Enhancement: Simplify CI workflow by removing unused steps and adding security analysis job

Signed-off-by: Ihor Dvoretskyi <[email protected]>

Author: idvoretskyi

.github/workflows/ci.yml

@@ -8,15 +8,12 @@ on:
 
 permissions:
   contents: read
-  security-events: write
   actions: read
 
 jobs:
   build:
     runs-on: ubuntu-latest
     name: Build and Validate
-    outputs:
-      image-name: ${{ steps.build.outputs.image-name }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -41,21 +38,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build Docker image
-        id: build
         run: |
-          IMAGE_NAME="dev-template:${{ github.sha }}"
-          docker build -t "$IMAGE_NAME" .devcontainer/
-          echo "image-name=$IMAGE_NAME" >> $GITHUB_OUTPUT
-
-      - name: Save Docker image as artifact
-        run: |
-          docker save ${{ steps.build.outputs.image-name }} | gzip > dev-template.tar.gz
-
-      - name: Upload Docker image artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: docker-image
-          path: dev-template.tar.gz
+          docker build -t dev-template:latest .devcontainer/
 
   test:
     runs-on: ubuntu-latest
@@ -87,49 +71,4 @@ jobs:
             which npm || echo "npm is missing"
             # Test essential packages
             curl --version
-            jq --version
-
-  security-scan:
-    runs-on: ubuntu-latest
-    name: Security and SBOM Analysis
-    needs: build
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Download Docker image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: docker-image
-
-      - name: Load Docker image
-        run: |
-          docker load < dev-template.tar.gz
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: '${{ needs.build.outputs.image-name }}'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Generate SBOM
-        uses: anchore/sbom-action@v0
-        with:
-          image: '${{ needs.build.outputs.image-name }}'
-          format: 'spdx-json'
-          output-file: 'sbom.spdx.json'
-
-      - name: Upload SBOM as artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: sbom
-          path: sbom.spdx.json
+            jq --version

.github/workflows/security.yml

@@ -0,0 +1,85 @@
+name: Security Analysis
+
+on:
+  schedule:
+    # Run security scans daily at 2 AM UTC
+    - cron: '0 2 * * *'
+  push:
+    branches: [ main ]
+    paths:
+      - '.devcontainer/**'
+      - 'Dockerfile'
+      - '.github/workflows/security.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - '.devcontainer/**'
+      - 'Dockerfile'
+      - '.github/workflows/security.yml'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    name: Security and SBOM Analysis
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install missing dependencies
+        run: sudo apt-get update && sudo apt-get install -y tcl
+
+      - name: Build Docker image for scanning
+        run: |
+          IMAGE_NAME="dev-template:${{ github.sha }}"
+          docker build -t "$IMAGE_NAME" .devcontainer/
+          echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: '${{ env.IMAGE_NAME }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: '${{ env.IMAGE_NAME }}'
+          format: 'spdx-json'
+          output-file: 'sbom.spdx.json'
+
+      - name: Upload SBOM as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ github.sha }}
+          path: sbom.spdx.json
+          retention-days: 30
+
+      - name: Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-fs-results.sarif'
+
+      - name: Upload filesystem scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-fs-results.sarif'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}