add code scanning jobs

Signed-off-by: denis-tingaikin <[email protected]>

.github/workflows/ci.yaml

@@ -1,54 +1,93 @@
----
 name: ci
 on:
   pull_request:
   push:
     branches:
-      - "release/**"
+      - release/**
 jobs:
   yamllint:
     uses: networkservicemesh/.github/.github/workflows/yamllint.yaml@main
-
   build-and-test:
     uses: networkservicemesh/.github/.github/workflows/build-and-test.yaml@main
     with:
       os: '["ubuntu-latest", "macos-latest", "windows-latest"]'
-
   golangci-lint:
     uses: networkservicemesh/.github/.github/workflows/golangci-lint.yaml@main
     with:
       linter-version: v1.53.3
-
   exclude-fmt-errorf:
     uses: networkservicemesh/.github/.github/workflows/exclude-fmt-errorf.yaml@main
-
   restrict-nsm-deps:
     uses: networkservicemesh/.github/.github/workflows/restrict-nsm-deps.yaml@main
     with:
-      allowed_repositories: "api"
-
+      allowed_repositories: api
   checkgomod:
     uses: networkservicemesh/.github/.github/workflows/checkgomod.yaml@main
-
   gogenerate:
     uses: networkservicemesh/.github/.github/workflows/sdk-gogenerate.yaml@main
-
   exclude-replace:
     uses: networkservicemesh/.github/.github/workflows/exclude-replace.yaml@main
-
+  trivy-scan-repo:
+    name: Scan repo with Trivy
+    permissions:
+      contents: read
+      security-events: write
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f
+        with:
+          scan-type: fs
+          scan-ref: .
+          ignore-unfixed: true
+          format: template
+          template: '@/contrib/sarif.tpl'
+          output: trivy-repo-results.sarif
+          severity: 'HIGH,CRITICAL'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-repo-results.sarif
+  tfsec:
+    name: tfsec sarif report
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+      - name: tfsec
+        uses: aquasecurity/[email protected]
+        with:
+          sarif_file: tfsec.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: tfsec.sarif
   code-cov:
-    runs-on: ${{ matrix.os }}
+    runs-on: '${{ matrix.os }}'
     strategy:
       matrix:
-        os: ["ubuntu-latest", "macos-latest"]
+        os:
+          - ubuntu-latest
+          - macos-latest
     steps:
       - name: Check out code
         uses: actions/checkout@v2
       - name: Setup Go
         uses: actions/setup-go@v1
         with:
           go-version: 1.20.5
-      - run: |
-          go test -coverprofile=coverage-${{ matrix.os }}.txt -covermode=atomic -race ./...
+      - run: >
+          go test -coverprofile=coverage-${{ matrix.os }}.txt -covermode=atomic
+          -race ./...
       - name: Upload coverage reports to Codecov with GitHub Action
         uses: codecov/codecov-action@v3

.github/workflows/codeql-analysis.yaml

@@ -1,20 +1,39 @@
 ---
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
 name: CodeQL
 
 on:
   push:
-    branches: [main]
+    branches:
+      - main
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [main]
+    branches:
+      - main
   schedule:
-    - cron: '0 5 * * 0'
-
+    - cron: 44 12 * * 6
 jobs:
   analyze:
-    uses: networkservicemesh/.github/.github/workflows/codeql-analysis.yaml@main
+    name: Analyze
+    runs-on: '${{ (matrix.language == ''swift'' && ''macos-latest'') || ''ubuntu-latest'' }}'
+    timeout-minutes: '${{ (matrix.language == ''swift'' && 120) || 360 }}'
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - go
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: '${{ matrix.language }}'
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: '/language:${{matrix.language}}'

.github/workflows/dependency-review.yaml

@@ -0,0 +1,21 @@
+---
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v3