Security review and pipeline

.dockerignore

@@ -0,0 +1,25 @@
+# Secrets and credentials
+.env
+.env.*
+*.pem
+*.key
+*credentials*
+*secret*
+.aws/
+.ssh/
+
+# Git (may contain secrets in history)
+.git
+
+# IDE configs (may contain tokens)
+.idea/
+.vscode/
+.settings/
+.gradle/
+.claude
+
+# Local development
+docker-compose*.yml
+
+logs/
+docs/

.github/workflows/ci.yml

@@ -111,4 +111,58 @@ jobs:
           min-coverage-overall: 80
           min-coverage-changed-files: 80
 
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    needs: build
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
 
+      - name: Run Trivy repo scan
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'repo'
+          scan-ref: '.'
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true
+
+      - name: Run Trivy config scan
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'config'
+          scan-ref: '.'
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker-container
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          push: false
+          load: true
+          tags: user-service:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run Trivy image scan
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'image'
+          image-ref: 'user-service:${{ github.sha }}'
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true