feat: add security scanning on CI workflow

.github/workflows/ci.yaml

@@ -322,3 +322,32 @@ jobs:
       id-token: write
       pull-requests: write
     secrets: inherit
+
+  security-app:
+    name: Security App
+    needs:
+      - orchestrator
+    strategy:
+      matrix:
+        project:
+          - api
+          - selfserve
+          - internal
+        exclude:
+          - project: ${{ (needs.orchestrator.outputs.should-build-api || needs.orchestrator.outputs.should-build-api-docker) && 'ignored' || 'api' }}
+          - project: ${{ (needs.orchestrator.outputs.should-build-selfserve || needs.orchestrator.outputs.should-build-selfserve-docker) && 'ignored' || 'selfserve' }}
+          - project: ${{ (needs.orchestrator.outputs.should-build-internal || needs.orchestrator.outputs.should-build-internal-docker) && 'ignored' || 'internal' }}
+    uses: ./.github/workflows/security-app.yaml
+    with:
+      project: ${{ matrix.project }}
+    permissions:
+      contents: read
+      security-events: write
+    secrets: inherit
+
+  security-terraform:
+    name: Security Terraform
+    uses: ./.github/workflows/security-terraform.yaml
+    permissions:
+      contents: read
+      security-events: write

.github/workflows/security-app.yaml

@@ -0,0 +1,103 @@
+name: Security App
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        default: 5.3.0
+        required: false
+      project:
+        type: string
+        required: true
+  schedule:
+    # Weekly on Monday at 00:00 UTC
+    - cron: 0 0 * * 1
+
+jobs:
+  dependency-scan-api:
+    if: github.event_name == 'schedule' || inputs.project == 'api'
+    name: API
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: app/api
+    env:
+      # Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
+      REMOTE_REPOSITORY: dvsa/olcs-backend
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ env.REMOTE_REPOSITORY }}
+          path: app/api
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+      - name: Scan api repository
+        run: snyk test --sarif-file-output=snyk-results.sarif
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        continue-on-error: true
+
+      - name: Upload Results to GitHub Code Scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: app/api/snyk-results.sarif
+
+  dependency-scan-selfserve:
+    if: github.event_name == 'schedule' || inputs.project == 'selfserve'
+    name: Selfserve
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: app/selfserve
+    env:
+      # Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
+      REMOTE_REPOSITORY: dvsa/olcs-selfserve
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ env.REMOTE_REPOSITORY }}
+          path: app/selfserve
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+      - name: Scan selfserve repository
+        run: snyk test --sarif-file-output=snyk-results.sarif
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        continue-on-error: true
+
+      - name: Upload Results to GitHub Code Scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: app/selfserve/snyk-results.sarif
+
+  dependency-scan-internal:
+    if: github.event_name == 'schedule' || inputs.project == 'internal'
+    name: Internal
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: app/internal
+    env:
+      # Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
+      REMOTE_REPOSITORY: dvsa/olcs-internal
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ env.REMOTE_REPOSITORY }}
+          path: app/internal
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+      - name: Scan internal repository
+        run: snyk test --sarif-file-output=snyk-results.sarif
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        continue-on-error: true
+
+      - name: Upload Results to GitHub Code Scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: app/internal/snyk-results.sarif

.github/workflows/security-terraform.yaml

@@ -0,0 +1,33 @@
+name: Security Terraform
+
+on:
+  workflow_call:
+  schedule:
+    # Weekly on Monday at 00:00 UTC
+    - cron: 0 0 * * 1
+
+env:
+  TRIVY_TF_EXCLUDE_DOWNLOADED_MODULES: true
+
+jobs:
+  terraform-scan:
+    name: Terraform Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Scan Terraform
+        uses: aquasecurity/trivy-action@master
+        with:
+          exit-code: 1
+          scan-ref: "infra/terraform"
+          scan-type: "config"
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Results to GitHub Code Scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"