ci(security): add Trivy vulnerability scanning to CI/CD

- Add Trivy fs scan for CRITICAL/HIGH severity vulnerabilities
- Upload results as SARIF to GitHub/Forgejo Security tab
- Add to both GitHub Actions and Forgejo workflows

.forgejo/workflows/ci.yml

@@ -30,6 +30,26 @@ jobs:
       - name: Build
         run: pnpm build
 
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
   deploy-dev:
     if: github.ref == 'refs/heads/dev'
     needs: lint

.github/workflows/lint.yml

@@ -29,3 +29,18 @@ jobs:
 
       - name: Build
         run: pnpm build
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

README.md

@@ -30,6 +30,7 @@ A personal, opinionated SaaS template built for speed. Next.js 16 + Convex self-
 - [x] Project init script (`bin/init-template.mjs`)
 - [x] PWA Lite installability (manifest + icons)
 - [x] Docker deployment (Dockerfile + docker-compose)
+- [x] Security scanning (Trivy SAST + SCA)
 
 ## Quick Start