GA(deps): Bump github/codeql-action from 3.25.12 to 3.25.13 #572

	name: Code Scanning

	on:
	push:
	branches: ["main"]
	pull_request:
	# The branches below must be a subset of the branches above
	branches: ["main"]
	schedule:
	# Runs at 13:16 UTC on Fri.
	- cron: "16 13 * * 5"

	permissions:
	contents: read

	jobs:
	hadolint:
	name: Hadolint
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write

	steps:
	- name: Checkout code
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332

	- name: Run Hadolint
	uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf
	with:
	dockerfile: ./Dockerfile
	format: sarif
	output-file: hadolint-results.sarif
	no-fail: true

	- name: Upload Hadolint scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac
	with:
	sarif_file: hadolint-results.sarif
	wait-for-processing: true

	trivy:
	name: Trivy
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write

	steps:
	- name: Checkout code
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332

	- name: Build an image from Dockerfile
	run: \|
	docker build -t ${{ github.sha }} .

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
	with:
	image-ref: "${{ github.sha }}"
	format: "template"
	template: "@/contrib/sarif.tpl"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac
	with:
	sarif_file: "trivy-results.sarif"
	wait-for-processing: true

Provide feedback