ci: remove Snyk workflow as it already runs on Snyk SaaS (#47)

* ci: remove Snyk workflow as it already runs on Snyk SaaS

* ci: generate and upload sarif when running on schedule

.github/workflows/security.yml

@@ -1,34 +1,45 @@
-name: Security scan
+name: Security Scan
+
 on:
   push:
     branches:
       - master
       - main
   pull_request:
   schedule:
-    - cron: "0 3 * * MON" # Every monday at 3 AM
+    - cron: "0 3 * * *"
 
 jobs:
-  snyk:
-    name: Run security checks via snyk
-    runs-on: ubuntu-20.04
-    env:
-      SNYK_TOKEN: ${{ secrets.COREINT_SNYK_TOKEN }}
-    steps:
-      - uses: actions/checkout@v2
-      - name: Scan code for vulnerabilities
-        run: make ci/snyk-test
+  # Note: Snyk SaaS is already configured for this repository, which does not need a workflow to run
   trivy:
-    name: Run security checks via trivy
-    runs-on: ubuntu-20.04
+    name: Trivy security scan
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
 
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@master
+        if: ${{ ! github.event.schedule }} # Do not run inline checks when running periodically
         with:
           scan-type: fs
           ignore-unfixed: true
           exit-code: 1
           severity: 'HIGH,CRITICAL'
+
+      - name: Run Trivy vulnerability scanner sarif output
+        uses: aquasecurity/trivy-action@master
+        if: ${{ github.event.schedule }} # Generate sarif when running periodically
+        with:
+          scan-type: fs
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        if: ${{ github.event.schedule }} # Upload sarif when running periodically
+        with:
+          sarif_file: 'trivy-results.sarif'