Remove Trivy vulnerability scanning from pipeline

Removed all Trivy-related security scanning:
- Removed "Extract first tag for Trivy" step
- Removed "Run Trivy vulnerability scanner" step
- Removed "Upload Trivy results to GitHub Security" step
- Removed "Run Trivy in table format" step
- Removed security-events permission (no longer needed)

Updated SECURITY.md:
- Removed Trivy vulnerability scanning references
- Removed SARIF upload references
- Kept other security measures intact

The workflow now focuses on:
- Fork PR protection
- SBOM generation
- Provenance attestation
- Dependabot updates

.github/workflows/docker-build.yml

@@ -54,7 +54,6 @@ jobs:
     permissions:
       contents: read
       packages: write
-      security-events: write  # For Trivy to upload SARIF results
 
     strategy:
       matrix:
@@ -114,35 +113,3 @@ jobs:
           platforms: ${{ (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') && 'linux/amd64,linux/arm64' || '' }}
           sbom: true
           provenance: true
-
-      - name: Extract first tag for Trivy
-        id: trivy-tag
-        run: |
-          # Extract the first tag from the metadata output
-          FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1)
-          echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT
-          echo "Using tag for Trivy: $FIRST_TAG"
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.24.0
-        with:
-          image-ref: ${{ steps.trivy-tag.outputs.tag }}
-          format: 'sarif'
-          output: 'trivy-results-${{ matrix.service }}.sarif'
-          severity: 'CRITICAL,HIGH'
-          exit-code: '1'  # Fail the build on critical/high vulnerabilities
-
-      - name: Upload Trivy results to GitHub Security
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results-${{ matrix.service }}.sarif'
-          category: 'trivy-${{ matrix.service }}'
-
-      - name: Run Trivy in table format
-        if: always()
-        uses: aquasecurity/trivy-action@0.24.0
-        with:
-          image-ref: ${{ steps.trivy-tag.outputs.tag }}
-          format: 'table'
-          severity: 'CRITICAL,HIGH,MEDIUM'

SECURITY.md

@@ -30,11 +30,10 @@ We will respond within 48 hours and provide regular updates on the fix progress.
 Our CI/CD pipeline implements multiple security layers:
 
 1. **Fork PR Protection**: Pull requests from forks require manual approval (via `safe-to-build` label) before builds run
-2. **Vulnerability Scanning**: All images are scanned with Trivy for CRITICAL and HIGH vulnerabilities
-3. **SBOM Generation**: Software Bill of Materials is generated for all builds
-4. **Provenance Attestation**: Build provenance is recorded for supply chain security
-5. **Limited Permissions**: Workflows use minimal required permissions
-6. **No Push from PRs**: Pull requests only build images locally, never push to registry
+2. **SBOM Generation**: Software Bill of Materials is generated for all builds
+3. **Provenance Attestation**: Build provenance is recorded for supply chain security
+4. **Limited Permissions**: Workflows use minimal required permissions
+5. **No Push from PRs**: Pull requests only build images locally, never push to registry
 
 ### Container Security
 
@@ -64,10 +63,8 @@ When contributing:
 
 Our repository includes:
 
-- **Trivy vulnerability scanning** on every build
 - **Dependabot** for dependency updates
 - **GitHub Security Advisories** monitoring
-- **SARIF upload** to GitHub Security tab for vulnerability tracking
 
 ## Safe-to-Build Label