chore(ci): add vulnerability scanning

.github/workflows/schedule.yaml

@@ -0,0 +1,14 @@
+---
+name: Schedule
+
+on:
+  schedule:
+    - cron: 11 15 * * *
+  workflow_dispatch:
+
+jobs:
+  scan-backend:
+    name: Scan backend image
+    uses: ./.github/workflows/trivy-scan.yaml
+    with:
+      image-ref: ghcr.io/adfinis/timed-backend

.github/workflows/trivy-scan.yaml

@@ -0,0 +1,48 @@
+---
+name: Trivy Scan
+
+on:
+  workflow_call:
+    inputs:
+      image-ref:
+        required: true
+        type: string
+        description: The image to scan e.g. ghcr.io/owner/image
+
+jobs:
+  trivy-scan:
+    permissions:
+      actions: none
+      checks: none
+      contents: none
+      deployments: none
+      issues: none
+      packages: write
+      pull-requests: none
+      repository-projects: none
+      security-events: write
+      statuses: none
+      id-token: none
+
+    runs-on: ubuntu-latest
+    name: Scan ${{ inputs.image-ref }}
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ inputs.image-ref }}
+          format: "sarif"
+          output: "trivy.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: "trivy.sarif"