Merge pull request #987 from newrelic/dev

Release 11.4

Author: lavarou

.github/actions/ubuntu16-build-action/Dockerfile

@@ -0,0 +1,48 @@
+name: Security scan
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+  schedule:
+    - cron: '0 0 * * 0' # Every Sunday at 12:00 AM
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Run Trivy in table mode
+        # Table output is only useful when running on a pull request or push.
+        if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: table
+          exit-code: 1
+
+      - name: Run Trivy in report mode
+        # Only generate sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        # Only upload sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif