GA(deps): Bump github/codeql-action from 3.27.5 to 3.28.0 #683

	name: Code Scanning

	on:
	push:
	branches: ["main"]
	pull_request:
	# The branches below must be a subset of the branches above
	branches: ["main"]
	schedule:
	# Runs at 13:16 UTC on Fri.
	- cron: "16 13 * * 5"

	permissions:
	contents: read

	jobs:
	hadolint:
	name: Hadolint
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write

	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

	- name: Run Hadolint
	uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf
	with:
	dockerfile: ./Dockerfile
	format: sarif
	output-file: hadolint-results.sarif
	no-fail: true

	- name: Upload Hadolint scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
	with:
	sarif_file: hadolint-results.sarif
	wait-for-processing: true

	trivy:
	name: Trivy
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write

	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

	- name: Build an image from Dockerfile
	run: \|
	docker build -t ${{ github.sha }} .

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
	with:
	image-ref: "${{ github.sha }}"
	format: "template"
	template: "@/contrib/sarif.tpl"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
	with:
	sarif_file: "trivy-results.sarif"
	wait-for-processing: true

Provide feedback