Replicate CVE scan from RKI

.github/workflows/cve-scan.yml

@@ -0,0 +1,77 @@
+name: CVE Scan
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["**"]
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+  schedule:
+    - cron: "14 3 * * 1-5"
+  workflow_dispatch:
+
+concurrency:
+  group: {% raw %}${{ github.workflow }}-${{ github.ref }}{% endraw %}
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Cache requirements
+        uses: actions/cache@v4
+        env:
+          cache-name: cache-requirements
+        with:
+          path: ~/.cache/pip
+          {% raw %}key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }}{% endraw %}
+          restore-keys: |
+            {% raw %}${{ env.cache-name }}-{% endraw %}
+
+      - name: Cache environment
+        uses: actions/cache@v4
+        env:
+          cache-name: cache-environment
+        with:
+          path: ~/.cache/pip
+          {% raw %}key: ${{ env.cache-name }}-${{ hashFiles('*.lock') }}{% endraw %}
+          restore-keys: |
+            {% raw %}${{ env.cache-name }}-{% endraw %}
+
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+
+      - name: Install requirements
+        run: make setup
+
+      - name: Export dependencies
+        run: |
+          mkdir --parents pdm
+          pdm export-all > pdm/requirements.txt
+
+      - name: Run trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          format: 'sarif'
+          list-all-pkgs: 'true'
+          output: 'trivy-results.sarif'
+          scan-ref: '.'
+          scan-type: 'fs'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+
+      - name: Publish results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'