dependabot

.github/dependabot.yaml

@@ -0,0 +1,44 @@
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    registries: "*"
+    directory: /
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+        update-types:
+          - major
+          - minor
+          - patch
+    commit-message:
+      prefix: chore
+    schedule:
+      interval: weekly
+    labels:
+      - kind/chore
+      - dependabot
+    # reviewers:
+    #   - appkins-org/admin
+
+  - package-ecosystem: terraform
+    registries: "*"
+    directory: /
+    groups:
+      terraform:
+        patterns:
+          - "*"
+        update-types:
+          - major
+          - minor
+          - patch
+    commit-message:
+      prefix: chore
+    schedule:
+      interval: weekly
+    labels:
+      - kind/chore
+      - dependabot
+    # reviewers:
+    #   - appkins-org/admin

.github/workflows/check.yaml

@@ -0,0 +1,29 @@
+name: check
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  check:
+    name: Check - Security
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@0.20.0 # v0.21.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: trivy.yaml
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'