Scope Trivy scan to app manifests and fix pod security context

Author: tukue

.github/workflows/platform-iac-ci.yml

@@ -15,6 +15,7 @@ on:
 
 permissions:
   contents: read
+  security-events: write
 
 jobs:
   quality-gates:
@@ -45,4 +46,22 @@ jobs:
         with:
           directory: .
           framework: cloudformation,terraform,github_actions
+          soft_fail: false
+          output_format: cli,sarif
+          output_file_path: console,results.sarif
           quiet: true
+
+      - name: Upload Checkov SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: results.sarif
+
+      - name: Static security scan (Trivy IaC misconfigurations)
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          scan-type: config
+          scan-ref: applications/gitops/base
+          hide-progress: true
+          severity: CRITICAL,HIGH
+          exit-code: '1'

README.md

@@ -18,7 +18,7 @@ It is also curated as a **Platform Engineering consulting profile project** that
   - Secure-by-default guardrails and policy checks
 - Repository structure for multi-team and multi-environment operation
 - Backstage software template example for self-service service creation
-- CI pipeline for platform IaC quality gates (fmt/validate/lint/security)
+- CI pipeline for platform IaC quality gates (build/test/synth + Checkov + Trivy security scans)
 - GitOps-oriented app delivery guardrails
 - OPA/Conftest policy bundle for Kubernetes deployment security checks
 - Day-2 DX helpers via `Makefile`

applications/gitops/base/sample-service.yaml

@@ -22,6 +22,10 @@ spec:
       labels:
         app.kubernetes.io/name: sample-service
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: app
           image: nginx:1.27.0