekeeper (Weekly)
+name: Security Scan (Dashboard & Log)
 
-# Decision: Run heavy scans daily during hackathon, not on PR
-# Reason: Syft+Grype takes 3-5min; use Dependabot+built-in tools for PR checks
-# Hackathon ends 2026-02-21, so daily scan ensures coverage throughout the event
+# Decision: Use Trivy + GitHub Code Scanning for lightweight, dashboard-integrated security
+# Reason: Hackathon-friendly (non-blocking, fast), better UX than Issue accumulation
 on:
+  push:
+    branches: ["main", "develop"]
+  pull_request:
+    branches: ["main", "develop"]
   schedule:
-    # Daily at 3:00 AM JST (18:00 UTC previous day) - Review results each morning
+    # Daily at 3:00 AM JST for comprehensive scan
     - cron: "0 18 * * *"
-  workflow_dispatch: # Allow manual trigger anytime
-  push:
-    branches: ["main"]
-    paths:
-      - ".grype.yaml"
-      - ".github/workflows/security.yml"
+  workflow_dispatch:
 
 permissions:
   contents: read
-  issues: write # For creating issues on vulnerability detection
+  security-events: write # Required for uploading to Security tab
 
 jobs:
-  security-check:
-    name: Deep Supply Chain & Secret Scan
+  trivy-scan:
+    name: Trivy Security Scan
     runs-on: ubuntu-latest
-    timeout-minutes: 10
+    timeout-minutes: 5
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # Full history for TruffleHog
-
-      # 1. Secret Scanning (TruffleHog)
-      # Decision: Full repository scan for scheduled runs (not diff-based)
-      # Reason: Scheduled scans should audit entire codebase to prevent blind spots
-      - name: Secret Scan
-        id: trufflehog
-        uses: trufflesecurity/trufflehog@v3.82.13
-        with:
-          path: ./
-          # Note: No base/head specified = full repository scan
-          extra_args: --only-verified
-        continue-on-error: true
 
-      # 2. SBOM Generation (Syft)
-      - name: Generate SBOM
-        uses: anchore/sbom-action@v0.17.9
+      # 1. Console output for immediate feedback in CI logs
+      - name: Run Trivy (Log Output)
+        uses: aquasecurity/trivy-action@0.28.0
         with:
-          path: .
-          format: spdx-json
-          output-file: sbom.spdx.json
-
-      # 3. Vulnerability Scan (Grype)
-      # Decision: Fail on vulnerabilities but don't stop workflow (create issue instead)
-      # Reason: Need actual failure signal to trigger issue creation
-      - name: Vulnerability Scan
-        id: grype
-        uses: anchore/scan-action@v5.1.0
+          scan-type: "fs"
+          scan-ref: "."
+          format: "table"
+          exit-code: "0" # Don't fail CI (hackathon-friendly)
+          severity: "CRITICAL,HIGH"
+          trivyignores: ".trivyignore"
+
+      # 2. SARIF output for GitHub Security tab integration
+      - name: Run Trivy (SARIF Output)
+        uses: aquasecurity/trivy-action@0.28.0
         with:
-          sbom: sbom.spdx.json
-          fail-build: true # Exit code 1 on vulnerabilities (enables detection)
-          severity-cutoff: critical
-          output-format: table
-        continue-on-error: true # Don't stop workflow, proceed to issue creation
-
-      # 4. Create Issue on Vulnerability Detection
-      # Decision: Avoid duplicate issues by checking for open security alerts
-      # Reason: Daily scans would create noise if vulnerabilities persist
-      - name: Create Security Issue
-        if: steps.grype.outcome == 'failure' || steps.trufflehog.outcome == 'failure'
-        uses: actions/github-script@v7
+          scan-type: "fs"
+          scan-ref: "."
+          format: "sarif"
+          output: "trivy-results.sarif"
+          exit-code: "0" # Don't fail CI
+          severity: "CRITICAL,HIGH"
+          trivyignores: ".trivyignore"
+
+      # 3. Upload results to GitHub Security tab (visible like Dependabot alerts)
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always() # Upload even if scan found issues
         with:
-          script: |
-            const grypeFailure = '${{ steps.grype.outcome }}' === 'failure';
-            const truffleFailure = '${{ steps.trufflehog.outcome }}' === 'failure';
-
-            // Fixed title for deduplication
-            const title = '🔒 Security Alert: Automated Scan Results';
-
-            // Check for existing open issue
-            const existingIssues = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: 'security-scan',
-              per_page: 1
-            });
-
-            const issues = [];
-            if (grypeFailure) issues.push('Critical vulnerabilities in dependencies');
-            if (truffleFailure) issues.push('Secrets detected in repository');
+          sarif_file: "trivy-results.sarif"
+          category: "trivy-fs-scan"
 
-            const body = `## Latest Scan: ${new Date().toISOString().split('T')[0]}
-
-            **Issues Detected**: ${issues.join(', ')}
-            **Scan Date**: ${new Date().toISOString()}
-            **Workflow Run**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-
-            ### Detected Issues
-            ${grypeFailure ? '- ⚠️ **Critical vulnerabilities** in dependencies (see Grype logs)' : ''}
-            ${truffleFailure ? '- 🔑 **Secrets leaked** in repository (see TruffleHog logs)' : ''}
-
-            ### Action Required
-            1. Review the workflow logs for detailed information
-            2. ${grypeFailure ? 'Update affected dependencies or add exceptions to `.grype.yaml` with justification' : ''}
-            3. ${truffleFailure ? 'Remove secrets from repository and rotate compromised credentials immediately' : ''}
-            4. Close this issue once resolved
+  secret-scan:
+    name: Secret Scanning
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
 
-            ### Notes
-            - This is a daily automated scan during hackathon
-            - PRs are checked with lightweight tools (pip-audit/npm audit)
-            - Dependabot will create PRs for available updates
-            `;
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
-            if (existingIssues.data.length > 0) {
-              // Update existing issue
-              const issueNumber = existingIssues.data[0].number;
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: issueNumber,
-                body: `---\n${body}`
-              });
-              console.log(`Updated existing issue #${issueNumber}`);
-            } else {
-              // Create new issue
-              await github.rest.issues.create({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                title: title,
-                body: body,
-                labels: ['security-scan', 'dependencies']
-              });
-              console.log('Created new security issue');
-            }
+      - name: TruffleHog Secret Scan
+        uses: trufflesecurity/trufflehog@v3.82.13
+        with:
+          path: ./
+          extra_args: --only-verified
+        continue-on-error: true

.trivyignore

@@ -0,0 +1,19 @@
+# Trivy ignore patterns
+# Decision: Exclude paths that are not our code or cause noise
+# Reason: Focus on actual application vulnerabilities, not 3rd-party dependencies in node_modules
+
+# Exclude node_modules (managed by Dependabot)
+**/node_modules/**
+
+# Exclude Python virtual environments
+**/.venv/**
+**/venv/**
+
+# Exclude build outputs
+**/dist/**
+**/build/**
+**/.next/**
+
+# Exclude test fixtures
+**/tests/**/__fixtures__/**
+**/test/**/__fixtures__/**