ci: add Trivy security scan workflow

- Scan filesystem for HIGH and CRITICAL vulnerabilities on push, PR, and weekly schedule
- Upload SARIF results to the GitHub Security tab
- Add Trivy Security Scan badge to the README

Author: appleboy

.github/workflows/trivy.yml

@@ -0,0 +1,38 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif

README.md

@@ -1,6 +1,7 @@
 # mcp-workshop
 
 [![build-and-test](https://github.com/go-training/mcp-workshop/actions/workflows/ci.yml/badge.svg)](https://github.com/go-training/mcp-workshop/actions/workflows/ci.yml)
+[![Trivy Security Scan](https://github.com/go-training/mcp-workshop/actions/workflows/trivy.yml/badge.svg)](https://github.com/go-training/mcp-workshop/actions/workflows/trivy.yml)
 
 English | [繁體中文](README.zh-TW.md) | [簡體中文](README.zh-CN.md)