From 3ace5f998cca89edac7ea9a1b1762621b038193a Mon Sep 17 00:00:00 2001
From: Frank Heikens
Date: Mon, 23 Mar 2026 20:05:02 -0700
Subject: [PATCH] ci: pin trivy-action, add gitleaks secret scanning

- Pin trivy-action from @master to @0.31.0
- Add gitleaks secret detection step in security-scan job

Part of Elevarq release protocol standardization.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/container-ci.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/container-ci.yml b/.github/workflows/container-ci.yml
index 74f6e73..b917223 100644
--- a/.github/workflows/container-ci.yml
+++ b/.github/workflows/container-ci.yml
@@ -78,7 +78,7 @@ jobs:
         run: docker build -t pgagroal:ci .
 
       - name: Run Trivy filesystem scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.31.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -86,7 +86,7 @@ jobs:
           exit-code: '1'
 
       - name: Run Trivy image scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.31.0
         with:
           scan-type: 'image'
           image-ref: 'pgagroal:ci'
@@ -95,13 +95,18 @@ jobs:
           ignore-unfixed: true
 
       - name: Run Trivy config scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.31.0
         with:
           scan-type: 'config'
           scan-ref: '.'
           severity: 'CRITICAL,HIGH'
           exit-code: '1'
 
+      - name: Run gitleaks secret scan
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+
   integration-test:
     name: Integration Test
     needs: [build]
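Review bot: The new `uses: aquasecurity/trivy-action@0.31.0` line pins to a git tag, which the upstream repository can still move or re-point, so the supply-chain exposure the commit message describes is reduced but not closed; the same applies to the identical lines in the second and third hunks. A full-length commit SHA is the only immutable reference GitHub Actions offers, with the tag kept as a trailing comment so the version stays readable: `uses: aquasecurity/trivy-action@<FULL_COMMIT_SHA>  # v0.31.0`. Tools such as Dependabot or Renovate can keep a SHA pin current if the comment is present. The `security-scan` job that contains these steps starts before the first hunk and is only partially visible here.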
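Review bot: The added gitleaks step sets only `GITLEAKS_LICENSE` in its `env`, but the action's documented setup also lists `GITHUB_TOKEN` as a required input (it is used to read the event and report findings), so the step is likely to fail or silently degrade as written; please confirm against the action's README for the `v2` line in use. The env block would become `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on a line above `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}`. `gitleaks/gitleaks-action@v2` is also a floating major-version tag, whereas the trivy steps in this same commit were just moved off a moving ref; pinning it to a full commit SHA with a `# v2.x.y` comment keeps the job consistent. Note too that gitleaks scans commit history, so the checkout step earlier in the job (outside this hunk) presumably needs `fetch-depth: 0` for more than the tip commit to be covered.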