chore: add Trivy vulnerability scanner to GitHub Actions workflow

Author: bbsnly

.github/workflows/php.yml

@@ -62,3 +62,17 @@ jobs:
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         files: ./coverage.xml
+
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/[email protected]
+      with:
+        scan-type: 'fs'
+        ignore-unfixed: true
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'