ci: add security scan with trivy

Security scan with trivy will be run on push to main and dev, pull request,
and daily. trivy will skip scanning vendor subdirectory because the agent
is not using code from that directory.

Author: lavarou

.github/workflows/security-scan.yml

@@ -0,0 +1,50 @@
+name: Security scan
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+  schedule:
+    - cron: '0 9 * * *' # Same time as CI Cron
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Run Trivy in table mode
+        # Table output is only useful when running on a pull request or push.
+        if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          scanners: vuln,misconfig
+          skip-dirs: vendor
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH,MEDIUM,LOW
+
+      - name: Run Trivy in report mode
+        # Only generate sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          skip-dirs: vendor
+          format: sarif
+          output: trivy-results.sarif
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        # Only upload sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif